ZeroFont Email Filter Bypass Technique

A new technique - known as ZeroFont - for bypassing Window's automatic email filtering has been detailed.

Threat ID:: CC-2501
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 20 June 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A new technique - known as ZeroFont - for bypassing Window's automatic email filtering has been detailed.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

Attackers may use this technique to enhance their spam and phishing campaigns.

Microsoft uses natural language processing (NLP) to examine the HTML content of emails for indicators of suspicious activity and flags the offending messages as fraudulent. ZeroFont circumvents this protection by embedding new 0 point characters within existing text strings. When an email using ZeroFont is received, Microsoft's NLP analyser will read all text contained within the HTML content whereas the user will only see whatever text is rendered on screen, with the 0 point font not shown.

This allow an attacker to display different text to the NLP analyser and the user, and could be used to force Microsoft's email filters to misidentify suspicious emails.

Remediation steps

Type	Step
	Whilst there is no specific remediation advice available to prevent the ZeroFont technique bypassing email filters, users should remain aware of the risks posed by spam or phishing emails. Guidance on how spot to potentially malicious emails can be found in the 'How to Identify Malicious Communications Within the NHS' best practice guide available on the Information Sharing Portal.

Last edited: 17 February 2020 12:58 pm