A vulnerability in Microsoft 365’s anti-phishing measures allows malicious actors to deceive users into opening harmful emails by hiding the First Contact Safety Tip using simple HTML and CSS techniques. Despite the risks, Microsoft states the issue doesn’t meet the criteria for immediate servicing.
Cybersecurity researchers at Certitude have uncovered a vulnerability in Microsoft 365’s (formerly Office 365) anti-phishing measures, potentially allowing malicious actors to deceive users into opening harmful emails. The discovery highlights a critical flaw in the system’s First Contact Safety Tip feature, which is designed to alert users when they receive emails from unfamiliar senders.
The First Contact Safety Tip, a prominent feature in Microsoft’s Exchange Online Protection (EOP) and Microsoft Defender, is intended to safeguard users by displaying a warning message when an email is received from an unrecognized address. However, researchers have demonstrated that this safety tip can be effectively hidden using simple HTML and CSS techniques, rendering it invisible to the recipient.
In a proof-of-concept experiment published on the company’s blog, researchers manipulated the CSS styles within an HTML email to change the background and font colors to white, making the safety tip indiscernible against a white background. This technique hides the safety tip without altering the email’s content, thereby maintaining the deceptive appearance of a legitimate message.
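Mail-filtering teams can screen inbound HTML for the white-on-white trick described above by computing each text node’s effective colours and flagging text whose foreground equals its background. The following is an added example, not Certitude’s proof of concept or any Microsoft code; the email markup is constructed, and the default black-on-white page colours, the handled colour syntaxes and the list of void tags are assumptions.

```python
import re
from html.parser import HTMLParser

NAMED = {"white": "#ffffff", "black": "#000000"}  # extend with further CSS colour names as needed

def norm_color(value):
    v = value.strip().lower()
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if not m:
        return NAMED.get(v)  # named colour, or None when the syntax is not handled
    h = m.group(1)
    return "#" + (h if len(h) == 6 else "".join(c * 2 for c in h))  # expand #fff -> #ffffff

class InvisibleTextFinder(HTMLParser):
    # Tracks each element's inherited text/background colour and records text whose
    # two colours coincide. Assumed page defaults: black text on a white background.
    VOID = {"br", "img", "hr", "meta", "link", "input"}

    def __init__(self):
        super().__init__()
        self.stack, self.findings = [("#000000", "#ffffff")], []
    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return  # void elements never close, so they must not push onto the stack
        fg, bg = self.stack[-1]
        decls = (d.split(":", 1) for d in (dict(attrs).get("style") or "").split(";") if ":" in d)
        props = {k.strip().lower(): v.strip() for k, v in decls}
        if "color" in props:
            fg = norm_color(props["color"]) or fg
        bg_decl = props.get("background-color") or props.get("background")
        if bg_decl:  # shorthand: the first token is taken as the colour
            bg = norm_color(bg_decl.split()[0]) or bg
        self.stack.append((fg, bg))
    def handle_endtag(self, tag):
        if tag not in self.VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        text, (fg, bg) = data.strip(), self.stack[-1]
        if text and fg == bg:
            self.findings.append(text)

def find_invisible_text(html):
    finder = InvisibleTextFinder()
    finder.feed(html)
    return finder.findings  # text nodes rendered with foreground equal to background

# Constructed sample (not the researchers' proof of concept): one table cell is white-on-white.
SAMPLE_EMAIL = ('<body style="background:#ffffff"><table><tr><td style="color:white; background-color:#FFF">'
                'Sender is outside your organization.</td></tr></table><p>Please review the attached invoice.</p></body>')
```

A non-empty result from `find_invisible_text` is a signal worth routing to quarantine or manual review; the check will not catch hiding via `display:none`, `font-size:0` or near-identical colours, so treat it as one heuristic among several.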
Further exploiting this vulnerability, researchers also showed how attackers could spoof the icons indicating encrypted and signed emails, enhancing the deception. By carefully crafting the HTML code, attackers can mimic the appearance of a secure email, increasing the likelihood of a user falling for the phishing scam.
Despite the alarming nature of these findings, Microsoft has responded by stating that the issue does not meet their criteria for immediate servicing, as it primarily affects phishing attacks. This stance has raised concerns among cybersecurity experts, including Glenn Chisholm, Chief Product Officer at Obsidian Security, who emphasized the potential risks and urged Microsoft to reconsider its approach.
“This recent discovery is the latest innovation from phishing scammers,” Chisholm commented. “The research seems to highlight a flaw in the anti-phishing measures of Microsoft 365 and increases the chance of users falling victim to these scams. What is equally worrying is Microsoft’s refusal to address the issue as it ‘does not meet the bar for immediate servicing’. This is something that could cause serious problems for their users and needs to be taken seriously to avoid consequences in the future.”
As enterprises increasingly rely on SaaS applications like Microsoft 365 to store sensitive data and manage identities, the vulnerability underscores the need for heightened vigilance and continuous improvement in cybersecurity measures. Users are advised to remain cautious, report suspicious emails, and consult IT support teams to mitigate the risks associated with phishing attacks.