Microsoft recently fixed a vulnerability in Office 365 that was exploited by attackers to bypass existing phishing protections and deliver malicious messages to victims’ inboxes.
The vulnerability ties with the use of zero-width spaces (ZWSPs) in malicious URLs within the RAW HTML of the emails. This trick allows splitting the URLs making impossible for defense systems to detect malicious messages.
Experts pointed out that both URL reputation check and Safe Links protections are bypassed using this technique.
The bad news is that the recipient would not be able to detect the spaces because they are not rendered.
Experts from cloud-security firm Avanan first observed a campaign busing this issue on November 10. Microsoft addressed the issue on January 9.
“The name Z-WASP references the zero-width space () that hackers added to the middle of a malicious URL within the RAW HTML of the email. With all these special characters breaking up the URL, Microsoft email processing didn’t
“Z-WASP emails flooded inboxes around November 10, when we detected the problem. And since these zero-width spaces don’t render, the recipient couldn’t see the random special characters in the URL.”
Experts discovered the flaw when noticed a large number of phishers using zero-width spaces (ZWSPs) to obfuscate links in malicious emails to Office 365.
“The vulnerability was discovered when we noticed a large number of hackers using zero-width spaces (ZWSPs) to obfuscate links in phishing emails to Office 365, hiding the phishing URL from Office 365 Security and Office 365 ATP.” continues the analysis published by Avanan.
ZWSPs are characters that render to spaces of zero-width, they could be rendered as “empty space” characters. They are 5 ZWSP entities, namely (Zero-Width Space), (Zero-Width Non-Joiner), (Zero-Width Joiner), (Zero-Width No-Break Space), and ０ (Full-Width Digit Zero).
Experts explained that in raw HTML form, ZWSPs appear like a mishmash of numbers and special characters randomly inserted between the letters a word or a URL. Once rendered in the web browser, hey appear as invisible.
ZWSPs are part of ordinary formatting the Internet, they are used for fingerprinting articles and documents, formatting foreign languages, and breaking long words at the end of a line and continuing them on the next line.
In the campaigns observed by the experts, phishers added the Zero-Width Non-Joiner () in the middle of a malicious URL within the RAW HTML of an email, The email processing system failed to recognize the URL as legitimate and the protections were bypassed.
The messages used in the campaign included links pointing to phishing pages used to harvest credentials of Chase Bank’customers.
Below a video PoC of the attack published by Avanan:
(SecurityAffairs – Z-WASP, phishing)