Z-WASP attack: Phishers are using a recently fixed flaw in Office 365 that allows them to bypass protections using zero-width spaces and deliver malicious messages to recipients.
Microsoft recently fixed a vulnerability in Office 365 that was exploited by attackers to bypass existing phishing protections and deliver malicious messages to victims’ inboxes.
The vulnerability ties with the use of zero-width spaces (ZWSPs) in malicious URLs within the RAW HTML of the emails. This trick splits the URLs, making it impossible for defense systems to detect the malicious messages.
Experts pointed out that both URL reputation check and Safe Links protections are bypassed using this technique.
The bad news is that the recipient would not be able to detect the spaces because they are not rendered.
Experts from cloud-security firm Avanan first observed a campaign abusing this issue on November 10. Microsoft addressed the issue on January 9.
“The name Z-WASP references the zero-width space that hackers added to the middle of a malicious URL within the RAW HTML of the email. With all these special characters breaking up the URL, Microsoft email processing didn’t recognize the URL for what it was, so domain reputation checks and Safe Links didn’t apply,” reported Avanan.
“Z-WASP emails flooded inboxes around November 10, when we detected the problem. And since these zero-width spaces don’t render, the recipient couldn’t see the random special characters in the URL.”
Experts discovered the flaw when they noticed a large number of phishers using zero-width spaces (ZWSPs) to obfuscate links in malicious emails sent to Office 365.
“The vulnerability was discovered when we noticed a large number of hackers using zero-width spaces (ZWSPs) to obfuscate links in phishing emails to Office 365, hiding the phishing URL from Office 365 Security and Office 365 ATP,” continues the analysis published by Avanan.
ZWSPs are characters that render as spaces of zero width; in effect they are rendered as “empty space” characters. There are 5 ZWSP entities, namely the Zero-Width Space, the Zero-Width Non-Joiner, the Zero-Width Joiner, the Zero-Width No-Break Space, and ０ (Full-Width Digit Zero).
Experts explained that in raw HTML form, ZWSPs appear as a mishmash of numbers and special characters randomly inserted between the letters of a word or a URL. Once rendered in the web browser, they are invisible.
ZWSPs are part of ordinary formatting on the Internet: they are used for fingerprinting articles and documents, formatting foreign languages, and breaking long words at the end of a line so that they continue on the next line.
In the campaigns observed by the experts, phishers added the Zero-Width Non-Joiner in the middle of a malicious URL within the RAW HTML of an email. The email processing system failed to recognize the URL, so the protections were bypassed.
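The defensive counterpart of the technique described above is to decode the raw HTML and strip zero-width characters before any URL reputation check runs. The following is an added example written for this article, not code from Avanan or Microsoft; the Unicode code points come from the Unicode standard (the article's entity codes were lost), the HTML snippet and domains are constructed, and NFKC folding is used to collapse the full-width digit zero the article lists among the ZWSP entities.

```python
import html
import re
import unicodedata

# Zero-width code points named in the article (code points from the Unicode
# standard, not from the article text itself).
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

# Simple href extractor for raw HTML mail bodies (enough for this example).
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def normalize_url(decoded: str) -> str:
    """Strip zero-width characters, then NFKC-fold look-alikes such as the
    full-width digit zero (U+FF10 -> '0'), yielding the URL a reputation
    check should actually evaluate."""
    stripped = "".join(ch for ch in decoded if ch not in ZERO_WIDTH)
    return unicodedata.normalize("NFKC", stripped)


def scan_html(body: str) -> list:
    """Return one finding per href: the URL as written, its HTML-decoded form,
    the normalized form, the zero-width count and a suspicious flag.
    A link is suspicious when zero-width characters were hidden in it or
    when normalization changed it (e.g. a full-width digit)."""
    findings = []
    for m in HREF_RE.finditer(body):
        raw = m.group(1)
        decoded = html.unescape(raw)          # &#8204; -> U+200C etc.
        normalized = normalize_url(decoded)
        zw = sum(1 for ch in decoded if ch in ZERO_WIDTH)
        findings.append({
            "raw": raw,
            "decoded": decoded,
            "normalized": normalized,
            "zero_width": zw,
            "suspicious": zw > 0 or normalized != decoded,
        })
    return findings


# Constructed sample mail body: one link split by ZWNJ and ZWSP, one using a
# full-width zero, and one clean link.
SAMPLE_HTML = (
    '<p>Your account needs attention.</p>'
    '<a href="http://ch&#8204;ase-secure&#8203;login.example/verify">Sign in</a>'
    '<a href="http://acc&#65296;unt.example/login">Update details</a>'
    '<a href="https://www.example.org/help">Help</a>'
)
```

Run `scan_html(SAMPLE_HTML)` and feed the `normalized` field, not `raw`, to whatever domain reputation or Safe Links style check sits in the mail pipeline.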
The messages used in the campaign included links pointing to phishing pages used to harvest the credentials of Chase Bank customers.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.