Phishing is the most effective method for an attacker to infiltrate an organization. Several attack methods and techniques are available for an attacker to send a phishing email.
On the other hand, email clients such as Outlook or Gmail also have security measures to warn users whenever they receive an unknown email.
One such security measure is the “First Contact Safety Tip,” which alerts Outlook users whenever they receive an email from an unknown sender.
This alert warns the user, “You don’t often get email from [email protected]. Learn why this is important.”
This email helps many users avoid unknown senders or phishing emails. This feature is one of the many methods available for anti-phishing in Exchange Online and Microsoft Defender that can be used by organizations using Office 365.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access
However, researchers have discovered a method to bypass this warning, which will make the phishing email more legitimate and thereby allow the user to interact with its contents or attachments.
Outlook prepends the “First Contact Safety Tip” to the body of an HTML email. This means that an attacker can alter the way it is displayed to the victim user by using CSS-style tags.
The proof of concept involved hiding the “First Contact Safety Tip” message in the HTML email. The researchers also could change the background and font colors to white, which would hide the alert from the end user.
...[SNIP]...
In addition, the researchers were also able to spoof the icons that Microsoft Outlook adds to encrypted and /or signed emails. The code below is another proof of concept for spoofing the signed icons.
...[SNIP]...
#mainTable {
width: 100%;
z-index: 1;
margin-bottom: 1em;
}
#signedBy {
font-size: 0.9em;
}
.badge {
width: 2.8em;
text-align: right;
}
| Signed By nimmerrichtermarc@gmail․com |  |
 |
As a matter of fact, the string with “Signed By [email protected]” does not use a regular period (.). Instead, it uses a Unicode character U+2024 alongside which the legitimate images are attached.
The use of this unicode character makes Outlook detect it as an email address and generate an mailto link that is probably different from the original text we attempt to spoof.
However, attentive users are highly likely to notice the difference in formatting. Many users don’t pay much attention to this and will fall victim to phishing attacks.
According to Microsoft’s response, Microsoft has not addressed this behavior for now.
Microsoft’s response to the researchers, dated February 14, 2024, states, “We determined your finding is valid but does not meet our bar for immediate servicing, considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products.”
It is important for all users to pay more attention to phishing emails and look for any change in format or malicious links received in emails. Do not click on unknown links or download any attachments from unknown senders.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide