While Microsoft 365 (formerly Office 365) has implemented various anti-phishing measures to protect its users, researchers have found a bypass for the First Contact Safety Tip feature within the application.
The researchers demonstrated how these safeguards can be circumvented by determined attackers with sufficient knowledge of CSS.
Manipulating Microsoft 365 Anti-Phishing First Contact Safety Tip
One of the key anti-phishing features in Microsoft 365 is the First Contact Safety Tip, which alerts users when they receive an email from an address they don’t typically communicate with. However, researchers have discovered a way to bypass this measure by manipulating the email’s HTML code.
The vulnerability lies in the fact that the safety tip can be hidden from the user by altering the email’s HTML code with CSS style tags. By setting the background and font colors of the tip to white, researchers from Certitude were able to effectively “hide” the First Contact Safety Tip from the email’s recipient, rendering the alert invisible.
Building upon their findings, the researchers took their exploration of Microsoft 365’s anti-phishing defenses a step further. They were able to spoof the icons that Outlook uses to let users recognize emails that are encrypted and/or signed, potentially deceiving even more attentive users because of how closely the spoofed icons resemble the real ones.
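As an added defensive illustration (not code from Certitude or from this article), the following Python heuristic scans an HTML email for CSS rules that give text the same color as its background, the rendering trick described above. The sample emails and the selector `.notice td` are constructed for this example; the selectors used in the actual proof of concept are not given here.

```python
import re

# Constructed sample e-mails (not from the Certitude advisory). The selector
# ".notice td" is hypothetical; the real PoC's selectors are not on the page.
SAMPLE_HIDING = """<html><head><style>
  .notice td { background-color: #ffffff; color: #FFF; }
  p { color: #222; }
</style></head><body>
<p>Please review the attached invoice.</p>
<span style="color: white; background-color: rgb(255, 255, 255)">hidden</span>
</body></html>"""

SAMPLE_CLEAN = """<html><head><style>p { color: #222; background: #fff; }</style></head>
<body><p style="color:#000">Quarterly report attached.</p></body></html>"""


def normalize_color(value):
    """Reduce common colour spellings to one form so equal colours compare equal."""
    v = value.strip().lower().replace(" ", "")
    if v in ("white", "rgb(255,255,255)"):
        return "#ffffff"
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:  # expand #abc to #aabbcc
        return "#" + "".join(ch * 2 for ch in m.group(1))
    return v


def same_fg_bg(declarations):
    """Return the colour if text and background colours match, else None."""
    decls = {}
    for decl in declarations.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = normalize_color(val)
    fg = decls.get("color")
    bg = decls.get("background-color") or decls.get("background")
    return fg if fg and fg == bg else None


def find_hidden_text_rules(html):
    """List (where, colour) for every rule that renders text invisible."""
    findings = []
    # Rules inside <style> blocks, e.g. ones aimed at a banner injected by the client.
    for block in re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S):
        for selector, body in re.findall(r"([^{}]+)\{([^}]*)\}", block):
            colour = same_fg_bg(body)
            if colour:
                findings.append((selector.strip(), colour))
    # Inline style attributes on individual elements.
    for attr in re.findall(r'style\s*=\s*"([^"]*)"', html, re.I):
        colour = same_fg_bg(attr)
        if colour:
            findings.append(("inline style", colour))
    return findings
```

A mail-filtering pipeline could quarantine or tag messages for which `find_hidden_text_rules` returns any findings; legitimate newsletters occasionally use such styling, so treat it as a signal to combine with sender reputation rather than a hard block.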
Responsible Disclosure and Microsoft’s Response
After developing their proof of concept and preparing an advisory, the researchers responsibly disclosed the issues to Microsoft through the Microsoft Researcher Portal (MSRC). While Microsoft acknowledged the validity of the findings, they chose not to address the vulnerabilities immediately, citing that the issues were “mainly applicable for phishing attacks” and that they would be marked for future review as an opportunity to improve their products.
We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products. – Microsoft MSRC, 14.02.2024
The discovery of the First Contact Safety Tip bypass vulnerability serves as a fine example that no security system is foolproof, and users should always take adequate precautions against phishing attacks.
Anti-phishing measures at the individual/employee level can include maintaining caution against emails from unfamiliar senders, checking for unusual formatting or spelling mistakes, and verifying the authenticity of emails before taking any action.
At the organizational level, security teams for enterprises that rely on Microsoft 365 can consider implementing additional security measures to complement existing anti-phishing features.