Microsoft 365 Anti-Phishing Feature Bypassed with CSS: A Potential Security Risk


Cybersecurity researchers have identified a method to bypass a critical anti-phishing measure in Microsoft 365 (formerly Office 365), raising concerns over the potential risks users face when opening emails from unfamiliar sources. This discovery highlights a vulnerability in the ‘First Contact Safety Tip’ feature, which is designed to alert users when they receive an email from a new or unknown contact.

The Vulnerability Explained

The ‘First Contact Safety Tip’ is an integral part of Microsoft 365’s security measures. It provides a warning message in Outlook that reads, “You don’t often get email from xyz@example.com. Learn why this is important.” This alert aims to caution users about potential phishing attempts by highlighting emails from new contacts.

However, researchers from Certitude have found a way to manipulate this feature using CSS (Cascading Style Sheets) embedded within the HTML of an email. By exploiting this vulnerability, attackers can effectively hide the warning message, making the phishing email appear legitimate and reducing the chances of the recipient detecting the threat.

How the Bypass Works

The technique involves embedding specific CSS rules within the HTML of the email. Here’s how the rules function to hide the safety tip:

  • a { display: none; }: This rule hides any anchor (<a>) tags, ensuring that any links within the warning message are not displayed.
  • td div { color: white; font-size: 0px; }: This targets div elements within table data cells, changing their font color to white and their font size to 0, rendering the text invisible.
  • table tbody tr td { background-color: white !important; color: white !important; }: This rule changes the background and text color of table cells to white, making the content blend into the background and thus disappear.

By employing these CSS rules, attackers can send phishing emails from new contacts while the safety tip, although still inserted by Outlook, is rendered invisible to the recipient, leaving users unaware of the potential danger.
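As an added illustration (not part of the article or of Certitude's research), the following gateway-side check scans an email's inline stylesheet for rules that target the elements the article lists and would make their content invisible. The sample HTML, the selector set, and the colour/size heuristics are constructed assumptions for the example.

```python
import re

# Constructed sample: an email body embedding the three CSS rules the article
# describes (test input built for this example, not a captured message).
SAMPLE_EMAIL_HTML = """<html><head><style>
a { display: none; }
td div { color: white; font-size: 0px; }
table tbody tr td { background-color: white !important; color: white !important; }
</style></head><body><p>Hello</p></body></html>"""

# Constructed benign message: styles anchors and paragraphs without hiding them.
BENIGN_EMAIL_HTML = """<html><head><style>
p { font-family: Arial; color: #333; }
a { color: #0a58ca; text-decoration: underline; }
</style></head><body><p>Hi <a href="https://example.com">link</a></p></body></html>"""

# Assumption: these global selectors (taken from the article) cover the markup
# the First Contact Safety Tip banner is rendered in, so hiding rules on them
# suppress the banner. A legitimate email rarely needs to blank them all.
SUSPECT_SELECTORS = {"a", "td div", "table tbody tr td"}
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}


def _norm(value: str) -> str:
    """Lower-case a declaration value and drop spaces and !important."""
    return value.lower().replace("!important", "").replace(" ", "").strip()


def _rules(css: str):
    """Yield (selector, {property: value}) for each rule in a stylesheet."""
    for sel, body in re.findall(r"([^{}]+)\{([^}]*)\}", css):
        decls = {}
        for decl in body.split(";"):
            if ":" in decl:
                prop, val = decl.split(":", 1)
                decls[prop.strip().lower()] = val.strip()
        yield " ".join(sel.split()).lower(), decls


def _hides_text(decls: dict) -> bool:
    """True if the declarations would make the element's text invisible."""
    if _norm(decls.get("display", "")) == "none":
        return True
    if re.fullmatch(r"0(px|pt|em|rem|%)?", _norm(decls.get("font-size", ""))):
        return True
    # White-on-white text: colour and background both white.
    return (_norm(decls.get("color", "")) in WHITE
            and _norm(decls.get("background-color", "")) in WHITE)


def find_safety_tip_suppression(html: str) -> list:
    """Return (selector, declarations) pairs that would hide the safety tip."""
    hits = []
    for style in re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I):
        for sel, decls in _rules(style):
            if sel in SUSPECT_SELECTORS and _hides_text(decls):
                hits.append((sel, decls))
    return hits
```

A match is a signal to quarantine or flag the message for review, not proof of phishing on its own, since the heuristic only inspects `<style>` blocks and not inline `style` attributes.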

Enhancing the Deception

Certitude’s researchers didn’t stop at hiding the warning message. They further demonstrated that it’s possible to add additional HTML code to spoof the security icons that Microsoft Outlook uses for encrypted or signed emails. This added layer of deception creates a false sense of security, making the phishing email appear even more authentic.

While the formatting limitations mean that the spoofed icons are not perfect replicas, they are convincing enough to pass casual inspections, increasing the likelihood that recipients will fall for the phishing attempt.


Microsoft’s Response

Upon discovering this vulnerability, Certitude promptly reported their findings to Microsoft through the Microsoft Researcher Portal (MSRC). They provided a detailed report and proof of concept to demonstrate the bypass techniques.

Microsoft acknowledged the validity of the findings but decided not to address the issue immediately. In their response, Microsoft stated:

“We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products.”

This response has raised concerns within the cybersecurity community, as phishing remains one of the most prevalent and effective methods used by cybercriminals to compromise user accounts and gain unauthorized access to sensitive information.

The Implications for Users

The ability to bypass the ‘First Contact Safety Tip’ in Microsoft 365 significantly elevates the risk of successful phishing attacks. Users who rely on this feature to identify potentially dangerous emails are left vulnerable, as the warning message can be completely hidden from view.

This vulnerability underscores the importance of multi-layered security measures and user vigilance. While Microsoft has not yet provided a fix for this issue, users can mitigate the risk by following best practices for email security, such as:

  • Verifying email addresses: Always check the sender’s email address carefully, especially if the email contains unexpected attachments or links.
  • Hovering over links: Before clicking on any links, hover over them to see the actual URL they will direct you to.
  • Enabling additional security features: Utilize other security features available in Microsoft 365 and third-party security tools to provide an extra layer of protection.

Conclusion

The discovery of this CSS-based bypass in Microsoft 365’s anti-phishing feature is a stark reminder of the persistent and evolving nature of cyber threats. While Microsoft has acknowledged the vulnerability, the decision not to immediately address it highlights the challenges in prioritizing security fixes.

For now, users must remain cautious and proactive in their approach to email security, staying informed about potential threats and adopting best practices to safeguard their information. As the cybersecurity landscape continues to evolve, ongoing vigilance and adaptive security measures will be crucial in defending against emerging threats.
