The Invisible Attack

In an attempt to combat the huge number of malicious URLs sent in emails, a few years ago, Microsoft implemented a technology called Safe Links in their Office 365 suite.

Safe Links works by replacing every URL in an email with one which links to a secure Microsoft owned domain.

When a user clicks the link, the request is sent to the domain which checks to see if the original URL contains any malicious items such as re-directs, malware, XSS, etc.

If the URL is fine, the user visits the site in the link, if the scan uncovers any unusual activity, the user is presented with a warning and the request for the resource in the link is terminated.

As we all know, as soon as a company creates a way to thwart an attacker, the attacker community retaliate with a new approach, and sometimes, these approaches are quite clever in how they work.

Cloud security company Avanan (www.avanan.com) has released information regarding a novel attack that bypasses the URL checking which Safe Links performs, and to the untrained eye, the attack is invisible.

The attack involves the use of non-printable, whitespace characters, also known as Zero-Width Spaces (ZWSPs).

All modern browsers support ZWSPs because they are simply non-printing Unicode values which are normally used to enable line or word wrapping in long words or sentences. Most applications treat the values as a normal space or even ignore them, and this is how the attack works.

The values in question are:

&#8203 – Zero-Width Space
&#8204 – Zero-Width Non-Joiner
&#8205 – Zero-Width joiner
&#65279 – Zero-Width No-Break Space
&#65296 – Full-Width Digit Zero

To carry out the attack, a malicious URL is padded out with multiple ZWSPs in such a way as to break the pattern matching which Safe Links conducts to recognise a URL. This way the URL is never caught and replaced with a safe one, so the user simply received to original, malicious URL, ready to click on.

Avanan have published a video on YouTube showing the attack working - www.youtube.com/watch?&v=H5vhe3H7n-w

Microsoft are currently looking at addressing this issue for a future update.

QA offer numerous cyber security related courses that cover phishing attacks and what to look for and how to protect yourself. See our website for more details - cyber.qa.com

Previous article Why email phishing persists? Next article Cyber Security Loopholes

Mark Amory

Mark Amory has been specialising in cyber security training for 15 years and is the author of several of QA's cyber security courses, as well as the 2017 NCSC CyberFirst Academy.

Visit my page