A few years ago, in an attempt to combat the huge number of malicious URLs sent in emails, Microsoft implemented a technology called Safe Links in its Office 365 suite.
Safe Links works by rewriting every URL in an email so that it points to a Microsoft-owned domain instead of the original destination.
When a user clicks the link, the request goes to that domain first, which checks the original URL at the time of the click for anything malicious, such as redirects, malware, cross-site scripting and so on.
If the URL is fine, the user is sent on to the site in the link; if the scan flags anything suspicious, the user is shown a warning and the request for the original resource is blocked.
As we all know, as soon as a company creates a way to thwart attackers, the attacker community responds with a new approach, and sometimes these approaches are quite clever in how they work.
Cloud security company Avanan (www.avanan.com) has released information regarding a novel attack that bypasses the URL checking which Safe Links performs, and to the untrained eye, the attack is invisible.
The attack involves the use of non-printing Unicode characters, commonly grouped under the name Zero-Width Spaces (ZWSPs), which take up no visible width when rendered.
All modern browsers and mail clients render ZWSPs as nothing at all. They are ordinary Unicode format characters intended for typographic control: a zero-width space marks a point where a long word may be broken across lines, and the joiner and non-joiner control whether adjacent characters are joined together. Most applications either ignore them or treat them as a normal space, and this is what the attack exploits: the characters are present in the bytes of the URL, but a human reader sees nothing out of place.
The values in question, with their Unicode code points, are:
- ​ – Zero-Width Space (U+200B)
- ‌ – Zero-Width Non-Joiner (U+200C)
- ‍ – Zero-Width Joiner (U+200D)
- ﻿ – Zero-Width No-Break Space (U+FEFF)
- ０ – Full-Width Digit Zero (U+FF10)
To carry out the attack, a malicious URL is padded out with multiple ZWSPs in such a way as to break the pattern matching which Safe Links uses to recognise a URL. Because the URL is never recognised, it is never rewritten to a safe one, so the user simply receives the original, malicious URL, which renders exactly as it would without the padding, ready to click on.
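To make the mechanism concrete, the following Python is an added example written for this article; it is not code from Avanan or Microsoft. It pads a placeholder URL with the characters listed above, shows that a naive regular-expression URL matcher (a hypothetical stand-in for whatever pattern a link-rewriting filter uses, not Microsoft's actual one) no longer finds the link, and then shows the normalisation a defender can apply before matching: strip Unicode format (Cf) characters and fold compatibility forms with NFKC.

```python
import re
import unicodedata

# The five code points listed in the article.
INVISIBLE = {
    "\u200b": "Zero-Width Space",
    "\u200c": "Zero-Width Non-Joiner",
    "\u200d": "Zero-Width Joiner",
    "\ufeff": "Zero-Width No-Break Space",
    "\uff10": "Full-Width Digit Zero",
}

# A deliberately naive URL matcher standing in for a link-rewriting filter.
# Hypothetical pattern, not the one Safe Links uses: it only accepts an
# unbroken run of ASCII host characters after the scheme.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def pad_url(url: str, filler: str = "\u200b") -> str:
    """Attacker side: interleave an invisible filler between every character
    of the host, so no contiguous host name exists for the regex to match."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return f"{scheme}://{filler.join(host)}{slash}{path}"


def find_urls(text: str) -> list:
    """What a naive filter sees: URLs matched on the raw message text."""
    return URL_RE.findall(text)


def normalize(text: str) -> str:
    """Defender side: drop every Unicode format (Cf) character, which covers
    the four zero-width values, then apply NFKC, which folds the full-width
    digit zero (and similar compatibility look-alikes) to plain ASCII."""
    stripped = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", stripped)


def invisible_chars(text: str) -> list:
    """Triage helper: (offset, code point, name) for every character that is
    in the article's list or is a Unicode format character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(text)
        if ch in INVISIBLE or unicodedata.category(ch) == "Cf"
    ]


if __name__ == "__main__":
    # Constructed sample message; the domain is a placeholder, not a real phishing site.
    link = "http://example.com/login"
    body = f"Your mailbox is full, free up space at {link} today."
    padded = body.replace(link, pad_url(link))

    print("rendered text  :", padded)              # looks identical to the original
    print("naive filter   :", find_urls(padded))   # [] -> the link would not be rewritten
    print("after normalize:", find_urls(normalize(padded)))
    for offset, cp, name in invisible_chars(padded):
        print(f"  hidden {cp} ({name}) at offset {offset}")
```

The sample message and domain are constructed. Stripping only the four zero-width code points would miss the fifth character in the list; NFKC folds the full-width digit zero to an ASCII "0", so normalising before matching is the more general check, and any Cf character sitting inside a host name is itself a strong signal worth flagging regardless of what the URL resolves to.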
Avanan have published a video on YouTube showing the attack working - www.youtube.com/watch?&v=H5vhe3H7n-w
Microsoft are currently looking at addressing this issue in a future update.
QA offer numerous cyber security related courses that cover phishing attacks and what to look for and how to protect yourself. See our website for more details - cyber.qa.com
Mark Amory has been specialising in cyber security training for 15 years and is the author of several of QA's cyber security courses, as well as the 2017 NCSC CyberFirst Academy.