In an attempt to combat the huge number of malicious URLs sent in emails, a few years ago, Microsoft implemented a technology called Safe Links in their Office 365 suite.
Safe Links works by replacing every URL in an email with one which links to a secure Microsoft owned domain.
When a user clicks the link, the request is sent to the domain which checks to see if the original URL contains any malicious items such as re-directs, malware, XSS, etc.
If the URL is fine, the user visits the site in the link, if the scan uncovers any unusual activity, the user is presented with a warning and the request for the resource in the link is terminated.
As we all know, as soon as a company creates a way to thwart an attacker, the attacker community retaliate with a new approach, and sometimes, these approaches are quite clever in how they work.
Cloud security company Avanan (www.avanan.com) has released information regarding a novel attack that bypasses the URL checking which Safe Links performs, and to the untrained eye, the attack is invisible.
The attack involves the use of non-printable, whitespace characters, also known as Zero-Width Spaces (ZWSPs).
All modern browsers support ZWSPs because they are simply non-printing Unicode values which are normally used to enable line or word wrapping in long words or sentences. Most applications treat the values as a normal space or even ignore them, and this is how the attack works.
The values in question are:
- ​ – Zero-Width Space
- ‌ – Zero-Width Non-Joiner
- ‍ – Zero-Width joiner
- ﻿ – Zero-Width No-Break Space
- ０ – Full-Width Digit Zero
To carry out the attack, a malicious URL is padded out with multiple ZWSPs in such a way as to break the pattern matching which Safe Links conducts to recognise a URL. This way the URL is never caught and replaced with a safe one, so the user simply received to original, malicious URL, ready to click on.
Avanan have published a video on YouTube showing the attack working - www.youtube.com/watch?&v=H5vhe3H7n-w
Microsoft are currently looking at addressing this issue for a future update.
QA offer numerous cyber security related courses that cover phishing attacks and what to look for and how to protect yourself. See our website for more details - cyber.qa.com
Mark AmoryMark Amory has been specialising in cyber security training for 15 years and is the author of several of QA's cyber security courses, as well as the 2017 NCSC CyberFirst Academy.
More articles by Mark
What is a DDos attack? And how can I protect my devices against botnets?
Mark Amory, QA Cyber Security Training Delivery Manager, explains exactly what a DDoS attack is, how botnets can use compromi…10 March 2021
Massive cyber attack on US government and companies underway
Mark Amory, Cyber Security Technical Learning Consultant at QA, reports on a major cyber incident unfolding this weekend agai…14 December 2020
Pi-Hole: The DIY ad-blocker & malware defender all in one box
Mark Amory explains the Pi-Hole DNS proxy that provides a nearly ad-free web surfing experience.09 December 2020
What is ethical hacking?
Mark Amory explains what ethical hacking is and why it's important that every company uses pentesting to safeguard their IT s…06 October 2020
Mac attack! Apple malware on the rise
QA Cyber Training Delivery Manager, Mark Amory, explains that while Mac users used to be relatively safe from viruses and mal…19 February 2020
How random is random?
How random something is relies on more than just thinking of a number, it relies on a multitude of tiny, imperceptible variab…15 November 2017
Sometimes an attack might be right in front of your eyes!
QA Cyber Training Delivery Manager, Mark Amory, discusses a new exploit in X.509 certificates that allows malicious code to b…14 March 2018
QA Cyber Training Delivery Manager, Mark Amory, discusses how GDPR regulations can make data breaches a valuable weapon to da…19 September 2018
Who you gonna call?
QA Cyber Training Delivery Manager, Mark Amory, looks at the behind-the-scenes organisations working tirelessly to help stop…20 November 2018
Denial of Service attack for iOS devices
QA Cyber Training Delivery Manager, Mark Amory, looks at a new raft of Denial of Service attacks that use little more than a…27 November 2018