In an attempt to combat the huge number of malicious URLs sent in emails, a few years ago, Microsoft implemented a technology called Safe Links in their Office 365 suite.
Safe Links works by replacing every URL in an email with one which links to a secure Microsoft owned domain.
When a user clicks the link, the request is sent to the domain which checks to see if the original URL contains any malicious items such as re-directs, malware, XSS, etc.
If the URL is fine, the user visits the site in the link, if the scan uncovers any unusual activity, the user is presented with a warning and the request for the resource in the link is terminated.
As we all know, as soon as a company creates a way to thwart an attacker, the attacker community retaliate with a new approach, and sometimes, these approaches are quite clever in how they work.
Cloud security company Avanan (www.avanan.com) has released information regarding a novel attack that bypasses the URL checking which Safe Links performs, and to the untrained eye, the attack is invisible.
The attack involves the use of non-printable, whitespace characters, also known as Zero-Width Spaces (ZWSPs).
All modern browsers support ZWSPs because they are simply non-printing Unicode values which are normally used to enable line or word wrapping in long words or sentences. Most applications treat the values as a normal space or even ignore them, and this is how the attack works.
The values in question are:
- ​ – Zero-Width Space
- ‌ – Zero-Width Non-Joiner
- ‍ – Zero-Width joiner
- ﻿ – Zero-Width No-Break Space
- ０ – Full-Width Digit Zero
To carry out the attack, a malicious URL is padded out with multiple ZWSPs in such a way as to break the pattern matching which Safe Links conducts to recognise a URL. This way the URL is never caught and replaced with a safe one, so the user simply received to original, malicious URL, ready to click on.
Avanan have published a video on YouTube showing the attack working - www.youtube.com/watch?&v=H5vhe3H7n-w
Microsoft are currently looking at addressing this issue for a future update.
QA offer numerous cyber security related courses that cover phishing attacks and what to look for and how to protect yourself. See our website for more details - cyber.qa.com
After leaving a career as a Mechanical and Electrical Engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In-line with his background as an Engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics; a field he has remained in ever since. As a natural progression of his career saw Mark start to explore the security aspect of his existing competencies and since 2005 has specialised in the Cyber Security domain. Mark has been the author of a number of QA Cyber Security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.
More articles by Mark
Mac attack! Apple malware on the rise
How random is random?
Sometimes an attack might be right in front of your eyes!
Who you gonna call?
Denial of Service attack for iOS devices
Safer Internet Day 2019