
The Invisible Attack

QA Cyber Training Delivery Manager, Mark Amory, looks at the technology Microsoft is implementing in an attempt to combat the huge number of malicious URLs sent in emails.


Mark Amory | 12 February 2019

In an attempt to combat the huge number of malicious URLs sent in emails, Microsoft some years ago implemented a technology called Safe Links, part of Office 365 Advanced Threat Protection, in their Office 365 suite.

Safe Links works by rewriting every URL it recognises in an email so that it points to a Microsoft-owned domain (a host under safelinks.protection.outlook.com), with the original URL carried along as a parameter.

When a user clicks the link, the request goes to that domain first, which checks the original URL at time of click for malicious content such as redirects, malware, XSS and similar, so a link that was clean at delivery can still be blocked if it has turned bad since.

If the URL is fine, the user is forwarded to the site in the link. If the check uncovers anything suspicious, the user is presented with a warning page instead and the request for the linked resource is not passed on.

As we all know, as soon as a company creates a way to thwart an attacker, the attacker community responds with a new approach, and sometimes these approaches are quite clever in how they work.

Cloud security company Avanan (www.avanan.com) has released information regarding a novel attack that bypasses the URL checking which Safe Links performs, and to the untrained eye, the attack is invisible.

The attack involves the use of non-printing, zero-width Unicode characters, commonly grouped together under the name Zero-Width Spaces (ZWSPs).

All modern browsers and mail clients support these characters because they are ordinary Unicode values with a layout meaning rather than a visible glyph: the zero-width space marks a point where a long word may be wrapped, and the joiner and non-joiner control whether neighbouring characters are joined or kept apart. Rendering engines draw nothing for them, and many applications treat them as a normal space or ignore them entirely. The attack works on the gap between the two: the text a user sees is unchanged, but the byte sequence a pattern matcher inspects is not.

The values in question (given as HTML numeric character references, with the Unicode code point alongside):

  • &#8203; (U+200B) – Zero-Width Space
  • &#8204; (U+200C) – Zero-Width Non-Joiner
  • &#8205; (U+200D) – Zero-Width Joiner
  • &#65279; (U+FEFF) – Zero-Width No-Break Space
  • &#65296; (U+FF10) – Full-Width Digit Zero

Note that the last of these is not actually zero-width: it renders as a wide digit "０" in place of an ASCII "0". It belongs on the list because a matcher that only accepts ASCII digits will still fail to recognise a host or address containing it.


To carry out the attack, a malicious URL is padded out with multiple ZWSPs, placed so as to break the pattern matching Safe Links uses to recognise a URL in the message body. The URL is therefore never caught and replaced with a safe one, and the user simply receives the original, malicious URL, rendered exactly as it would be without the padding and ready to click on.
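The following Python example, added here and not taken from the article or from Avanan, demonstrates both halves of what is described above: the padding step, and why a link rewriter that matches URLs with a plain ASCII pattern then misses them. The URL matcher, the wrapper prefix (https://safelinks.example/) and the sample message are all constructed stand-ins; the real Safe Links matcher and wrapper format are not reproduced. The hardened path shows the check a filter needs: decode HTML entities, drop the zero-width code points and NFKC-fold compatibility characters such as U+FF10 before matching, so the matcher sees the same string the user sees.

```python
import html
import re
import unicodedata
from urllib.parse import quote

# The code points behind the HTML entities listed above (&#8203; = U+200B, and so on).
# U+FF10 FULLWIDTH DIGIT ZERO is on the article's list but is not zero-width; it is
# handled below by NFKC normalisation, which folds it to an ASCII "0".
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

# Constructed stand-in for a link filter's URL matcher: scheme, a dotted host made of
# ASCII letters/digits, and an optional path. Any other character ends the match.
NAIVE_URL = re.compile(
    r"https?://[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+(?:/[^\s<>\"']*)?"
)

# Hypothetical rewrite prefix for the example only (not the real Safe Links format).
WRAPPER = "https://safelinks.example/?url="


def pad_with_zero_width(url, zw="\u200b", every=3):
    """Offensive side: insert a zero-width character after every `every` characters
    of the host part. The rendered text is unchanged; the byte pattern is not."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    chunks = [host[i:i + every] for i in range(0, len(host), every)]
    return f"{scheme}://{zw.join(chunks)}{slash}{path}"


def strip_zero_width(text):
    """Defensive side: decode HTML entities, drop zero-width code points, then
    NFKC-fold compatibility characters (e.g. U+FF10) so the matcher sees what
    the user sees."""
    decoded = html.unescape(text)
    visible = "".join(ch for ch in decoded if ch not in ZERO_WIDTH)
    return unicodedata.normalize("NFKC", visible)


def extract_urls(text, harden=False):
    """Return the URLs the matcher recognises, optionally after normalisation."""
    if harden:
        text = strip_zero_width(text)
    return [m.group(0) for m in NAIVE_URL.finditer(text)]


def rewrite_links(text, harden=False):
    """Wrap every recognised URL; with harden=False this is the bypassable path."""
    if harden:
        text = strip_zero_width(text)
    return NAIVE_URL.sub(lambda m: WRAPPER + quote(m.group(0), safe=""), text)


def find_zero_width(text):
    """Detection: (offset, name) for every zero-width code point in a decoded body."""
    decoded = html.unescape(text)
    return [(i, ZERO_WIDTH[ch]) for i, ch in enumerate(decoded) if ch in ZERO_WIDTH]


# Constructed sample: a phishing link padded so the naive matcher never sees a host.
ORIGINAL = "http://login.example.com/reset"
PADDED = pad_with_zero_width(ORIGINAL)
BODY = "Reset your password here: " + PADDED

if __name__ == "__main__":
    print("renders as:       ", strip_zero_width(PADDED))
    print("naive extract:    ", extract_urls(BODY))
    print("hardened extract: ", extract_urls(BODY, harden=True))
    print("naive rewrite:    ", rewrite_links(BODY))
    print("hardened rewrite: ", rewrite_links(BODY, harden=True))
    print("zero-width found: ", find_zero_width(BODY))
```

Run as-is, the naive extractor returns nothing for the padded body and the naive rewriter hands the message through untouched, which is the behaviour the article describes. The hardened extractor recovers the full URL, and `find_zero_width` gives a simple detection signal: legitimate mail rarely carries these code points inside a URL, so their presence next to "http" is worth flagging on its own.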

Avanan have published a video on YouTube showing the attack working - www.youtube.com/watch?&v=H5vhe3H7n-w

Microsoft are currently looking at addressing this issue for a future update.

QA offer numerous cyber security related courses that cover phishing attacks and what to look for and how to protect yourself. See our website for more details - cyber.qa.com



Mark Amory

Cyber Training Delivery Manager

After leaving a career as a Mechanical and Electrical Engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an Engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics, a field he has remained in ever since. A natural progression of his career saw Mark start to explore the security aspect of his existing competencies, and since 2005 he has specialised in the Cyber Security domain. Mark has been the author of a number of QA Cyber Security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.