In an attempt to combat the huge number of malicious URLs sent in emails, Microsoft a few years ago added a feature called Safe Links to its Office 365 suite.

Safe Links works by rewriting every URL in an incoming email so that it points to a Microsoft-owned domain instead of the original destination.

When the user clicks the rewritten link, the request goes to that Microsoft domain first, which checks the original URL at the time of the click for signs that it is malicious, such as redirects to known-bad destinations, malware downloads or cross-site scripting (XSS) payloads.

If the URL is clean, the user is forwarded to the original site. If the check finds anything suspicious, the user is shown a warning page instead and the request for the original resource is blocked.

As we all know, as soon as a vendor creates a way to thwart attackers, the attacker community answers with a new approach, and some of these approaches are quite clever in how they work.

Cloud security company Avanan (www.avanan.com) has published details of a novel attack that bypasses the URL checking Safe Links performs, and to the untrained eye the attack is invisible.

The attack uses non-printing Unicode formatting characters, collectively referred to as Zero-Width Spaces (ZWSPs).

All modern browsers and mail clients handle these characters because they are legitimate Unicode formatting characters: the zero-width space marks a permissible line-break point inside a long word, and the zero-width joiner and non-joiner control whether adjacent characters are joined into a ligature or cursive form. They occupy no space on screen, so text containing them looks identical to text without them, while any software that pattern-matches on the raw characters sees a string that no longer looks like a URL. That mismatch between how text is rendered and how it is parsed is how the attack works.

The values in question (written as HTML numeric character references) are:

  • &#8203; – Zero-Width Space (U+200B)
  • &#8204; – Zero-Width Non-Joiner (U+200C)
  • &#8205; – Zero-Width Joiner (U+200D)
  • &#65279; – Zero-Width No-Break Space (U+FEFF, also used as the byte-order mark)
  • &#65296; – Full-Width Digit Zero (U+FF10)

Note that the last of these is not actually zero-width: it is a visible, wider glyph that looks like an ordinary 0, so it acts as a look-alike character rather than an invisible one.

To carry out the attack, the attacker inserts several of these characters into a malicious URL in the email body, breaking the pattern matching that Safe Links uses to recognise a URL. The URL is therefore never caught and rewritten to a safe one, and because the mail client renders the inserted characters as nothing, the recipient simply receives the original, malicious URL, looking normal and ready to click.
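As an added illustration (not Avanan's or Microsoft's code, and not part of the original post), the Python below shows the mechanism with a deliberately simple URL regex standing in for a link-rewriting filter: the padded URL slips past a matcher that works on the decoded text, while a matcher that first strips Unicode format characters and applies NFKC normalisation recovers it. The sample message and the example.com URL are constructed for the demonstration, and the regex is an assumption, not the real Safe Links pattern.

```python
import html
import re
import unicodedata

# Hypothetical URL matcher standing in for a link-rewriting filter. The real
# Safe Links pattern is not public; this one exists only to show the failure mode.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~%/?=&\-]*)?")


def decode(text):
    """Decode HTML numeric character references (&#8203; etc.) into the
    characters a mail client would actually render."""
    return html.unescape(text)


def naive_find_urls(text):
    """Match URLs directly on the decoded text, without normalisation.
    The zero-width characters sit between the letters of the URL, so the
    regex sees 'http<ZWSP>s://exa<ZWNJ>mple...' and never matches."""
    return URL_RE.findall(decode(text))


def normalise(text):
    """Decode entities, drop every Unicode format character (category Cf,
    which covers all four zero-width characters in the post) and apply NFKC
    so compatibility look-alikes such as FULLWIDTH DIGIT ZERO fold to ASCII."""
    decoded = decode(text)
    visible = "".join(ch for ch in decoded if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", visible)


def find_urls(text):
    """Match URLs after normalisation: the padded URL is reassembled first."""
    return URL_RE.findall(normalise(text))


def suspicious_chars(text):
    """Names of characters that are invisible (Cf) or that NFKC changes
    (look-alikes). A detection signal in its own right: such characters
    have no legitimate business inside a URL."""
    names = []
    for ch in decode(text):
        if unicodedata.category(ch) == "Cf" or unicodedata.normalize("NFKC", ch) != ch:
            names.append(unicodedata.name(ch, f"U+{ord(ch):04X}"))
    return names


# Constructed sample (not a real phishing message): the URL in the HTML body is
# padded with the five references listed in the post. example.com is a reserved
# documentation domain, not a real target.
PADDED_HTML = (
    "Please review your invoice at "
    "http&#8203;s://exa&#8204;mple.c&#8205;om/log&#65279;in?id=1&#65296;"
)

if __name__ == "__main__":
    print("rendered text :", repr(decode(PADDED_HTML)))
    print("naive match   :", naive_find_urls(PADDED_HTML))
    print("normalised    :", find_urls(PADDED_HTML))
    print("odd characters:", suspicious_chars(PADDED_HTML))
```

Stripping the whole Cf category rather than just the four listed code points also removes soft hyphens and bidirectional control characters, which can be abused the same way, and NFKC handles the full-width digit without a hand-written look-alike table. Note that the detection side (`suspicious_chars`) is the cheaper check: a URL that contains any of these characters at all is a strong signal on its own, before any reputation lookup.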

Avanan has published a video on YouTube showing the attack working - www.youtube.com/watch?&v=H5vhe3H7n-w

Microsoft is currently looking at addressing this issue in a future update.

QA offers numerous cyber security courses that cover phishing attacks, what to look for and how to protect yourself. See our website for more details - cyber.qa.com
