
Microsoft 365 Anti-Phishing Measure Compromised by CSS Flaw

A vulnerability in Microsoft 365's anti-phishing tool allows attackers to hide warning messages about new senders, increasing the risk of attacks.


A security flaw has been identified in Microsoft 365’s anti-phishing tool, potentially putting users at risk of malicious email attacks. The ‘First Contact Safety Tip’ feature in Microsoft Outlook, designed to alert users when receiving emails from new contacts, is impacted.

Mechanism of the Flaw

In Outlook, the ‘First Contact Safety Tip’ feature adds a warning within the email’s HTML body to alert users about new senders. Researchers at Certitude found a way to make this warning disappear using specific CSS rules embedded within the HTML.

By altering CSS properties such as font color and size and background color, and by hiding anchor tags, attackers can conceal the warning from view, increasing the chance that users open harmful emails. The safety tip still appears in the email preview, but it vanishes from the email body because of these manipulations.

Spoofing Encrypted Email Indicators

Certitude’s findings also indicate that attackers can fake the icons for encrypted or signed emails in Microsoft Outlook. By adding particular HTML code, emails can falsely appear secure, though differences in formatting may exist, potentially duping less attentive users.

Certitude reported this vulnerability through the Microsoft Researcher Portal. Microsoft acknowledged the issue but said it does not warrant immediate action and marked it for future review, noting its relevance to phishing.

Research and Reporting

Researchers William Moody and Wolfgang Ettlinger from Certitude conducted the study. They have not encountered real-world exploitation of this flaw or found a method to exploit HTML to show arbitrary text in emails. Detailed information is available in their report on Certitude’s website.

This vulnerability underscores challenges in securing email communications. The exploit’s success hinges on deceiving at least a few recipients, highlighting the necessity of diligence and continual security updates.

The ‘First Contact Safety Tip’ is part of the anti-phishing suite within Exchange Online Protection (EOP) and Microsoft Defender for Office 365. Notably, some CSS rules such as display: none and opacity: 0 have no effect on the table that carries the warning, but setting its background and font colors to white hides the alert effectively.
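As an added illustration of the hiding techniques described in the two paragraphs above (white-on-white colours, shrunken fonts, hidden anchor tags), the following defensive script scans an email's inline stylesheet and flags rules that could blank an injected warning. It is example code written for this page, not Certitude's or Microsoft's; the sample email and the .tip-box selector are constructed placeholders, since the real markup Outlook injects is not given in the article.

```python
import re

# Constructed sample email body carrying the kind of CSS the article describes:
# white-on-white text, a tiny font size and hidden anchor tags. The ".tip-box"
# selector is a placeholder, not the real markup Outlook injects for the Safety Tip.
SAMPLE_EMAIL_HTML = """<html><head><style>
  .tip-box { background-color: #FFFFFF; color: white; font-size: 1px; }
  .tip-box a { display: none; }
</style></head><body>
<table class="tip-box"><tr><td>You don't often get email from sender@example.com</td></tr></table>
<p>Please review the attached invoice.</p></body></html>"""

# Colour spellings that all mean white; a fuller version would normalise any colour.
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}

def _norm_color(value):
    v = value.strip().lower().replace(" ", "")
    return "#ffffff" if v in WHITE else v

def _parse_rules(css):
    """Yield (selector, {property: value}) for every rule in a <style> block."""
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        decls = {}
        for decl in body.split(";"):
            if ":" in decl:
                prop, val = decl.split(":", 1)
                decls[prop.strip().lower()] = val.strip().lower()
        yield selector.strip(), decls

def find_suspicious_css(html):
    """Return (selector, reason) findings for CSS that could blank an inline warning."""
    findings = []
    for style in re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S):
        for selector, d in _parse_rules(style):
            fg = _norm_color(d.get("color", ""))
            bg = _norm_color(d.get("background-color", d.get("background", "")))
            if fg and bg and fg == bg:
                findings.append((selector, "text colour equals background colour"))
            size = re.match(r"(\d*\.?\d+)\s*(px|pt)?$", d.get("font-size", ""))
            if size and float(size.group(1)) <= 1:
                findings.append((selector, "near-zero font size"))
            if re.search(r"(^|\s)a\b", selector) and d.get("display") == "none":
                findings.append((selector, "anchor tags hidden with display: none"))
    return findings

if __name__ == "__main__":
    for selector, reason in find_suspicious_css(SAMPLE_EMAIL_HTML):
        print(f"{selector!r}: {reason}")
```

The check is a heuristic for mail-gateway or triage tooling: a legitimate newsletter can also use white text on a white background, so findings are a prompt for inspection rather than a verdict.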

Last Updated on November 7, 2024 3:22 pm CET

Source: Certitude
Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
