Have you recently received an email that includes tiny font?
Security researchers at Avanan, a part of the Check Point Security family, recently discovered the One Font phishing email campaign targeting commercial emails.
Such emails used a novel technique to bypass automated protection filters.
Do you want to know how to identify this threat?
More Details About the One Font Phishing Campaign
Avanan recorded campaign activity in September 2021. This particular effort attempted to compromise Microsoft 365 user accounts and used multiple methods to obfuscate malicious components of messages.
The campaign was named OnePoint by the security team because it hides text strings in the body of emails, using a font that is rendered as a single pixel per letter on the screen, making it virtually invisible.
Another obfuscation tactic used in the phishing emails was nesting malicious links within the emails’ CSS component.
According to the report published online, the purpose of this type of nesting and obfuscation is to confuse natural language filters, such as Microsoft’s NLP or “natural language processing” technology.
Malicious links are also embedded within the HTML source tags of the campaign’s emails. This also serves to mask malicious content and confuse automated filters.
The company that spotted this September 2021 campaign also spotted a similar one three years ago (in 2018), when bad actors used zero-size fonts that never appear on the user’s screen, not even as a single row of pixels. This fooled email scanners that depended on natural language processing to identify malicious content.
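A static check for the hidden-text technique described above, as an added example that is not Avanan's or this article's own code: it parses an HTML email body and reports text inside elements whose inline font-size is one pixel or less (including zero), plus URLs referenced from CSS. The size cut-offs, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(px|pt|em|rem|%)?", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(https?://[^'\")\s]+)", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
TINY = {"px": 1.0, "pt": 1.0, "em": 0.1, "rem": 0.1, "%": 10.0, "": 0.0}  # assumed cut-offs

def tiny_font(style):  # True/False if a font-size is declared, None if not
    m = FONT_SIZE.search(style)
    return None if m is None else float(m.group(1)) <= TINY[(m.group(2) or "").lower()]

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # per open element: is its text unreadably small?
        self.in_style = False  # currently inside a <style> block
        self.hidden_text, self.css_urls = [], []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        self.css_urls += CSS_URL.findall(style)
        self.in_style = self.in_style or tag == "style"
        if tag not in VOID:
            own = tiny_font(style)
            inherited = self.stack[-1] if self.stack else False
            self.stack.append(inherited if own is None else own)

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:
            self.css_urls += CSS_URL.findall(data)
        elif self.stack and self.stack[-1] and data.strip():
            self.hidden_text.append(data.strip())

def scan(html):
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return {"hidden_text": scanner.hidden_text, "css_urls": scanner.css_urls}

# Constructed sample message body, not taken from the campaign.
SAMPLE = """<style>.b{background:url('https://login.example.invalid/a.png')}</style>
<p>Your pass<span style="font-size:1px">qzx</span>word is about to ex<span style="FONT-SIZE: 0">lorem</span>pire.</p>
<div style="background-image:url(https://cdn.example.invalid/x)"><b style="font-size:14px">Sign in</b></div>"""
```

The scanner reads inline `style` attributes only; sizes applied through a class in a `<style>` block are not resolved, so a production filter would need a CSS-aware pass for those.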
Researchers recommend that organizations opt for a multi-tiered security solution. Such a solution should combine advanced artificial intelligence and machine learning, and include static layers, like domain and sender reputation screens.
How to Avoid the One Font Phishing Campaign
Implementing a security architecture that focuses on multiple factors in identifying and blocking malicious emails can help mitigate attacks. In addition, corporate users are encouraged to confirm content validity with an IT department ahead of clicking on questionable messages.
The hook used in OnePoint’s phishing campaign is a fake “your password is about to expire” message. The victim is then lured into entering their credentials into fake login forms that simply funnel the entered login data to the bad actors’ servers.
As an additional defense against similar attacks that use novel obfuscation techniques, security researchers recommend using a secondary machine-learning artificial intelligence security layer added on top of any natural language filters.
Are you prepared for phishing, smishing, vishing, and other types of threats like these?
Don’t worry if you’re not… because you’re not alone.
And that’s good news. Our team of experts has identified a common pattern of cybersecurity threats and we are protecting our customers from most of what’s out there.
We invite you to talk and get your questions answered!