Researchers find flaw in Microsoft 365's anti-phishing feature through CSS style tags

Researchers have uncovered a method to bypass an anti-phishing measure in Microsoft 365, raising concerns about the security of Outlook users. The vulnerability targets the 'First Contact Safety Tip,' a feature designed to alert users when they receive emails from unfamiliar addresses.

William Moody and Wolfgang Ettlinger from Certitude demonstrated that this alert can be hidden using Cascading Style Sheets (CSS) embedded within the email body. With CSS rules applied to the email's HTML, they can hide anchor tags, change font colors to white, and set font sizes to zero, effectively concealing the alert. Additionally, certain CSS rules can make the content blend into the background, rendering it invisible. The researchers also found that adding more HTML code to spoof official Outlook icons can make phishing emails appear more secure.

Although the researchers reported their findings to Microsoft, the company has yet to address the issue, leaving users vulnerable. Microsoft acknowledged the problem but stated that it doesn't meet its threshold for immediate action, though it is marked for future review. Users are advised to exercise caution when opening emails from unknown sources.
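For mail filtering or triage, the styling tricks described above can be flagged before a message reaches the inbox. The following is an added example, not code from Certitude or Microsoft: it scans the `<style>` blocks of an HTML body for rules that hide elements, whiten text, or zero the font size. The function names, the bare-element-selector heuristic, and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Declarations matching the tricks the article lists.
SUSPICIOUS = {
    "display": re.compile(r"^none$"),
    "color": re.compile(r"^(white|#fff(fff)?|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))$"),
    "font-size": re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$"),
}
# Assumption: selectors built only from bare element names (a, td div) can
# also match markup the sender did not write, such as an injected banner.
BARE_ELEMENT = re.compile(r"^[a-z][a-z0-9]*(\s*[>\s]\s*[a-z][a-z0-9]*)*$")

class StyleCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_style, self.css = False, []
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def find_hiding_rules(html):
    """Return (selector, property, value) for each broad rule that hides content."""
    collector = StyleCollector()
    collector.feed(html)
    # Strip CSS comments so they cannot split a property name or value.
    css = re.sub(r"/\*.*?\*/", "", "".join(collector.css), flags=re.S)
    findings = []
    for selectors, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        for decl in body.split(";"):
            prop, _, value = decl.partition(":")
            prop = prop.strip().lower()
            value = value.lower().replace("!important", "").strip()
            pattern = SUSPICIOUS.get(prop)
            if pattern and pattern.match(value):
                findings += [(s.strip().lower(), prop, value)
                             for s in selectors.split(",")
                             if BARE_ELEMENT.match(s.strip().lower())]
    return findings

# Constructed sample message body, not taken from the research.
SAMPLE_EMAIL = """<html><head><style>
a { display: none; }
td div { color: #FFFFFF; font-size: 0px !important; }
p.note { color: white; }
</style></head><body><p class="note">Quarterly report attached.</p></body></html>"""
```

The class-scoped `p.note` rule is not reported because it can only match elements the sender marked up; inline `style` attributes are outside what this check covers.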

by Mauricio B. Holguin

