Check your email carefully: Experts warn that anti-phishing tools in Microsoft 365 can be easily bypassed
Microsoft Outlook users have been warned to be extra careful when opening emails from unknown sources, after a report emerged stating that Microsoft Outlook’s anti-phishing tools can be easily exploited.
In a report, Certitude researchers William Moody and Wolfgang Ettlinger demonstrated how anti-phishing measures in Microsoft 365 can be easily abused and bypassed, potentially giving criminals the opportunity to target victims with malicious emails.
The team says it has reported its findings to Microsoft, but the company has chosen not to address the issue yet, meaning Outlook users could be at risk.
Anti-phishing mistakes
The Certitude team outlined how the issue lies with the “First Contact Safety Tip” feature in Outlook, a pop-up warning that appears when a user receives an email from an unknown address, in the form of a message that reads “You don’t often receive email from xyz@example.com. Learn why this is important.”
The warning is added to the body of the email, and Certitude warns that, because it is rendered there, it can be manipulated using Cascading Style Sheets (CSS) included in the body of the message itself.
The team found that certain CSS rules can hide anchor tags so that the warning doesn’t appear when a link is added. They can also change the font color to white and the font size to zero, which will hide the warning.
A third rule ensures that each td element in the tbody of a table has a white background and white text, effectively making the content blend into the background and thus appear invisible.
If all of these CSS rules are enforced, a phishing email may be sent without the victim being notified.
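As an added example, not code from the Certitude report or from Microsoft, the following heuristic scanner flags the three CSS patterns described above in an inbound HTML message, the kind of check a mail gateway or SOC triage script might run; the sample markup and selectors are constructed for the test, and legitimate styling will need tuning to keep false positives down.

```python
import re

# Constructed sample input (not a real message): a <style> block carrying the
# three rule shapes described above: hidden anchors, white zero-size text,
# and white-on-white table cells, plus one harmless rule as a control.
SAMPLE_HTML = """<html><head><style>
a { display: none; }
span.x { color: #FFF; font-size: 0px; }
table tbody td { background-color: white; color: white; }
p { color: #333; }
</style></head><body><p>Hello</p></body></html>"""

WHITE = re.compile(r"^(white|#fff|#ffffff|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))$")
ZERO = re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$")

def css_rules(html):
    """Yield (selector, {property: value}) for every rule in every <style> block."""
    for block in re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S):
        block = re.sub(r"/\*.*?\*/", "", block, flags=re.S)  # drop CSS comments
        for sel, body in re.findall(r"([^{}]+)\{([^}]*)\}", block):
            decls = {}
            for d in body.split(";"):
                if ":" in d:
                    k, v = d.split(":", 1)
                    decls[k.strip().lower()] = v.strip().lower()
            yield sel.strip().lower(), decls

def targets_element(selector, tag):
    """True if any simple selector in the rule names the given element tag."""
    return any(re.match(rf"{tag}(?![\w-])", part.strip())
               for part in re.split(r"[\s>+~,]+", selector) if part.strip())

def suspicious_css(html):
    """Return (finding, selector) pairs for CSS that could blank out injected text."""
    findings = []
    for sel, d in css_rules(html):
        if targets_element(sel, "a") and d.get("display") == "none":
            findings.append(("hidden-anchor", sel))
        if WHITE.match(d.get("color", "")) and ZERO.match(d.get("font-size", "")):
            findings.append(("invisible-text", sel))
        bg = d.get("background-color", d.get("background", ""))
        if targets_element(sel, "td") and WHITE.match(bg) and WHITE.match(d.get("color", "")):
            findings.append(("white-on-white-cell", sel))
    return findings

if __name__ == "__main__":
    for kind, sel in suspicious_css(SAMPLE_HTML):
        print(f"{kind}: {sel}")
```

Treat hits as scoring signals to combine with sender reputation rather than as a hard block, since newsletters and templated mail use white text and hidden elements legitimately.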
On the other end of the spectrum, Certitude also found that adding more HTML code that mimics official Microsoft Outlook icons within encrypted or signed emails can make a phishing message appear even more secure.
The team says it contacted Microsoft about its findings and received the following statement: “We have determined that your finding is valid, but does not meet our bar for immediate service as it primarily applies to phishing attacks. However, we have still flagged your finding for future review as an opportunity to improve our products.”