Earlier this month, security researchers at Avanan discovered a new zero-width space (ZWSP) vulnerability that was confirmed to have affected Office 365 environments between November 10th, 2018 until January 9th, 2019. ZWSP strings are non-printing Unicode characters normally used to do benign things, such as for enabling line wrapping in long words. However, with this vulnerability attackers used ZWSP strings such as to break up malicious URLs in order to avoid detection by security measures. In the case of Office 365, this technique allowed malicious URLs to completely bypass the security checks of both Office 365 EOP and Office 365 ATP.
Normally, Office 365 security checks would have successfully examined and detected a malicious URL string sent to a user via email. Subsequently, any user clicking a malicious embedded link would be redirected to a red Microsoft security splash page alerting the user to the potential risks of proceeding to the associated webpage. However, by using the ZWSP vulnerability a user would be able to open the raw HTML of an email and then modify a malicious URL such as “www.verybadstuff.com” to become “www.verybadstuff.com”, completely bypassing the Office 365 security checks.
While this vulnerability has since been fixed by Microsoft, Avanan reported over 90% of their client base had been hit with attempted phishing emails that utilized this vulnerability. Moving forward we expect to see similar vulnerabilities to bypass security filters for URLs. Nonetheless, we were impressed with the relative ease of executing this particular vulnerability. Below we have listed some steps to help safeguard your users.
Proficio Threat Intelligence Recommendations:
- Regularly conduct phishing awareness training.
- Perform checks for this vulnerability when performing internal audits.
- Ensure Microsoft systems have been updated with the latest patches.
Avanan Security Blog – Click Here
Vulnerability Demo Video – Click Here
