Posted June 26, 2018
Phishing is by far the biggest security threat to any organization. It’s the most common source of attacks and has been at the root of spectacular cyber incidents like the Sony hack and the Petya ransomware attack. Due to the grave danger that phishing poses, remedies are highly sought after. Lately, companies have turned to machine learning and artificial intelligence, the supposed solutions to all societal problems, to combat phishing.
It’s a seductive proposition: AI-based products promise flawless security – “it’s a machine, it doesn’t make mistakes!” – alongside convenience, since they automate the process. One implementation of this is Microsoft’s Office 365 “Advanced Threat Protection”, which checks emails for words and phrases that could hint at malicious activity, such as impersonation of legitimate companies (e.g. Apple or Microsoft) and sentences asking for payments or password resets.
However, researchers at Avanan revealed on June 19th how hackers can bypass Microsoft’s tool by adding random words to the email body at font size zero (‘ZeroFont’), which will appear to the scanner as unstructured, non-malicious gibberish. To the recipient, the ZeroFont text is invisible, thus creating an entirely different email.
You read that right! A technique used by students to pad their assignment papers is enough to fool a cutting-edge algorithm.
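The root cause of the ZeroFont bypass is that the scanner classifies the raw text of the message while the recipient reads the rendered text, and the two differ. One defensive check that follows from this is to strip zero-size runs before scanning and to treat any message containing them as suspicious. The example below is added here to illustrate that check; it is not Microsoft's or Avanan's code, the sample HTML is constructed, and the `SUSPICIOUS` phrase list is a stand-in for whatever content rules a real filter applies.

```python
import re
from html.parser import HTMLParser

# Matches a CSS declaration that sets font-size to zero in any unit
# (font-size:0, font-size: 0px;, FONT-SIZE:0pt, font-size:0.0em).
# It deliberately does not match 0.5em or 10px.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0*)?\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)


class ZeroFontParser(HTMLParser):
    """Separates the text a recipient sees from the text a naive scanner sees."""

    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden) per open element; hidden is inherited
        self.visible = []        # text chunks that would actually be rendered
        self.raw = []            # every text chunk, as a text-only scanner sees it
        self.hidden_chunks = 0   # number of non-blank zero-font text runs

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1][1] if self.stack else False
        self.stack.append((tag, inherited or bool(ZERO_FONT_RE.search(style))))

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        # Pop back to the matching open tag so sloppy HTML does not desync us.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.raw.append(data)
        if self.stack and self.stack[-1][1]:
            if data.strip():
                self.hidden_chunks += 1
        else:
            self.visible.append(data)


def _normalise(text):
    return " ".join(text.split())


def analyse(html):
    """Return rendered text, raw text and the count of zero-font runs."""
    parser = ZeroFontParser()
    parser.feed(html)
    parser.close()
    return {
        "visible": _normalise("".join(parser.visible)),
        "raw": _normalise("".join(parser.raw)),
        "hidden_chunks": parser.hidden_chunks,
    }


# Stand-in for a content rule set (assumption, not a real product's rules).
SUSPICIOUS = ("account has been suspended", "reset your password", "verify your account")


def scan(text):
    lowered = text.lower()
    return [phrase for phrase in SUSPICIOUS if phrase in lowered]


def flag_zero_font(html):
    """Run the phrase scan on both views and report the zero-font evidence."""
    result = analyse(html)
    return {
        "naive_hits": scan(result["raw"]),          # what a raw-text scanner matches
        "rendered_hits": scan(result["visible"]),   # what the recipient actually reads
        "hidden_chunks": result["hidden_chunks"],
    }


def is_zero_font_suspicious(html):
    """Flag a message if it carries zero-font text or if the rendered view
    matches rules that the raw view does not."""
    report = flag_zero_font(html)
    return report["hidden_chunks"] > 0 or bool(
        set(report["rendered_hits"]) - set(report["naive_hits"])
    )


# Constructed sample: zero-size spans are spliced into the middle of the
# phrases a filter would look for, so the raw text never contains them intact.
SAMPLE_HTML = (
    "<html><body><p>"
    "Dear customer, your Apple account has "
    "<span style='font-size:0'>lorem ipsum</span>been suspended. "
    "Please reset your <span style=\"font-size: 0px;\">dolor</span>password "
    "<span style='FONT-SIZE:0pt'>sit amet</span>within 24 hours."
    "</p></body></html>"
)

if __name__ == "__main__":
    print(flag_zero_font(SAMPLE_HTML))
    print("suspicious:", is_zero_font_suspicious(SAMPLE_HTML))
```

On the constructed sample the raw view yields no phrase hits while the rendered view hits two rules, and three hidden runs are counted; either signal alone is enough to quarantine the message. The parser treats zero font size as inherited by nested elements, which is why a hidden wrapper hides everything inside it, and it only looks at inline `style` attributes, so a production version would also need to resolve stylesheet rules and other invisibility tricks (matching text and background colour, off-screen positioning).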