Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net

A simple HTML change and the warning is gone!


Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks.

William Moody, IT security consultant at Certitude, blogged today about how First Contact Safety Tip – a banner displayed in Outlook when a user receives a message from an address that typically doesn't contact them – can be hidden (mostly) using CSS style tags.

Because the First Contact Safety Tip is added to the HTML code of an email before the message content, all a phisher would have to do is craft an email solely in HTML, changing the banner's background and font both to white, and voila, the banner still exists but is no longer visible.

Moody said: "Although applying some more common CSS rules such as display: none, height: 0px, and opacity: 0 to the table itself doesn't seem to work, either due to the inline CSS in the elements or due to lack of support by the rendering engine Outlook uses, it is possible to change the background and font colors to white so that the alert is effectively invisible when rendered to the end user viewing the email."

The only drawback to this one is that the email preview displayed in the left-side pane in Outlook will still display the First Contact Safety Tip message in small, grey text under the email body preview.

That said, the preview is small and will likely be truncated on most display setups, making it easy to miss for those unaware of the message or working too quickly to pay attention.
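The banner-hiding trick above relies on text and background being set to the same colour. As an added illustration (not code from the article or from Certitude), the following script flags HTML e-mail elements whose inline CSS gives text and background an identical colour, the sort of check a mail gateway or SOC enrichment step could run over inbound bodies; the sample message is constructed here and is not a real Outlook banner.

```python
import re
from html.parser import HTMLParser

NAMED = {"white": "#ffffff", "black": "#000000"}  # extend as needed


def normalize_color(value):
    """Return a lowercase #rrggbb string, or None if the value is not a plain colour."""
    v = NAMED.get(value.strip().lower(), value.strip().lower())
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:  # expand #fff -> #ffffff
        v = "#" + "".join(c * 2 for c in m.group(1))
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        v = "#%02x%02x%02x" % tuple(min(int(x), 255) for x in m.groups())
    return v if re.fullmatch(r"#[0-9a-f]{6}", v) else None


def parse_style(style):
    """Split an inline style attribute into {property: value}."""
    out = {}
    for decl in style.split(";"):
        prop, sep, val = decl.partition(":")
        if sep:
            out[prop.strip().lower()] = val.strip()
    return out


class InvisibleTextFinder(HTMLParser):
    """Collect elements whose inline 'color' equals their inline background colour."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style")
        if not style:
            return
        css = parse_style(style)
        fg = normalize_color(css.get("color", ""))
        # 'background' shorthand is only matched when it is a bare colour value
        bg = normalize_color(css.get("background-color", css.get("background", "")))
        if fg and bg and fg == bg:
            self.hits.append((tag, fg))


def find_invisible_text(html):
    """Return [(tag, colour), ...] for every element with same-colour text and background."""
    finder = InvisibleTextFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample, not from the article: a white-on-white table followed by visible body text.
SAMPLE = ('<html><body><table style="background-color: white; color: #FFF">'
          "<tr><td>You don't often get email from this sender.</td></tr></table>"
          '<p style="color:#000">Please review the attached invoice.</p></body></html>')
```

A hit on an element that also contains text is a strong signal that something is being hidden from the reader; stylesheet rules in a `<style>` block are not inspected here.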

As an added layer of perceived legitimacy to a potential phishing email, the same method can be applied to add a seemingly legitimate note to show the message was encrypted or signed.

Again, there are a few caveats to this. It's not a like-for-like spoof – the formatting will look different to more attentive or experienced Outlook users and it takes a little tweaking to achieve a halfway convincing end result.

For example, to add a note to an email reading "Signed by c.jones@elreg.com", you would have to replace the period in the email address with the Unicode character U+2024 to prevent a mailto link from being generated, which would diverge from what's normally displayed.

However, as Moody noted: "It only takes one person to fall for the phishing attack for an adversary to gain a foothold in the organization."

The researchers, Moody and Wolfgang Ettlinger, informed Microsoft about this in February but their findings aren't going to be addressed in the short term.

"We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks," Microsoft told the pair. 

"However, we have still marked your finding for future review as an opportunity to improve our products." ®
