An unusual "shy z-wasp" phishing
Threat actors who send out phishing messages learned long ago that zero-width characters and unrendered HTML entities can be quite useful to them. Inserting a zero-width character into a hyperlink can bypass some URL security checks without breaking the link, while unrendered entities can break up suspicious words or sentences that might otherwise lead to the message being classified as potential phishing, all without the recipient being aware that they are there: the mail client decodes the entities before rendering, but a filter that looks at the raw HTML, or at the decoded text without normalizing it, sees "pass&shy;word" or "pass‍word" rather than "password".
One of the better-known techniques that depend on the use of zero-width characters (e.g., a Zero-Width Space (&#8203;, U+200B), a Zero-Width Non-Joiner (&#8204;, U+200C), a Zero-Width Joiner (&#8205;, U+200D), etc.) was named Z-WASP by the researchers at Avanan, who first discovered it being used to bypass O365 security filters in 2018 [1]. Nevertheless, the practice of using "invisible" characters in phishing messages is far older: for example, the soft hyphen or "SHY" HTML entity (&shy;, U+00AD) has been used by threat actors at least since 2010 [2].
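To make the evasion described in the two paragraphs above concrete, here is an added Python example (written for this page; it is not code from the diary or from any of the products mentioned). It takes a constructed HTML fragment built the way the diary describes the message, runs a toy keyword list and an exact-match URL blocklist over the raw HTML, over the entity-decoded text and over the decoded text with Unicode format characters removed, and counts the hidden characters. The fragment, the keyword list, the blocklist and the example.net URL are all assumptions.

```python
import html
import re
import unicodedata

# Constructed sample fragment modelled on the diary's description (ZWJ entities in
# the title, &shy; everywhere else, a zero-width space inside the link). It is not
# the original message, and example.net stands in for the real phishing host.
SAMPLE_HTML = (
    "<h1>Your pass&#8205;word will exp&#8205;ire</h1>"
    "<p>Ple&shy;ase confirm your cre&shy;dentials to ke&shy;ep your acc&shy;ount.</p>"
    '<a href="https://example.net/login&#8203;?user=victim">KEEP MY PASS&shy;WORD</a>'
)

# Toy filter rules (assumption: a keyword list and an exact-match URL blocklist).
PHISH_KEYWORDS = ("password", "credentials", "account")
BLOCKED_URLS = {"https://example.net/login?user=victim"}
URL_RE = re.compile(r'https?://[^\s"<>]+')


def decode_entities(fragment: str) -> str:
    """Turn &shy;, &#8205;, &#8203; ... into real code points, as a mail client does."""
    return html.unescape(fragment)


def strip_invisible(text: str) -> str:
    """Drop Unicode 'format' characters (category Cf): U+00AD SHY, U+200B ZWSP,
    U+200C ZWNJ, U+200D ZWJ and friends. None of them renders on its own."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def invisible_chars(text: str) -> dict:
    """Count each Cf code point present, e.g. {'U+00AD': 5, 'U+200D': 2}."""
    counts = {}
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            key = f"U+{ord(ch):04X}"
            counts[key] = counts.get(key, 0) + 1
    return counts


def keyword_hits(text: str) -> list:
    """Keywords found by a naive substring match (the kind of check being evaded)."""
    low = text.lower()
    return [kw for kw in PHISH_KEYWORDS if kw in low]


def blocked_hits(urls: list) -> list:
    """URLs that match the exact-match blocklist."""
    return [u for u in urls if u in BLOCKED_URLS]


def analyze(fragment: str) -> dict:
    """Run the same checks on the raw HTML, on the decoded text, and on the
    decoded text with format characters removed, so the three can be compared."""
    decoded = decode_entities(fragment)
    cleaned = strip_invisible(decoded)
    return {
        "hidden": invisible_chars(decoded),
        "hits_raw_html": keyword_hits(fragment),
        "hits_decoded": keyword_hits(decoded),
        "hits_cleaned": keyword_hits(cleaned),
        "urls_decoded": URL_RE.findall(decoded),
        "urls_cleaned": URL_RE.findall(cleaned),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key:14} {value!r}")
    print("blocked (decoded):", blocked_hits(report["urls_decoded"]))
    print("blocked (cleaned):", blocked_hits(report["urls_cleaned"]))
```

Only the third pass, over the decoded and normalized text, matches the keywords and the blocklisted URL; the raw HTML and the merely decoded text match nothing. Two caveats when turning this into a real rule: category Cf also covers characters with legitimate uses (ZWJ in emoji sequences and in Indic or Arabic scripts, bidirectional marks), so strip them on a working copy used for matching rather than rewriting the message, and treat a high count of Cf characters inside otherwise Latin-script text as a signal in its own right.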
Both of these techniques are relevant to the topic of today's diary: an interesting phishing message that arrived in our handler mailbox late last week.
At first glance, it looked like any other run-of-the-mill phishing message (apart from the use of an unusually small font and a somewhat hard to see red spot under the "KEEP MY PASSWORD" link)...
However, a look at the underlying HTML code proved to be quite interesting. As the following (somewhat cleaned-up) excerpt shows, the authors of the message decided to use both of the aforementioned techniques to break up the message text: zero-width joiners (&#8205;) were used in the title, while the SHY HTML entity (&shy;) was used everywhere else...
Although this "shy z-wasp" combination has most likely been used before, it is certainly unusual; if nothing else, it is the first time I have noticed these two techniques being used in the same e-mail. And it goes to show that even quite old techniques (speaking of the use of the SHY entity) are not necessarily irrelevant.
Regardless of the use of the unrendered characters, in this instance it is obvious at first glance that the message is not legitimate. However, this might not be the case with other messages in which threat actors decide to use the same techniques. Which leaves us with the question of whether there is anything we can do to increase the chances of detecting such messages on a human level, should the use of "invisible" characters lead to them bypassing any e-mail security filters we might have in place.
While we certainly can't teach non-technical recipients to read the HTML code of e-mail messages and look for hidden characters, for those who use Outlook we can do the next best thing: we can teach them to look at a message without HTML formatting. This can be done surprisingly easily. All one has to do is move the message into the Junk folder (if such a folder or its regional equivalent exists/is configured), and Outlook will remove most formatting and also display the targets of any links in-line with the text they are related to...
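The Junk folder view described above, approximated in code: an added Python example (written for this page; it is not part of the diary and not how Outlook implements its plain-text view) that flattens an HTML body to text, writes each link's target in angle brackets right after the visible link text, skips script and style content, and strips Unicode format characters so that split words read whole again. The message fragment and the example.net URL are constructed.

```python
from html.parser import HTMLParser
import re
import unicodedata

# Constructed sample, loosely modelled on the diary's description (tiny font,
# a "KEEP MY PASSWORD" link, &shy; splitting the words). Not the original
# message; example.net stands in for the real phishing host.
SAMPLE_HTML = (
    '<div style="font-size:4px">'
    "<p>Your pass&shy;word will exp&shy;ire to&shy;day.</p>"
    '<p><a href="https://example.net/verify?id=1234">KEEP MY PASS&shy;WORD</a></p>'
    "<style>p { color: red }</style>"
    "</div>"
)

# Tags after which a line break is emitted (assumption: a small, common subset).
BLOCK_TAGS = {"p", "div", "br", "h1", "h2", "h3", "li", "tr", "table"}


def strip_invisible(text: str) -> str:
    """Remove Unicode format characters (category Cf: SHY, ZWSP, ZWNJ, ZWJ, ...)."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


class JunkView(HTMLParser):
    """Collect the visible text, put each link's target in angle brackets right
    after the link text, and remember (text, href) pairs for later checks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &shy;, &#8205; ... -> code points
        self.parts = []
        self.links = []
        self.href = None
        self.link_text = []
        self.hidden = 0  # nesting depth inside <script>/<style>, never displayed

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.hidden += 1
        elif tag == "a":
            self.href = dict(attrs).get("href")
            self.link_text = []
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.hidden = max(0, self.hidden - 1)
        elif tag == "a":
            if self.href:
                self.parts.append(f" <{self.href}>")
                text = strip_invisible("".join(self.link_text)).strip()
                self.links.append((text, self.href))
            self.href = None
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        if self.hidden:
            return
        self.parts.append(data)
        if self.href is not None:
            self.link_text.append(data)


def render_plain(fragment: str) -> str:
    """Return the message roughly as Outlook's Junk view shows it: no markup,
    link targets inline, format characters dropped, blank lines collapsed."""
    parser = JunkView()
    parser.feed(fragment)
    parser.close()
    text = strip_invisible("".join(parser.parts))
    lines = [re.sub(r"[ \t]+", " ", line).strip() for line in text.splitlines()]
    return "\n".join(line for line in lines if line)


def extract_links(fragment: str) -> list:
    """(visible text, href) pairs, with format characters removed from the text."""
    parser = JunkView()
    parser.feed(fragment)
    parser.close()
    return parser.links


if __name__ == "__main__":
    print(render_plain(SAMPLE_HTML))
    for text, href in extract_links(SAMPLE_HTML):
        print(f"link text {text!r} -> {href}")
```

Run over the sample, the output is two lines, "Your password will expire today." and "KEEP MY PASSWORD <https://example.net/verify?id=1234>", which is exactly the kind of view that lets a recipient (or an analyst triaging a reported message) spot that a link labelled as a password-keeping action points somewhere unexpected. The (text, href) pairs from extract_links are the natural input for an automated mismatch check.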
This might not always lead to a "this is obviously malicious" conclusion on the part of the recipient, but it is quick and, in some cases (as in this one), can certainly show that something is amiss with an otherwise trustworthy-looking message.
So, if you work at a company which uses Microsoft's e-mail client, and you are responsible for security awareness building, teaching users to drag and drop any message they are unsure of into the Junk folder might be advisable, especially if you don't have a security operations team that could analyze suspicious messages submitted by employees on a continuous basis.
[1] https://emailsecurity.checkpoint.com/blog/zwasp-microsoft-office-365-phishing-vulnerability
[2] https://threatpost.com/spammers-using-shy-character-hide-malicious-urls-100710/74558/
-----------
Jan Kopriva
Nettles Consulting