Hackers Using Zero-Width Spaces to Bypass Office 365

A new technique is currently being used in order to bypass a security feature in Microsoft Office 365 called Safe Links. Safe Links was originally developed to protect users from malware and phishing attacks and currently works as part of Microsoft Advanced Threat Protection (ATP) solution that replaces all URL’s in an incoming email with Microsoft-owned secure URL’s. This provides a layer of protection every time a user clicks on a link in an email. Safe Links first sends the user to a Microsoft owned domain, where it checks the original link for anything suspicious. If the original link is suspicious, it warns the user about it, if not, it redirects to the legitimate web page.

However, attackers have been utilizing Zero-Width SPaces (ZWSPs) in order to bypass both Office 365 URL reputation check and Safe Links URL protection features. Zero-width spaces are non-printing Unicode characters that are typically used to enable line wrapping in long words, and most applications treat them as a regular space, even though it is not visible to the eye.

By inserting multiple zero-width spaces within the malicious URL in their phishing emails, it breaks the pattern in a way that Microsoft does not recognize it as a link, therefore, it doesn’t go through the typical URL filtering process. Microsoft has not released a statement regarding this type of attack, and there are no workarounds currently available. This comes down to user awareness and being on the lookout for suspicious links and landing pages that do not match the correct domain.