Cyber Security

The Invisible Attack

QA Cyber Training Delivery Manager, Mark Amory, looks at the technology Microsoft is implementing in an attempt to combat the huge number of malicious URLs sent in emails.

A few years ago, in an attempt to combat the huge number of malicious URLs sent in emails, Microsoft implemented a technology called Safe Links in their Office 365 suite.

Safe Links works by replacing every URL in an email with one that points to a secure, Microsoft-owned domain.

When a user clicks the link, the request is sent to that domain, which checks whether the original URL contains anything malicious, such as redirects, malware, XSS, etc.

If the URL is fine, the user is taken to the site in the link; if the scan uncovers anything unusual, the user is presented with a warning and the request for the resource is terminated.

As we all know, as soon as a company creates a way to thwart an attacker, the attacker community retaliates with a new approach, and sometimes these approaches are quite clever in how they work.

Cloud security company Avanan (www.avanan.com) has released information regarding a novel attack that bypasses the URL checking Safe Links performs, and to the untrained eye the attack is invisible.

The attack involves the use of non-printing whitespace characters, also known as Zero-Width Spaces (ZWSPs).

All modern browsers support ZWSPs because they are simply non-printing Unicode values, normally used to allow line or word wrapping inside long words or sentences. Most applications treat these values as an ordinary space or ignore them entirely, and that is what the attack relies on.

The values in question are:

  • &#8203; (U+200B) – Zero-Width Space
  • &#8204; (U+200C) – Zero-Width Non-Joiner
  • &#8205; (U+200D) – Zero-Width Joiner
  • &#65279; (U+FEFF) – Zero-Width No-Break Space
  • &#65296; (U+FF10) – Full-Width Digit Zero (not itself zero-width, but a look-alike for the ASCII digit 0)


To carry out the attack, a malicious URL is padded with multiple ZWSPs in such a way as to break the pattern matching Safe Links uses to recognise a URL. The URL is therefore never caught and replaced with a safe one, so the user simply receives the original, malicious URL, ready to click on.
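The following is an added example, not code from the article, from Avanan or from Microsoft, showing the defensive counterpart of what is described above: a mail scanner should decode HTML entities, strip Unicode format characters (category Cf, which covers ZWSP, ZWNJ, ZWJ and the no-break space) and apply NFKC normalisation (which folds the full-width digit zero back to an ASCII 0) before it runs its URL pattern match. The simple regex here stands in for whatever matching a real scanner performs and is not Safe Links' actual logic; the message body and the example.com / example.org addresses are constructed for the demonstration. Any URL that only appears after normalisation is a strong signal that someone is trying to hide it.

```python
import html
import re
import unicodedata

# Deliberately simple URL matcher; stands in for a scanner's pattern match.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def find_urls_naive(text):
    """Match URLs on the raw body, the way a scanner that ignores ZWSPs would."""
    return URL_RE.findall(text)


def invisible_chars(text):
    """List (offset, Unicode name) of every format-category (Cf) code point
    after HTML entity decoding. Cf includes U+200B, U+200C, U+200D and U+FEFF."""
    decoded = html.unescape(text)
    return [
        (i, unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(decoded)
        if unicodedata.category(ch) == "Cf"
    ]


def normalize(text):
    """Decode entities, drop format characters, then NFKC-fold look-alikes
    such as the full-width digit zero (U+FF10) to their ASCII form."""
    decoded = html.unescape(text)
    stripped = "".join(ch for ch in decoded if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", stripped)


def find_urls_hardened(text):
    """Match URLs only after the body has been normalised."""
    return URL_RE.findall(normalize(text))


def scan_message(body):
    """Compare both passes; a URL visible only after normalisation is hidden."""
    naive = find_urls_naive(body)
    hardened = find_urls_hardened(body)
    hidden = [u for u in hardened if u not in naive]
    return {
        "naive_urls": naive,
        "hardened_urls": hardened,
        "hidden_urls": hidden,
        "invisible_count": len(invisible_chars(body)),
        "suspicious": bool(hidden),
    }


# Constructed sample: an HTML mail body with one URL broken up by zero-width
# entities and a full-width zero, followed by one ordinary URL.
SAMPLE_BODY = (
    "Please review your account: ht&#8203;tp://exam&#8204;ple.com/login\u200d?id=\uff10\n"
    "Also see https://docs.example.org/help"
)

if __name__ == "__main__":
    for key, value in scan_message(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

On the sample body the naive pass finds only the ordinary documentation link, while the hardened pass also recovers http://example.com/login?id=0 and reports it as hidden. Zero-width characters are not malicious on their own (ZWJ is used in emoji sequences, for instance), so the signal to alert on is a URL that exists only after normalisation, not the mere presence of the characters.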

Avanan have published a video on YouTube showing the attack working: www.youtube.com/watch?&v=H5vhe3H7n-w

Microsoft are currently looking at addressing this issue in a future update.

QA offer numerous cyber security courses that cover phishing attacks, what to look for and how to protect yourself. See our website for more details: cyber.qa.com
