Hackers Using Zero-Width Spaces to Bypass MS Office 365 Protection

Safe Links, which were designed to protect users from malware and phishing attacks are now being attacked by email scammers and cybercriminals with a simple technique.  

Safe Links was included in Office 365 as part of Microsoft’s Advanced Threat Protection solution.  Safe Links works by replacing all URLs in an incoming email with Microsoft-owned secure URLs.  

Which means, every time a user clicks on a link provided in an email, Safe Links first sends them to a Microsoft owned domain, where it will check the original link for anything suspicious. If Microsoft’s security scanners detect any malicious element, it then warns the users about it, and if not, it redirects them to the original link.

Researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365’s URL reputation check and Safe Links URL protection features by using Zero-Width SPaces (ZWSPs).

Supported by all modern web browsers, zero-width spaces are non-printing Unicode characters that typically used to enable line wrapping in long words, and most applications treat them as regular space, even though it is not visible to the eye.

Attackers are inserting multiple zero-width spaces in their malicious URLs, which breaks the URL pattern in a way that Microsoft does not recognize as a link.  

This link sends the user to a harvesting phishing website.  

The Z-WASP attack is another chain in a list of exploits, including the baseStriker and ZeroFont attacks, that are designed to confuse Microsoft Office 365 security.

If your company needs assistance securing Office 365 give us a call.

Close Menu