A new Business Email Compromise (BEC) operation aimed at Microsoft 365 consumers employs a variety of highly developed obfuscation techniques in phishing emails that can trick natural language processing filters and go unnoticed by users.
The operation, called One Font because of the way it conceals text in a one-point font size within mails, was initially spotted in September by cybersecurity researchers at email security firm Avanan.
According to a report issued by the researchers, threat actors are also hiding links within the Cascading Style Sheets (CSS) in their phishing emails.
This is yet another strategy used to baffle natural language filters such as Microsoft’s Natural Language Processing (NLP).
Cybersecurity specialist Jeremy Fuchs stated that the One Font operation also includes messages with links coded within the font> tag, and when combined with the other obfuscation tactics, reduces the potency of email filters that rely on natural language for evaluation.
This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see.
A Similar Campaign Was Discovered in 2018
In 2018, researchers identified a similar operation