Hackers Trick Outlook Into Showing Fake AV Scans

Published: 23/11/2024   Category: security




Researchers spot attackers using an existing phishing obfuscation tactic in order to better ensure recipients fall for their scam.



Threat actors are employing an existing technique of zero-point font obfuscation in a new way to fool Microsoft Outlook users into believing phishing emails have successfully been vetted by antivirus scans.
The technique could improve the likelihood that phishing emails will not only slip past security protections, but also trick recipients into falling for scams.
SANS Internet Storm Center analyst Jan Kopriva came across a phishing email that used text written in a font with zero-pixel size (an obfuscation technique first documented by researchers at Avanan, a Check Point company, in 2018 and dubbed ZeroFont Phishing) being used in quite a novel way, he wrote.
Attackers have long embedded text with zero font size in phishing emails to break up text written in a normal, visible way, making it harder for automated email scanning systems like the one used by Outlook to detect suspicious messages. However, the ZeroFont technique observed by Kopriva had an altogether different intent.
"It wasn't intended to hinder automated scanners from identifying the message as potentially fraudulent/malicious, but instead to make the message appear more trustworthy to the recipient," he wrote in his post.
The technique alters the text that typically would be shown in the listing pane of Outlook, which appears to the left, adjacent to the body of messages, and gives users clues to what's in the message, explained Kopriva, also with Czech Republic's Nettles Consulting.
Rather than display merely the usual email subject line and the beginning of the message text, which may have alerted the user to a phishing scam, the listing pane displayed the subject line and then another line of text indicating that the message had been scanned and secured by a threat protection service.
Embedding tiny-sized text in the zero- or one-point font range (another technique discovered by Avanan, dubbed One Font) is one of many ways threat actors have devised to create more evasive and sophisticated phishing scams. The tiny font size breaks email-scanning techniques that depend on semantic analysis, confusing the system, while email recipients don't detect the text because it's too small to read.
In the phishing email that Kopriva observed, attackers cleverly included text indicating the verification of the message (that is, "Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM") in zero font size before the text of the message, he said.
This created a scenario in which text that appears to confirm the message as secure was visible to the user in the message's listing pane in Outlook, below the message subject line, rather than the actual first line of the phishing email message, which is displayed on the right-hand side of the screen in the user interface.
The technique demonstrates attackers abusing a characteristic of how Outlook displays email-message text, Kopriva explained.
"It seems that Outlook (and likely other [mail user agents]) displays any text which is present at the beginning of a message in the listing view, even if it has zero font size, which can unfortunately be (mis)used," he wrote.
Kopriva acknowledged that it's possible the tactic already has been used in the wild for some time.
"It is, in any case, one more small addition to the threat actor toolbox which may be used to create more effective phishing campaigns, and it is therefore certainly good for us — as defenders — to be aware of it," Kopriva added.
Since the technique is already in practice by attackers, organizations conducting phishing-oriented security awareness courses should inform employees about the technique so they can easily spot any fraudulent messages that use it as a means of anti-detection, Kopriva added.
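
A defender-side check for the behaviour Kopriva describes, as an added example that is not from the article or the SANS post: it parses an HTML body, marks text styled with a zero- or one-point inline font size, and reports any such text that precedes the first visible text. The `audit` function, the regex and the sample body are assumptions made for illustration; CSS classes and `<style>` blocks are not evaluated.

```python
import re
from html.parser import HTMLParser
from itertools import takewhile

# font-size of 0 (any unit) or 1px/1pt: the ZeroFont / "One Font" range from the article.
TINY_FONT = re.compile(
    r"font-size\s*:\s*(?:0+(?:\.0+)?\s*[a-z%]*|0*1(?:\.0+)?\s*(?:px|pt))\s*(?:;|!|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}

class TextRuns(HTMLParser):
    """Collects (hidden, text) runs in document order from inline styles only."""
    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: True if text inside is tiny
        self.runs = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or bool(TINY_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            self.runs.append((bool(self.stack) and self.stack[-1], text))

def audit(html_body):
    """Report text a listing pane could show that the reading pane does not."""
    parser = TextRuns()
    parser.feed(html_body)
    parser.close()
    hidden_lead = " ".join(t for _, t in takewhile(lambda r: r[0], parser.runs))
    visible = " ".join(t for hidden, t in parser.runs if not hidden)
    return {"hidden_lead": hidden_lead, "visible_text": visible,
            "suspicious": bool(hidden_lead)}

# Constructed sample message body (not taken from the reported email).
SAMPLE = ('<html><body><div>'
          '<span style="font-size:0px">Scanned and secured by Example Threat Protection</span>'
          '<p>Please review the attached document.</p></div></body></html>')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Legitimate marketing mail often hides preheader text with similar styling, so treat the flag as one signal for triage rather than a verdict.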
