
ZeroFont is another way to bypass Office 365's email security

Another long-standing hacker's trick still works against Microsoft’s much-hyped Office 365 email security. ZeroFont is a simple way to hide text that might trigger a security alert.

Source: GIF animation from Avanan

Office 365 has been an increasing target for hackers, especially as more people and organizations sign up for the Microsoft hosted service.

Avanan is reporting that Microsoft’s ‘natural language processing’ of incoming emails can be fooled by a high school kid after a few ‘Web Design 101’ classes.

It’s deeply worrying that Microsoft, for all its talk about security, isn’t guarding customers against common hacker tricks that have been around for years. In May we told you about BaseStriker, which is simple to do and easy to check for, yet Microsoft’s Office 365 wasn’t doing this basic security test.

Like BaseStriker, ZeroFont is easy for anyone who has done a basic HTML class.

What it means

It’s just another example of why it’s important to discount the hype and assurances about computer security services. Use your own common sense and be wary of all incoming emails.

Since Microsoft effectively disabled the Junk-Email filter in Outlook for Windows, it’s vital that the spam and virus checks done at your mail host are effective.

How ZeroFont works

One email security check is to look for differences between the From address of an email and key text in the message.

For example, an email that says ‘Copyright 2018 Ford Motor Company’ isn’t likely to be real if it comes from an or address.

Hackers look for a way to fool the security software into seeing text differently to what humans see. That’s where the old ZeroFont hacker's trick comes in.

It’s as simple as formatting some text with a font size of zero to hide trigger words.

Micro<span style="font-size: 0px">whatevermisleadingtextyouwant</span>soft

Humans would see the word ‘Microsoft’ but their email security software sees ‘Microwhatevermisleadingtextyouwantsoft’.
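A mail filter can close this gap by working out what a reader will actually see before it runs its content checks. The following is an added example, not code from Avanan, Microsoft or the original article: it separates zero-font-size text from visible text and flags the message when hidden text is present. The names `ZeroFontParser`, `analyse` and `SAMPLE` are hypothetical, and the sample body is constructed around the snippet above.

```python
import re
from html.parser import HTMLParser

# font-size of exactly zero in any unit, e.g. "font-size:0", "font-size: 0px", "font-size:0.0pt"
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|pt|em|rem|%)?\s*(;|$|!)", re.I)
# Elements that never get a closing tag, so they must not be pushed on the stack
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr", "area", "base", "col"}

class ZeroFontParser(HTMLParser):
    """Splits an HTML body into the text a reader sees and the text hidden at size zero."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one flag per open element: rendered at zero size?
        self.raw, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        # Simplification: a child of a zero-size element is treated as hidden too
        parent_hidden = bool(self.stack) and self.stack[-1]
        self.stack.append(parent_hidden or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)  # what a tag-stripping scanner reads
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def analyse(html_body):
    """Return raw text, reader-visible text, hidden runs and a verdict."""
    p = ZeroFontParser()
    p.feed(html_body)
    p.close()
    hidden = [h for h in p.hidden if h.strip()]
    return {"raw": "".join(p.raw), "visible": "".join(p.visible),
            "hidden": hidden, "suspicious": bool(hidden)}

# Constructed sample body, built around the snippet shown on this page
SAMPLE = ('<p>Copyright 2018 Micro<span style="font-size: 0px">'
          'whatevermisleadingtextyouwant</span>soft</p>'
          '<p style="font-size: 10px">Quarterly report attached</p>')

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:>10}: {value!r}")
```

Brand and keyword checks should then run on the `visible` string, with `suspicious` treated as a signal in its own right, since legitimate mail rarely needs zero-size text in the middle of a word.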

Not all software falls for the ZeroFont trick. Google’s web search ignores such hacks and Microsoft’s own SharePoint Designer disregards ‘0pt’ font sizes to display the text in full.

From Microsoft Office SharePoint Designer

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.