Check that email carefully — experts warn anti-phishing tools in Microsoft 365 can be easily bypassed

(Image credit: Shutterstock)

Microsoft Outlook users have been warned to take extra care when opening emails from unfamiliar sources following a report claiming its anti-phishing tools can be easily exploited.

A report from Certitude researchers William Moody and Wolfgang Ettlinger has shown how anti-phishing measures in Microsoft 365 can be easily exploited and bypassed, potentially allowing criminals the chance to target victims with malicious emails.

The team says it reported its findings to Microsoft, but the company has chosen to not address it just yet, meaning Outlook users could be at risk.

Anti-phishing flaws

The Certitude team outlined how the flaw lies with the "First Contact Safety Tip" feature in Outlook, a pop-up alert that appears when a user receives an email from an unfamiliar address, taking the form of a message reading “You don’t often get email from xyz@example.com. Learn why this is important”

The alert is appended to the main body of the email, but Certitude warns this means it could be manipulated using Cascading Style Sheets (CSS) embedded within the body of the message itself.

The team found certain HTML rules are able to hide anchor tags to stop the alert from being displayed when a link is included, but also changing the font color to white, and font size to zero, hiding the alert.

A third rule also makes any td element within the tbody of a table have a white background and white text, effectively making the content blend into the background and thus appear invisible.

Enforcing all these CSS rules could therefore mean a phishing email is sent without the alert warning the victim.

At the other end of the spectrum, Certitude also discovered adding more HTML code spoofing the official icons used by Microsoft Outlook on encrypted or signed emails can make a phishing message appear even more secure.

The team says it contacted Microsoft concerning its findings, and received the following statement, "We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products."

More from TechRadar Pro

Python Q&A site StackExchange hijacked to spread malware disguised as answers
Enhance your security with the best endpoint protection tools
Proofpoint email filter flaw exploited to send out millions of phishing messages

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.

Latest

A screenshot of Astro on a DualSense-shaped rocket ship in the game Astro Bot

More cameos have been spotted in Astro Bot's credits as game director confirms free DLC

See more latest ►

Anti-phishing flaws

Are you a pro? Subscribe to our newsletter

More from TechRadar Pro

Most Popular