ZeroFont: How This Vulnerability Slips Past Google and Microsoft Filters


Share on facebook
Share on twitter
Share on linkedin

You may not realise it, but your email does a great job at filtering out scams for you. By using filters that search for certain markers, the vast majority of phishing emails get marked as spam and you never see them.

This filtering does a great job of protecting users, especially those who haven’t had much anti-phishing training. Someone can’t get tricked by a phishing email if they never receive it, can they?

Hackers aren’t fans of these pesky filters, and they are always trying to find new ways to get around them. After all, these filters are seriously limiting their ability to make money through scams.

There are a range of techniques that they use to try and beat the filters, but one that we’ve seen pop up more frequently this year is called ZeroFont. It’s an old technique, but it’s proven itself particularly adept at fooling Microsoft Office 365’s filters.

How Does ZeroFont Work?

Microsoft uses natural language processing as part of its defence against spam. It searches through emails for any signs of fraud or deception, analysing the context of the email body alongside the entity that sent it. It carefully scrutinises emails that ask for passwords to be reset, bank details to be entered, or other major changes, in order to verify whether an email is in fact legitimate.

If you receive an email that says Copyright Facebook Inc. at the bottom, but it hasn’t been sent through Facebook’s legitimate channels, the natural processing filter will think something dodgy is going on and mark the email as a scam, keeping it from entering the inbox.

These days, natural language processing is pretty effective, which has driven attackers to find creative ways of getting around it. With ZeroFont, they use an old trick to make Microsoft’s filters see something different to what the user will see. They take something like Copyright Facebook Inc., and throw in a bunch of letters set at size zero amongst them.

By doing this, Microsoft’s filters will read something like:

Copyjhdfkljhalds rightlkqwehFace kjaslk bookieuw rioy Incmwe.

You will see this:

Copyright Facebook Inc.

The above sentence might not raise any alarm bells for the filter, so it lets the email go through to the recipient’s inbox. When the recipient opens the email, they can’t see all of the size zero letters that the filter can, and instead they see Copyright Facebook Inc.

Attackers create entire emails using this technique, splitting up their phishing email with size zero text to trick the filters. By doing this, something as blatant as the following might be able to get through:

Hello friend,

I am a Nigerian Prince and I need your help. I have $10 million, but I am having difficulty getting it out of my country. If you will please help me by sending $5000 to account no. 9874317749, I will be able to get the money out of my country. For your help, I will happily reward you with $1 million for being such a good person.

With all of the size zero font, Microsoft’s filters will be reading something completely different. Even though they are well tuned to look for scams in normal text, when it is broken up with other characters, the job becomes much more challenging and phishing emails manage to slip past.

Protecting Your Business

Your filters are great at removing most phishing emails, but techniques such as ZeroFont can still be used to get some through. That’s why it’s important for all of your staff to have comprehensive cyber security training. This training can help your employees identify common attacks like phishing and show them the best practices to follow. Contact Gridware to make sure your employees know how to keep safe from phishing.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.