Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Mike Moore

Check that email carefully — experts warn anti-phishing tools in Microsoft 365 can be easily bypassed

Shutterstock.com / kanlaya wanon.

Microsoft Outlook users have been warned to take extra care when opening emails from unfamiliar sources following a report claiming its anti-phishing tools can be easily exploited.

A report from Certitude researchers William Moody and Wolfgang Ettlinger has shown how anti-phishing measures in Microsoft 365 can be easily exploited and bypassed, potentially allowing criminals the chance to target victims with malicious emails.

The team says it reported its findings to Microsoft, but the company has chosen to not address it just yet, meaning Outlook users could be at risk.

Anti-phishing flaws

The Certitude team outlined how the flaw lies with the "First Contact Safety Tip" feature in Outlook, a pop-up alert that appears when a user receives an email from an unfamiliar address, taking the form of a message reading “You don’t often get email from xyz@example.com. Learn why this is important”

The alert is appended to the main body of the email, but Certitude warns this means it could be manipulated using Cascading Style Sheets (CSS) embedded within the body of the message itself.

The team found certain HTML rules are able to hide anchor tags to stop the alert from being displayed when a link is included, but also changing the font color to white, and font size to zero, hiding the alert. 

A third rule also makes any td element within the tbody of a table have a white background and white text, effectively making the content blend into the background and thus appear invisible.

Enforcing all these CSS rules could therefore mean a phishing email is sent without the alert warning the victim.

At the other end of the spectrum, Certitude also discovered adding more HTML code spoofing the official icons used by Microsoft Outlook on encrypted or signed emails can make a phishing message appear even more secure.

The team says it contacted Microsoft concerning its findings, and received the following statement, "We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products."

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.