Z-WASP attack: Phishers are using a recently fixed flaw in
Office 365 that allows them to bypass protections using zero-width spaces and
deliver malicious messages to recipients.
Microsoft recently fixed a vulnerability in Office 365 that
was exploited by attackers to bypass existing phishing protections and deliver
malicious messages to victims’ inboxes.
The vulnerability is tied to the use of zero-width spaces
(ZWSPs) in malicious URLs within the RAW HTML of the emails. This trick splits
the URLs, making it impossible for defence systems to detect malicious
Experts pointed out that both URL reputation check and Safe
Links protections are bypassed using this technique.
The bad news is that the recipient would not be able to
detect the spaces because they are not rendered.
Experts from cloud-security firm Avanan first observed a
campaign abusing this issue on November 10. Microsoft addressed the issue on
“The name Z-WASP references the zero-width space () that
hackers added to the middle of a malicious URL within the RAW HTML of the
email. With all these special characters breaking up the URL, Microsoft email
processing didn’t recognize the URL for what it was, so domain reputation
checks and Safe Links didn’t apply,” reported Avanan.
“Z-WASP emails flooded inboxes around November 10, when we
detected the problem. And since these zero-width spaces don’t render, the
recipient couldn’t see the random special characters in the URL.”
Experts discovered the flaw when they noticed a large number of
phishers using zero-width spaces (ZWSPs) to obfuscate links in malicious emails
to Office 365.
“The vulnerability was discovered when we noticed a large
number of hackers using zero-width spaces (ZWSPs) to obfuscate links in
phishing emails to Office 365, hiding the phishing URL from Office 365 Security
and Office 365 ATP,” continues the analysis published by Avanan.
ZWSPs are characters that render as spaces of zero width;
they could be described as “empty space” characters. There are 5 ZWSP entities, namely
(Zero-Width Space), (Zero-Width Non-Joiner), (Zero-Width Joiner),
(Zero-Width No-Break Space), and ０(Full-Width
Experts explained that in raw HTML form, ZWSPs appear like
a mishmash of numbers and special characters randomly inserted between the
letters of a word or a URL. Once rendered in the web browser, they appear as
ZWSPs are part of ordinary formatting on the Internet: they
are used for fingerprinting articles and documents, formatting foreign
languages, and breaking long words at the end of a line and continuing them on
the next line.
In the campaigns observed by the experts, phishers added
the Zero-Width Non-Joiner () in the middle of a malicious URL within the RAW
HTML of an email; the email processing system did not recognize the URL for
what it was, so domain reputation checks and Safe Links were bypassed.
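The following is an added example, not code from the article or from Avanan, showing the defender-side check the technique calls for: decode the HTML entities of a raw message body, strip the zero-width code points (U+200B, U+200C, U+200D and U+FEFF, which are the Unicode values for the four named entities; the code points are a known fact, not taken from the page), and then extract URLs from the normalized text. A link that changes after normalization is the signal that its domain was split, so reputation checks should run against the cleaned hostname rather than the raw one. The sample HTML fragment and its `example.test` domain are constructed for the example.

```python
import html
import re

# Zero-width code points (fact, not from the page): U+200B ZERO WIDTH SPACE,
# U+200C ZERO WIDTH NON-JOINER, U+200D ZERO WIDTH JOINER, U+FEFF ZERO WIDTH NO-BREAK SPACE.
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff"
ZERO_WIDTH_RE = re.compile("[%s]" % re.escape(ZERO_WIDTH))

# Deliberately simple URL scanner; the point is what it sees before and after normalization.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: a raw HTML fragment whose link domain is broken up with
# numeric entities (&#8204; is U+200C, &#8203; is U+200B) and a literal U+200B.
SAMPLE_RAW_HTML = (
    "<p>Please verify your account:</p>"
    '<a href="http://login&#8204;.ex\u200bample.&#8203;test/verify">Sign in</a>'
)


def decode_entities(raw_html):
    """Turn numeric/named HTML entities into the characters they stand for."""
    return html.unescape(raw_html)


def strip_zero_width(text):
    """Remove every zero-width code point so the text matches what a reader sees."""
    return ZERO_WIDTH_RE.sub("", text)


def extract_urls(raw_html):
    """URLs as a naive scanner sees them: entities decoded, zero-width characters kept."""
    return URL_RE.findall(decode_entities(raw_html))


def extract_normalized_urls(raw_html):
    """URLs after entity decoding and zero-width stripping."""
    return URL_RE.findall(strip_zero_width(decode_entities(raw_html)))


def hostname(url):
    """Host part of a URL, i.e. what a domain reputation check must be run against."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].lower()


def find_zero_width_urls(raw_html):
    """Return (raw_url, normalized_url) pairs for every link that contained zero-width
    characters. A non-empty result means the rendered link looks clean while the
    raw bytes did not, which is exactly the case a reputation check would miss."""
    findings = []
    for url in extract_urls(raw_html):
        cleaned = strip_zero_width(url)
        if cleaned != url:
            findings.append((url, cleaned))
    return findings


if __name__ == "__main__":
    for raw_url, clean_url in find_zero_width_urls(SAMPLE_RAW_HTML):
        print("raw host:       %r" % hostname(raw_url))
        print("normalized host: %r" % hostname(clean_url))
        print("flag: zero-width characters inside URL")
```

Run stand-alone, the script shows the raw hostname still carrying the invisible code points and the normalized hostname `login.example.test` that any reputation or Safe Links style lookup should actually be given; a gateway rule can treat a non-empty `find_zero_width_urls` result as a block-or-quarantine condition on its own, since legitimate links have no reason to contain these characters inside the domain.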
The messages used in the campaign included links pointing
to phishing pages used to harvest credentials of Chase Bank customers.
The recently observed Z-WASP attack is an evolution
of other techniques observed by Avanan, like the baseStriker technique and the