Researchers discovered a new type of advance phishing attack that taking advantages of office 365 vulnerability to bypass all the Microsoft security even though users implemented the Advanced Threat Protection (APT)
Phishing attacks one of the most frequently targeting millions of users nowadays and this attack left all the Office 365 users vulnerable since the attack is more sophisticated and persistent.
Z-WASP vulnerability , a type of Security bypass method which is used by most of the cybercriminals around the world to embedded the obfuscate links within the phishing emails.
It helps attackers to evade the phishing URL from Office 365 Security and Office 365 ATP, also it has the ability to bypass an Office 365’s URL reputation check and Safe Links URL protection.
Even though Z-WASP vulnerability effect is very simple structure, impact of its attack is highly destructive
Zero-Width Spaces (Z-WASP)
Z-WASP is a method of hiding special characters in empty space which means that render to spaces of zero-width.
There are 5 ZWSP entities:
- ​ (Zero-Width Space)
- ‌ (Zero-Width Non-Joiner)
- ‍ (Zero-Width Joiner)
- ﻿ (Zero-Width No-Break Space)
- ０ (Full-Width Digit Zero)
Working Method of Z-WASP Phishing Attacks
Further analysis conducted with the Z-WASP implemented Phishing emails reveal that middle of the malicious URL’s contain Zero-Width Non-Joiner (
( ) that considers as a legitimate URL by Office 365 ATP security check.
This Phishing URL delivered to targeted users via email but unfortunately users cannot see the ZWSPs in the URL.
here you can see the how www.google.com viewed URL that containing ZWSPs to Microsoft
Here you can see the complete demo video:
The Z-WASP attack is another chain in a list of exploits that are designed to obfuscate malicious content and confuse Office 365 security. Two similar exploits uncovered last year include the baseStriker and ZeroFont attacks, Avanan said.