Researchers Find CSS Can Bypass Microsoft 365 Phishing Protection
Security experts from Certitude have demonstrated a method to bypass the anti-phishing protection in Microsoft 365 (formerly Office 365). As of now, these vulnerabilities remain unpatched.
How the Bypass Works
The researchers explained that it is possible to hide the First Contact Safety Tip warning. As the name suggests, the First Contact Safety Tip is designed to alert Outlook users when they receive emails from new contacts. The warning typically displays a message like: “You don’t often get email from [email protected]. Learn why this is important.”
The key point is that this warning is added directly to the main body of the email in HTML format, which opens the door for manipulation using CSS embedded in the message.
Hiding the Warning with CSS
According to Certitude, the warning can be easily hidden by changing the text and background color to white and setting the font size to zero, effectively making the warning invisible to the user.
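From the defender's side, the hiding trick described above leaves a footprint in the message itself: a CSS rule or inline style that renders text invisible (zero font size, white text on a white background, or an explicit display:none). The following Python scanner, added here as an illustration and not code from Certitude's proof-of-concept or from Microsoft, walks an HTML email body, collects every style block and inline style attribute, and reports rules that would hide content. The class name PLACEHOLDER_safety_tip in the constructed sample stands in for whatever markup the real warning uses and is not Microsoft's; the regular expressions are deliberately simple heuristics and do not handle nested @media blocks.

```python
import re
from html.parser import HTMLParser

# Heuristic CSS checks for the hiding technique described in the article:
# zero font size, white-on-white text, or an element explicitly hidden.
# These are constructed illustration rules, not Microsoft's detection logic.
_WHITE = re.compile(
    r"^(?:#f{3}|#f{6}|white|rgba?\(\s*255\s*,\s*255\s*,\s*255\s*(?:,\s*[\d.]+\s*)?\))$",
    re.IGNORECASE,
)
_ZERO = re.compile(r"^0(?:\.0+)?(?:px|pt|em|rem|%)?$", re.IGNORECASE)
_DECL = re.compile(r"([a-zA-Z-]+)\s*:\s*([^;]+)")   # property: value
_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")         # selector { declarations }


def parse_declarations(css_block: str) -> dict:
    """Turn 'color: #fff; font-size:0 !important' into {'color': '#fff', 'font-size': '0'}."""
    decls = {}
    for prop, value in _DECL.findall(css_block):
        value = re.sub(r"\s*!important\s*$", "", value.strip(), flags=re.IGNORECASE)
        decls[prop.lower()] = value
    return decls


def hiding_reasons(css_block: str) -> list:
    """Return the reasons a CSS declaration block would make its text invisible."""
    d = parse_declarations(css_block)
    reasons = []
    if "font-size" in d and _ZERO.match(d["font-size"]):
        reasons.append("font-size is zero")
    # 'background' shorthand may carry more than a colour; only the first token counts.
    bg_tokens = (d.get("background-color") or d.get("background") or "").split()
    bg_first = bg_tokens[0] if bg_tokens else ""
    if "color" in d and _WHITE.match(d["color"]) and _WHITE.match(bg_first):
        reasons.append("white text on white background")
    if d.get("display", "").lower() == "none" or d.get("visibility", "").lower() == "hidden":
        reasons.append("element explicitly hidden")
    return reasons


class _EmailCssCollector(HTMLParser):
    """Collects <style> blocks and inline style attributes from an HTML body."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self._buf = []
        self.style_blocks = []    # full text of each <style> element
        self.inline_styles = []   # (tag name, style attribute text)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
            self._buf = []
        for name, value in attrs:
            if name == "style" and value:
                self.inline_styles.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
            self.style_blocks.append("".join(self._buf))

    def handle_data(self, data):
        if self.in_style:
            self._buf.append(data)


def scan_email_html(html: str) -> list:
    """Return (where, reasons) for every hiding rule found in the message body."""
    collector = _EmailCssCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for block in collector.style_blocks:
        for selector, body in _RULE.findall(block):
            reasons = hiding_reasons(body)
            if reasons:
                findings.append(("style rule " + selector.strip(), reasons))
    for tag, style in collector.inline_styles:
        reasons = hiding_reasons(style)
        if reasons:
            findings.append(("inline style on <%s>" % tag, reasons))
    return findings


def is_suspicious(html: str) -> bool:
    """True when any style in the message would render content invisible."""
    return bool(scan_email_html(html))


# Constructed sample messages. PLACEHOLDER_safety_tip is a hypothetical selector
# standing in for the warning banner's real markup, which this code does not know.
BENIGN_EMAIL = """<html><head><style>
p { font-family: Arial; font-size: 14px; color: #333; }
</style></head><body><p>Hi, the invoice is attached.</p></body></html>"""

HIDING_EMAIL = """<html><head><style>
.PLACEHOLDER_safety_tip { color: #ffffff; background-color: white; font-size: 0; }
</style></head><body>
<div class="PLACEHOLDER_safety_tip">You don't often get email from ...</div>
<p style="display:none">hidden block</p>
<p>Please review the attached document.</p></body></html>"""

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_EMAIL), ("hiding", HIDING_EMAIL)):
        print(name, is_suspicious(msg), scan_email_html(msg))
```

A mail gateway would run scan_email_html over the text/html part of each inbound message and either quarantine or annotate anything that returns findings; legitimate newsletters do occasionally use font-size:0 for layout, so treating a hit as a scoring signal rather than a hard block keeps false positives manageable.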
Imitating Security Icons
Taking this idea further, the researchers found they could add extra HTML code to emails to mimic the icons that Microsoft Outlook uses for encrypted and signed messages, making the emails appear more secure. While some formatting limitations prevent a perfect visual match, this trick can still help bypass less thorough checks.
No Known Exploitation Yet
The researchers noted that they are not aware of any real-world exploitation of these bugs and did not find a way to manipulate the HTML to display arbitrary text in the email.
Microsoft’s Response
Certitude reported their findings to Microsoft, providing a proof-of-concept and a detailed report through the Microsoft Researcher Portal (MSRC). Microsoft responded:
“We have determined that your information is valid but does not meet our criteria for immediate action, as the issue is primarily applicable to phishing attacks. However, we have noted this information for further review to improve our products.”