Microsoft 365 anti-phishing measures can be bypassed, finds study  

The Microsoft anti-phishing feature alerts Outlook users when they receive emails from new contacts  

Published - August 08, 2024 03:33 pm IST

Microsoft’s anti-phishing measures in its 365 suite (formerly Office 365) can be bypassed. | Photo Credit: AP

Microsoft’s anti-phishing measures in its 365 suite (formerly Office 365) can be bypassed by embedding Cascading Style Sheets (CSS) in an email message.

Researchers demonstrated that the anti-phishing measure can be hoodwinked by manipulating the CSS within the HTML of the email.

The anti-phishing measure warns email recipients on Outlook when they receive a message from an unfamiliar address.

Researchers who discovered the flaw shared their findings with Microsoft, but the tech giant decided not to address it.

When CSS is embedded in an email, the warning message may not appear at all. The embedded CSS can also be used to make emails look as if they are encrypted or signed, so that they appear even more secure.

While the method is not reported to have been actively exploited, it could lead to users being tricked into opening and interacting with phishing emails on Outlook.

Microsoft, on its part, has stated that the issue does “not meet the bar for immediate servicing under our severity classification guidelines”, and that it is not a vulnerability as it relies on social engineering to be successful, a report from Bleeping Computer said.

The tech giant further added that it encourages users to practice good computing habits online and exercise caution when clicking on links to web pages.
