Microsoft’s anti-phishing measures in its Microsoft 365 suite (formerly Office 365) can be bypassed by embedding Cascading Style Sheets (CSS) in an email message.
Researchers demonstrated that the anti-phishing measure can be hoodwinked by manipulating the CSS within the HTML of the email.
The anti-phishing measure warns email recipients on Outlook when they receive a message from an unfamiliar address.
Researchers who discovered the flaw shared their findings with Microsoft, but the tech giant decided not to address it.
When CSS is embedded in an email, the warning shown to users may not appear at all. The embedded CSS can also be used to make an email appear as if it were encrypted or signed, making it look even more trustworthy than it is.
While the method is not reported to have been actively exploited, it could lead to users being tricked into opening and interacting with phishing emails in Outlook.
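A defensive check in that spirit, written as an added example for this article and not code from Microsoft or the researchers: it parses a raw message and flags embedded style rules that hide content, since the report says the bypass works by manipulating the CSS inside the email's HTML. The sample message and the list of hiding properties are constructed assumptions, not the specific CSS used in the research.

```python
import email
import re
from email import policy

# Constructed sample mail (not a real message): its <style> block hides
# generic table cells, the kind of rule that could suppress an injected
# warning banner rendered as part of the email's HTML.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>
  table td { display: none; font-size: 0; }
  .body-text { font-size: 14px; color: #333; }
</style></head>
<body><table><tr><td>warning placeholder</td></tr></table>
<p class="body-text">Please review the attached invoice.</p></body></html>
"""

# CSS declarations that make content invisible or effectively unreadable
# (assumed list for this example; extend to match your mail pipeline).
HIDING_RULES = {
    "display": {"none"},
    "visibility": {"hidden"},
    "font-size": {"0", "0px", "0pt", "0em", "0%"},
    "opacity": {"0"},
}

STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def hiding_rules(html: str) -> list[tuple[str, str]]:
    """Return (selector, declaration) pairs from <style> blocks that hide content."""
    hits = []
    for block in STYLE_BLOCK.findall(html):
        for selector, body in CSS_RULE.findall(block):
            for decl in body.split(";"):
                if ":" not in decl:
                    continue
                prop, value = (s.strip().lower() for s in decl.split(":", 1))
                if value in HIDING_RULES.get(prop, ()):
                    hits.append((selector.strip(), f"{prop}:{value}"))
    return hits


def scan_eml(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and scan every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(hiding_rules(part.get_content()))
    return findings
```

A mail gateway could quarantine or tag messages where such rules target broad selectors like `td` or `table`, which legitimate newsletters rarely need to hide.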
Microsoft, on its part, has stated that the issue does “not meet the bar for immediate servicing under our severity classification guidelines”, and that it is not a vulnerability as it relies on social engineering to be successful, a report from Bleeping Computer said.
The tech giant further added that it encourages users to practice good computing habits online and exercise caution when clicking on links to web pages.
Published - August 08, 2024 03:33 pm IST