Check that email carefully — experts warn anti-phishing tools in Microsoft 365 can be easily bypassed

Microsoft Outlook users have been warned to take extra care when opening emails from unfamiliar sources following a report claiming its anti-phishing tools can be easily exploited.

A report from Certitude researchers William Moody and Wolfgang Ettlinger has shown how anti-phishing measures in Microsoft 365 can be easily exploited and bypassed, potentially allowing criminals the chance to target victims with malicious emails.

The team says it reported its findings to Microsoft, but the company has chosen to not address it just yet, meaning Outlook users could be at risk.

Anti-phishing flaws

The Certitude team outlined how the flaw lies with the "First Contact Safety Tip" feature in Outlook, a pop-up alert that appears when a user receives an email from an unfamiliar address, taking the form of a message reading “You don’t often get email from xyz@example.com. Learn why this is important”

The alert is appended to the main body of the email, but Certitude warns this means it could be manipulated using Cascading Style Sheets (CSS) embedded within the body of the message itself.

The team found certain HTML rules are able to hide anchor tags to stop the alert from being displayed when a link is included, but also changing the font color to white, and font size to zero, hiding the alert.

A third rule also makes any td element within the tbody of a table have a white background and white text, effectively making the content blend into the background and thus appear invisible.

Enforcing all these CSS rules could therefore mean a phishing email is sent without the alert warning the victim.

At the other end of the spectrum, Certitude also discovered adding more HTML code spoofing the official icons used by Microsoft Outlook on encrypted or signed emails can make a phishing message appear even more secure.

The team says it contacted Microsoft concerning its findings, and received the following statement, "We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products."

More from TechRadar Pro

• Python Q&A site StackExchange hijacked to spread malware disguised as answers
• Enhance your security with the best endpoint protection tools
• Proofpoint email filter flaw exploited to send out millions of phishing messages