Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net

Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks. William Moody, IT security consultant at Certitude, blogged today about how First Contact Safety Tip – a banner displayed in Outlook when a user receives a message from an address that …
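From the defender's side, the point of the research is that CSS inside a message body can restyle what the recipient sees. As an added example (not from the article or from Certitude's research), here is a gateway-side check that parses the `<style>` blocks and inline `style` attributes of an HTML body and flags declarations that make content invisible. The property list, the constructed sample message and the name `find_hidden_content_rules` are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: declarations that make an element invisible or unreadable.
HIDING_DECLS = {
    "display": {"none"},
    "visibility": {"hidden", "collapse"},
    "opacity": {"0", "0.0"},
}
ZERO_SIZE = re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$")
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)  # selector { declarations }


class _StyleCollector(HTMLParser):
    """Collect every <style> block and every inline style attribute."""
    def __init__(self):
        super().__init__()
        self.in_style, self.sheets, self.inline = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        self.inline += [(tag, v) for n, v in attrs if n == "style" and v]

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.sheets.append(data)


def _hiding_declarations(block):
    """Yield (property, value) pairs in one declaration block that hide content."""
    for decl in block.split(";"):
        if ":" not in decl:
            continue
        prop, value = (s.strip().lower() for s in decl.split(":", 1))
        value = value.replace("!important", "").strip()
        zero_sized = prop in ("font-size", "height", "width", "max-height") and ZERO_SIZE.match(value)
        if value in HIDING_DECLS.get(prop, ()) or zero_sized:
            yield prop, value


def find_hidden_content_rules(html):
    """Return (selector, property, value) findings for CSS that hides content."""
    parser = _StyleCollector()
    parser.feed(html)
    findings = []
    for sheet in parser.sheets:
        sheet = re.sub(r"/\*.*?\*/", "", sheet, flags=re.S)  # drop CSS comments
        for selector, body in RULE.findall(sheet):
            findings += [(" ".join(selector.split()), p, v) for p, v in _hiding_declarations(body)]
    for tag, style in parser.inline:
        findings += [(f"<{tag} style>", p, v) for p, v in _hiding_declarations(style)]
    return findings


# Constructed sample message: a stylesheet rule blanks table cells, and an
# inline style zeroes the body font size.
SAMPLE_EMAIL = """<html><head><style>
  table td { display: none !important; }
  a { color: #000000; }
</style></head>
<body style="font-size:0">Hi, please review the attached invoice.</body></html>"""
```

A message with no such declarations yields an empty list, so the function can gate a quarantine or tagging rule.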

  1. speleothem
    Flame

    Email is for text

    Can anybody tell me, is there ANY legitimate use case for anything other than plain text in the subject line or body of an email message?

    Allowing anything that isn't human-readable, anything that's unannounced executable code, is an open invitation to abuse.

    Attachments are an obvious exception, but we ought to be quarantining and sandboxing those by default anyway. Unfortunately, mainstream email clients open attachments by default without asking the user first.

    I hear China is launching a new satellite constellation. If they're going to be the next global military superpower, they ought to use that power for good by nuking HTML email from space ;-) While they're at it, they should nuke emojis from space as well!

    1. sitta_europea Silver badge

      Re: Email is for text

      I *only* read emails in plain text. Even the ones sent in HTML (if I can be bothered - usually I can't).

      1. Grogan Silver badge

        Re: Email is for text

        I use a mail program (Sylpheed... pry it from my stiff, dead fingers) that strips out most of the crap in HTML messages and gives you plain text, or an HTML alternative with hyperlink text and stuff. If you really need the original message, it's still there in the encoding; it can be saved as a file (or view message source). Between all that, there has never been a message I couldn't deal with (I've been using this since 2001).

        I don't like html emails.

    2. Rich 2 Silver badge

      Re: Email is for text

      Errrrr…. Nope. I’m afraid I can’t tell you

    3. claimed Silver badge

      Re: Email is for text

      Tables are useful, general formatting. Images are very useful, and I don’t mind them displaying but I want them in the message so they can be scanned and don’t call out to let people know I’ve opened the email.

      I get that there are downsides, but all this attitude does is cause people to look to third party tools to send the messages they want, which then means more attack surface.

      I want to use emojis, I want to use tables, I want to use images. If email can’t do it, I don’t want email.

  2. Pascal Monett Silver badge

    So, anti-phishing measures are a simple HTML thing

    I realize that this is way easier than coding an analysis into the Outlook client that measures what already exists and pops up a non-hackable alert when a new email address is discovered.

    Now tell me why Redmond decided not to do that.

    I mean, I'm an average developer and I'm pretty sure I could do that, so ?

    1. wolfetone Silver badge

      Re: So, anti-phishing measures are a simple HTML thing

      To be fair a lot of these "anti-" whatever are always in response to something, never in anticipation of it. Often, really, if we go and say "We need to do X for the possibility of Y", we're asked if "Y" is an actual threat or used in the wild. We will go "no, but it could be", the answer will generally be "We'll do Y when it happens". Because then, when it gets exploited, the gaffer can always release a press statement saying "We were the victim of a sophisticated attack..."

      1. Anna Nymous

        Re: So, anti-phishing measures are a simple HTML thing

        > the gaffer can always release a press statement saying "We were the victim of a sophisticated attack..."

        With an additional rider of "... which no-one could have foreseen"

    2. Anonymous Coward

      Re: So, anti-phishing measures are a simple HTML thing

      To be fair, Outlook is just a browser container; it stopped being a proper app quite a while ago.

      The menu and everything are HTML junk, that's why different parts of it go blank until you close and restart it sometimes.

      The HTML render engine is just really bad.

  3. b0llchit Silver badge
    Facepalm

    Priorities, yes...

    ...does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks...

    Between the letters was embedded another message reading: You must present us with a ClownStrike scale event with proof of loss of business tabulated and sent in triplicate(*) to get to the top of the list.

    Do they ever learn(**)?

    (*) it helps if it has been sent in, sent back, queried, lost, found, sent to public enquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters(***)

    (**) obviously a rhetorical question

    (***) let's just feed all MS software to the Ravenous Bugblatter Beast of Traal and call it a day

  4. sitta_europea Silver badge

    At least half of the HTML email spam I see uses tricks similar to this to try to defeat my anti-spam measures.

    It all fails.

    Why do I see the spam, you ask? So that I can confirm that it's reported correctly.

  5. captain veg Silver badge

    oddly enough

    I use a similar CSS trick to hide the embarrassingly braindead pseudo-legalese corporate disclaimer that my employer insists on appending to all outbound messages.

    -A.

  6. ecofeco Silver badge
    Facepalm

    Hahahahahahahahahaha

    Bwhahahahahahahahahahahahahah

    *gasp*

    FFS. Effing morons.
