Hello and welcome to the Wednesday, September 27, 2020,

3 edition of the Sansonet Stormontas.

Stormcast, my name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida.

Xerofan fishing is a technique that has been around for a few years.

Typically, the way it's used is that NetHacker is inserting text into a fishing email

with a font size of zero.

The usual goal of this text is to just break up the fishing text with that making it more

difficult for systems that are trying to detect fishing

to identify a particular email as a fish. The automatic systems won't really recognize that

the font size is zero, so they consider this text valid, but a human user will not see this text, so they'll just basically see the text

that the attacker wants them to see, and that's then the phishing email.

Jan today wrote up a diary that looks at a new way how zero-size fonts are being used.

In particular, this variety of the attack appears to target

common mail clients that do have essentially sort of a little preview pane where they list

the subject, the sender of emails, and then typically like the first line of an email.

And that, of course, is often used by users to quickly scan

through their email and, well, hopefully like delete some emails like phishing emails

before they even sort of bother to open it. In this case, the attacker inserted a zero font size line as a first line in the email that basically sort of

seemed to indicate that this email was scanned by some advanced threat protection.

So this first line indicating that it was scanned by some kind of security gateway is using a font

size of zero. It's only visible in that preview list so that ignores the font size. It's not

...