Cybercriminals are bypassing email security filters by building phishing emails whose HTML source is laced with HTML entities for zero-width and soft-hyphen characters, so that keyword and URL matching on the raw message fails while the rendered message looks perfectly normal.
This new wave of attacks, dubbed “Shy Z-WASP” (after the &shy; soft-hyphen entity and the older Z-WASP zero-width-space trick), combines zero-width joiners and soft-hyphen entities to obfuscate malicious content, making it harder for automated systems, and for users who inspect the source, to identify phishing attempts.
Zero-width characters, such as the Zero-Width Joiner (U+200D, &zwj;), Zero-Width Space (U+200B, &#8203;), and Zero-Width Non-Joiner (U+200C, &zwnj;), are Unicode characters that take up no space when rendered and are invisible to the human eye, but are present as entities or raw code points in the underlying HTML.
Embedded inside URLs or keywords, they split a string that a scanner expects to see contiguously, so simple pattern matching by email security systems no longer fires.
Similarly, soft hyphens (U+00AD, &shy;), which a renderer shows only if it happens to break a line at that position, are used to split keywords or phrases that would otherwise trigger phishing filters.
In this attack, threat actors use these techniques to:
- Obfuscate URLs: Zero-width characters are inserted into malicious links, breaking them into unrecognizable patterns for security filters while remaining functional when clicked.
- Disguise Keywords: Suspicious phrases like “password expired” or “account verification” are split using soft hyphens, preventing detection by keyword-based scanning tools.
- Bypass Security Features: These methods circumvent URL reputation checks and Safe Links protections in platforms like Microsoft Office 365.
The Phishing Email Attack
According to a SANS report, a recent phishing email targeting corporate users exemplifies this technique. The email mimics a legitimate password expiration notice, urging recipients to click a link labeled “KEEP MY PASSWORD.”
While the email appears genuine at first glance, its HTML code reveals extensive use of zero-width joiners in the title and soft hyphens throughout the body text.
The message's authors used both techniques to divide the text: in the (slightly cleaned-up) sample quoted in the SANS report, zero-width joiners (&zwj;) appear in the title, while the soft-hyphen entity (&shy;) is used everywhere else in the body.
These manipulations allow the email to bypass filters while presenting a seamless appearance to recipients.
This attack highlights vulnerabilities in traditional email filtering systems that rely on pattern recognition or keyword matching. By exploiting invisible characters, attackers can evade detection without compromising the functionality or readability of their messages.
Mitigation Strategies
To combat these sophisticated phishing tactics, organizations should adopt a multi-layered defense strategy:
- Advanced Email Filtering: Implement filters that decode HTML entities and strip or count zero-width and soft-hyphen characters before keyword and URL matching, and machine learning-based filters capable of detecting obfuscated text and suspicious patterns in HTML code.
- User Awareness Training: Educate employees to examine suspicious emails in plain-text mode (Outlook, for example, renders messages in the Junk folder as plain text), where entity-obfuscated words and links stand out.
- Browser Extensions: Use tools like Chrome extensions that detect and highlight zero-width characters in web content.
- Regular Updates: Keep email security systems updated with the latest threat intelligence to recognize emerging tactics like Shy Z-WASP.
- Multi-Factor Authentication (MFA): Enforce MFA policies to mitigate risks even if credentials are compromised.
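The following is an added example, not code from the article or from the SANS report, showing both sides of the technique described above: a constructed HTML message in the Shy Z-WASP style (&zwj; in the title, &shy; inside body keywords, a zero-width space splitting a URL written as text) and the normalization step the "Advanced Email Filtering" bullet calls for. Keyword and URL matching is run twice, on the raw HTML source and on the text after entity decoding and removal of Unicode format characters (category Cf, which covers all the characters named above), so the difference shows what a raw-source scanner misses. The keyword list, the URL regex, the hostnames and the sample messages are all assumptions for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import urlparse

# Phrases a keyword-based filter might look for (illustrative list, not from the article).
KEYWORDS = ("password expired", "keep my password", "account verification")

# Deliberately naive URL extractor, standing in for a filter that scans raw
# HTML for links to feed into a reputation lookup.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample in the style the article describes: &zwj; in the title,
# &shy; inside body keywords, and a zero-width space (&#8203;) splitting a URL
# that appears as plain text. This is NOT the message from the SANS report.
SAMPLE_HTML = (
    "<html><head><title>Pass&zwj;word exp&zwj;ired</title></head><body>"
    "<p>Your pass&shy;word exp&shy;ired today. Complete the acc&shy;ount "
    "veri&shy;fication at https://login-example&#8203;.test/verify to keep "
    "your access.</p>"
    '<p><a href="https://login-example.test/verify">KEEP MY PASS&shy;WORD</a></p>'
    "</body></html>"
)

# A constructed benign control with the same wording and no invisible characters.
CLEAN_HTML = (
    "<html><body><p>Your password expired today. Visit "
    "https://login-example.test/verify to reset it.</p></body></html>"
)


def is_invisible(ch: str) -> bool:
    """True for Unicode 'format' characters (category Cf): soft hyphen U+00AD,
    zero-width space/joiner/non-joiner, word joiner, BOM, and similar."""
    return unicodedata.category(ch) == "Cf"


def invisible_report(raw_html: str) -> dict[str, int]:
    """Count invisible code points present once HTML entities are decoded."""
    counts: dict[str, int] = {}
    for ch in html.unescape(raw_html):
        if is_invisible(ch):
            name = unicodedata.name(ch, f"U+{ord(ch):04X}")
            counts[name] = counts.get(name, 0) + 1
    return counts


def normalize(raw_html: str) -> str:
    """Approximate what the recipient sees: entities decoded, invisible
    characters removed. Matching should run on this, not on the raw source."""
    return "".join(ch for ch in html.unescape(raw_html) if not is_invisible(ch))


def find_keywords(text: str) -> list[str]:
    lower = text.lower()
    return [k for k in KEYWORDS if k in lower]


def find_urls(text: str) -> list[str]:
    # dict.fromkeys deduplicates while keeping first-appearance order
    return list(dict.fromkeys(URL_RE.findall(text)))


def hostnames(urls: list[str]) -> list[str]:
    # On the raw source the entity fragments end up inside the "hostname",
    # so a reputation lookup would be done on a name that does not exist.
    return [urlparse(u).hostname or "" for u in urls]


def scan(raw_html: str) -> dict:
    """Run the same matching on raw and normalized text and report what
    only becomes visible after normalization."""
    normalized = normalize(raw_html)
    raw_keywords = find_keywords(raw_html)
    keywords = find_keywords(normalized)
    raw_urls = find_urls(raw_html)
    urls = find_urls(normalized)
    invisible = invisible_report(raw_html)
    return {
        "invisible": invisible,
        "invisible_count": sum(invisible.values()),
        "raw_keywords": raw_keywords,
        "keywords": keywords,
        "hidden_keywords": [k for k in keywords if k not in raw_keywords],
        "raw_hostnames": hostnames(raw_urls),
        "hostnames": hostnames(urls),
        # Strong signal: content that matches only after normalization.
        "suspicious": bool(invisible) and (
            any(k not in raw_keywords for k in keywords)
            or hostnames(urls) != hostnames(raw_urls)
        ),
    }


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(label, scan(body))
```

On the constructed sample, raw matching finds none of the three keywords and extracts a mangled hostname for the text URL, while the normalized text matches all three keywords and yields the single real hostname; the control message matches the same keyword raw and normalized and is not flagged. The count of invisible characters on its own is a weak signal, since legitimate mail uses &shy; for hyphenation and zero-width joiners occur inside emoji sequences, so the verdict keys on content that appears only after normalization.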
The use of zero-width characters and soft hyphens represents an evolution in phishing tactics, blending old techniques with new innovations.
While these attacks can often be identified by careful inspection of email formatting or underlying HTML code, they pose significant challenges for automated defenses.
Organizations must stay vigilant and proactive in adopting advanced security measures to counteract these threats effectively.