Don’t fall for it: new scam tries to convince you that your Microsoft password is about to expire

Threat actors fool humans and systems alike. Recently, Microsoft users have been bombarded with password expiration notifications carefully crafted by cybercriminals to harvest credentials.

When an email from Microsoft pops up in your inbox notifying you about an expired password, don’t rush to click on it. A new report suggests that threat actors have crafted a highly sophisticated technique designed to fool not only you but Microsoft’s Natural Language Processing filters as well.

Here’s what the malicious email looks like. Hackers present it as a password expiration notification from Microsoft. This email utilizes traditional social engineering tactics, such as urgent language, to get the user to act.

Scammers' email

"To the end-user, this email looks like a standard request from their IT department. The email is designed to fool both Natural Language Processing and human eyes. For a user to spot this attack, they should rely on their phishing training. They should notice the stilted grammar, such as "Notification Microsoft 365" as a red flag. They should also ask their IT department before resetting any passwords," Jeremy Fuchs, Cybersecurity Researcher at Avanan, A Check Point Company, told CyberNews via email.

Starting in September 2021, Avanan observed a new obfuscation attack in which the attackers use a font size of one to cloak text, as well as hide links within the CSS (Cascading Style Sheets).

In this attack, hackers utilize a number of obfuscation techniques to get a credential harvesting page through to the inbox.

First, all links are hidden within the CSS. This confuses natural language filters: they see random text, while human readers see what the attackers want them to see.

Links hidden within the CSS (screenshot in the original article)

When this is done, natural language filters see gibberish; end-users see a fully rendered email.

In addition, hackers put links within the tag and bring the font size down to one. This breaks semantic analysis, leading many solutions to treat the message as a marketing email rather than phishing.


This obfuscation tactic is only one of many designed to fool Microsoft’s Natural Language Processing. In 2018, Avanan researchers discovered the ZeroFont phishing technique, in which hackers insert hidden words, all with a font size of zero, that are invisible to the recipient but fool Microsoft’s Natural Language Processing. Over the past several years, Avanan analysts have noticed and written about a number of other new obfuscation tactics.
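The tiny-font, display:none and ZeroFont tricks described above all exploit the gap between the text a rendering engine shows a reader and the text a classifier is fed. The added example below is not Avanan's or Microsoft's code; it is an illustrative Python scanner, written here to show how a mail gateway or analyst script can surface that gap. It walks the HTML of a message, marks text that is hidden by a font size of zero or one, a display:none rule or a one-size font tag, and reports the hidden chunks separately from what a human would see. The sample email body is constructed for this example, the class names (.cloak, .gone) and the reset link domain are invented, and the scanner only resolves class selectors from the message's own style block, not external stylesheets.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a phishing-style email body; not the real campaign's markup.
SAMPLE_EMAIL = """
<html><head><style>
.cloak { font-size: 1px; color: #ffffff; }
.gone { display: none; }
</style></head>
<body>
<p>Notification Microsoft 365</p>
<p>Your password expires today. <a href="https://login.example.invalid/reset">Keep current password</a></p>
<span class="cloak">lorem ipsum quarterly newsletter unsubscribe offers</span>
<div class="gone">promotional content catalogue sale</div>
<font size="1">see latest offers</font>
<span style="font-size:0px">filler words invisible to the reader</span>
</body></html>
"""

# font-size of 0 or 1 (px/pt or unitless); 10px, 11pt etc. do not match.
TINY_FONT = re.compile(r"font-size\s*:\s*(0|1)(px|pt)?\s*(;|$)", re.I)
DISPLAY_NONE = re.compile(r"display\s*:\s*none", re.I)
# Only simple class selectors are parsed from the embedded <style> block.
CSS_RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def _declarations_hide(decls):
    """Return a reason string if a CSS declaration list hides its text."""
    if TINY_FONT.search(decls):
        return "tiny-font"
    if DISPLAY_NONE.search(decls):
        return "display-none"
    return None


class HiddenContentScanner(HTMLParser):
    """Separates text a reader sees from text cloaked by tiny fonts or display:none."""

    def __init__(self):
        super().__init__()
        self.class_rules = {}   # class name -> hiding reason, from <style>
        self.stack = []         # hiding reason per open element (None = visible)
        self.visible = []       # text chunks a reader actually sees
        self.hidden = []        # (reason, text) chunks hidden from the reader
        self.links = []         # (is_hidden, href) for every anchor
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        reason = _declarations_hide(a.get("style", ""))
        if reason is None and tag == "font" and a.get("size") in ("0", "1"):
            reason = "tiny-font"
        if reason is None:
            for cls in a.get("class", "").split():
                if cls in self.class_rules:
                    reason = self.class_rules[cls]
                    break
        # Children of a hidden element are hidden too.
        if reason is None and self.stack and self.stack[-1] is not None:
            reason = self.stack[-1]
        if tag == "a" and "href" in a:
            self.links.append((reason is not None, a["href"]))
        if tag not in VOID_TAGS:
            self.stack.append(reason)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self._in_style:
            # Learn which classes hide text before the body is parsed.
            for cls, decls in CSS_RULE.findall(data):
                reason = _declarations_hide(decls)
                if reason:
                    self.class_rules[cls] = reason
            return
        text = " ".join(data.split())
        if not text:
            return
        reason = self.stack[-1] if self.stack else None
        if reason is None:
            self.visible.append(text)
        else:
            self.hidden.append((reason, text))


def scan_email(html):
    """Return what a human sees, what was hidden, and the share of hidden text."""
    s = HiddenContentScanner()
    s.feed(html)
    s.close()
    hidden_chars = sum(len(t) for _, t in s.hidden)
    visible_chars = sum(len(t) for t in s.visible)
    return {
        "visible_text": " ".join(s.visible),
        "hidden_text": s.hidden,
        "hidden_ratio": hidden_chars / max(1, hidden_chars + visible_chars),
        "links": s.links,
        "suspicious": bool(s.hidden),
    }


if __name__ == "__main__":
    report = scan_email(SAMPLE_EMAIL)
    print("reader sees:", report["visible_text"])
    for reason, text in report["hidden_text"]:
        print(f"hidden ({reason}):", text)
    print("hidden share of text: %.2f" % report["hidden_ratio"])
```

The point of the split output is that a classifier should be scored on `visible_text`, the string a person would read, while the presence of any `hidden_text` (or a high `hidden_ratio`) is itself a signal worth alerting on, since legitimate notifications rarely carry paragraphs of one-pixel filler.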

“They run the gamut. We’ve seen hackers use a meta refresh to redirect the end-user; get past Microsoft SafeLinks with ZeroFont and unescape commands; utilize the redirection BDO tag as well as the display none tag, among others. All of these attacks have the same goal — make the NLP see one thing, and humans see another,” Avanan detailed.

Exploiting well-known brands

Whether it is spoofing or impersonation, cybercriminals are masters of exploiting popular brands to trick people into clicking on malicious links.

Email spoofing is the act of sending emails with a forged sender address. It tricks the recipient into thinking that someone they know or trust sent them the email. Usually, it’s a tool of a phishing attack designed to take over your online accounts, send malware, or steal funds.

Recently, CyberNews wrote how malicious hackers are spoofing Amazon purchase notifications to steal financial information. All links go directly to Amazon’s site. This means that even the most trained user will click on it.

An impersonation is another common form of phishing. Malicious actors can impersonate users, domains, and brands. Whatever the impersonation is, the idea is to convince the victim to give up information or data that they wouldn’t normally feel comfortable releasing.

When it comes to brands, here are the most impersonated ones, according to Check Point:

1. Microsoft (related to 45% of all brand phishing attempts globally)

2. DHL (26%)

3. Amazon (11%)

4. Bestbuy (4%)

5. Google (3%)

6. LinkedIn (3%)

7. Dropbox (1%)

8. Chase (1%)

9. Apple (1%)

10. PayPal (0.5%)

Be aware that this list is not exhaustive. Recently, INKY researchers revealed that scammers now use math symbols in the Verizon logo to trick their victims. Despite all the money major brands spend on logo design, people are terrible at remembering them, so exercise extra caution when checking your email next time.

Did you get a similar message? Always double-check all the links before clicking by hovering over them. Watch out for poor grammar and spelling in the email body, be aware of unfamiliar senders, and never act on a document or file unless you are sure it can be trusted.
