Security researchers have identified a weakness in Microsoft 365 (formerly Office 365) that undermines one of the platform's visible anti-phishing cues and could make users more likely to act on malicious emails.
William Moody and Wolfgang Ettlinger from Certitude have demonstrated that the anti-phishing feature known as the ‘First Contact Safety Tip’ can be manipulated. This feature, designed to warn users when receiving emails from unfamiliar addresses, typically displays a message such as, “You don’t often get email from [email protected].”
The researchers found that this safety tip is injected as HTML into the body of an HTML email, which means CSS carried in the message itself can restyle it or hide it entirely. Their proof-of-concept shows that even though the safety tip is still present in the message, it can be concealed from the recipient when the email is rendered.
Microsoft acknowledged that the findings are valid but said the issue does not meet the bar for immediate servicing. According to the company, the weakness, which is relevant mainly to phishing, may be addressed in a future update.
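The defensive counterpart to the technique above is to look, at the gateway or in a mail-flow rule, for sender-supplied CSS that would make content in the rendered body invisible. The following scanner is an added example written for this page; it is not code from the Certitude research or from Microsoft, and it assumes nothing about how the safety tip itself is marked up, since the article does not give that. It flags declarations that hide or zero out an element (`display:none`, `visibility:hidden`, `opacity:0`, zero font size or height) and text whose colour matches its background, in both `<style>` blocks and inline `style=` attributes. The selectors and the sample email are constructed for illustration.

```python
"""Heuristic scan of an HTML email for CSS that hides rendered content.

Added example (not Microsoft's or Certitude's code). The property list and the
sample message are assumptions chosen to illustrate the check; a real gateway
would tune them and combine the result with sender reputation.
"""
import re
from html.parser import HTMLParser

# (property, value) pairs that make an element invisible or unreadable.
# Assumed heuristic list; extend as needed.
HIDING = {
    ("display", "none"), ("visibility", "hidden"), ("opacity", "0"),
    ("font-size", "0"), ("font-size", "0px"),
    ("height", "0"), ("height", "0px"),
    ("max-height", "0"), ("max-height", "0px"),
}


class _StyleCollector(HTMLParser):
    """Collect the text of every <style> block and every inline style= attribute."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self._buffer = []
        self.stylesheets = []          # one string per <style> block
        self.inline = []               # (tag name, style attribute value)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self._buffer = []
        for name, value in attrs:
            if name == "style" and value:
                self.inline.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            self.stylesheets.append("".join(self._buffer))

    def handle_data(self, data):
        if self._in_style:
            self._buffer.append(data)


def parse_declarations(block):
    """'display : NONE !important; color:red' -> [('display','none'), ('color','red')]."""
    decls = []
    for part in block.split(";"):
        if ":" not in part:
            continue
        prop, _, value = part.partition(":")
        value = re.sub(r"\s*!important$", "", value.strip().lower())  # !important changes nothing here
        decls.append((prop.strip().lower(), value))
    return decls


def parse_rules(css):
    """Minimal rule parser: [(selector, [(prop, value), ...]), ...]. Ignores nested @-rules' headers."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # strip comments
    rules = []
    for match in re.finditer(r"([^{}]+)\{([^{}]*)\}", css):
        selector = " ".join(match.group(1).split())
        rules.append((selector, parse_declarations(match.group(2))))
    return rules


def _normalise_colour(value):
    """Expand #abc to #aabbcc so the same colour written two ways compares equal."""
    value = value.strip().lower()
    short = re.fullmatch(r"#([0-9a-f]{3})", value)
    return "#" + "".join(ch * 2 for ch in short.group(1)) if short else value


def _hiding_findings(where, target, decls):
    """Findings for one rule or one inline style: hiding declarations and same-colour text."""
    findings = [(where, target, p, v) for p, v in decls if (p, v) in HIDING]
    props = dict(decls)
    fg, bg = props.get("color"), props.get("background-color") or props.get("background")
    if fg and bg and _normalise_colour(fg) == _normalise_colour(bg):
        findings.append((where, target, "color", f"{fg} on {bg}"))
    return findings


def find_hiding_rules(html):
    """Return [(where, selector_or_tag, property, value), ...] for CSS that conceals content."""
    collector = _StyleCollector()
    collector.feed(html)
    findings = []
    for sheet in collector.stylesheets:
        for selector, decls in parse_rules(sheet):
            findings.extend(_hiding_findings("stylesheet", selector, decls))
    for tag, style in collector.inline:
        findings.extend(_hiding_findings("inline", tag, parse_declarations(style)))
    return findings


# Constructed sample: a message whose CSS hides every <table> in the body
# (an element-level selector also matches anything injected into the body)
# and renders white text on a white background.
SAMPLE_EMAIL = """<html><head><style>
  /* sender-supplied CSS */
  table { display: none !important; }
  .banner td { color: #fff; background-color: #ffffff; }
</style></head>
<body>
  <p style="font-size: 0px">hidden text</p>
  <p>Please review the attached invoice.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hiding_rules(SAMPLE_EMAIL):
        print(finding)
```

Hiding the sender's own content is common in legitimate marketing templates, so this is a scoring signal rather than a block rule; element-level selectors such as `table` or `td` combined with a hiding declaration deserve the most weight, because they apply to everything in the body, including HTML the mail system inserted.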
Additionally, the analysts noted that Outlook icons within encrypted or signed emails can also be modified using this method. The First Contact Safety Tip is part of a broader set of anti-phishing tools available through Exchange Online Protection and Microsoft Defender for organizations using Microsoft 365.