Microsoft Safe Links

Safe Links is one of Microsoft Office 365’s Advanced Threat Protection features for protecting users from malicious URLs. It works by re-writing URLs received in emails so that, when a link is clicked, the user is first taken to a Microsoft domain where the URL is checked for authenticity, reputation and malicious content. If the link passes the Safe Links tests, the user is redirected to the original URL. If the URL fails the test, the user is notified and is not automatically redirected.

Researchers at Avanan recently revealed how Safe Links has been bypassed by attackers using what are known as ZWSPs (Zero-Width Spaces) to increase the effectiveness of phishing emails. A ZWSP is a special Unicode character that is not displayed to the user and is usually used for formatting sections of text. Whilst you may not see a Zero-Width Space, most applications see it as a regular space and therefore treat it as such, which is where the issue lies.

For example, an attacker could insert the zero-width space character (Unicode U+200B, written as `&#8203;` in HTML) into a URL as follows: “www.&#8203;test.&#8203;maliciouswebsite.&#8203;com”. Safe Links does not recognise this as a URL, but as a user you would see “www.test.maliciouswebsite.com”, and when clicked you would be taken directly to the malicious site.

Avanan have been working with the Microsoft security team on resolving the vulnerability. The issue is now resolved; however, this is not to say that similar issues will not arise in the future. To protect yourself, when hovering over a hyperlink in Outlook with Safe Links enabled, check that the URL follows this format: “https://emea01.safelinks.protection.outlook.com/?url=targeturl”. If you are unsure about a link, our advice is to ignore it and navigate to the page manually so you have control of what you are visiting.
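The two points above (a host split by U+200B that a URL matcher misses but a reader sees, and the rewritten Safe Links format to look for) can be demonstrated with a small scanner. This is an added example, not code from the post, from Avanan or from Microsoft: the regex, the extra zero-width code points and the sample message body are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import parse_qs, urlparse

# U+200B is the zero-width space described in the post. The other code points
# are related invisible formatters, included on the assumption that a scanner
# should treat them the same way.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Deliberately simple URL matcher: like a naive rewriter it only sees runs of
# word characters joined by dots, so an embedded ZWSP splits the host apart.
URL_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")

def strip_zero_width(text):
    """Remove every zero-width code point so the true URL becomes visible."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)

def hidden_chars(text):
    """List (offset, Unicode name) for each zero-width char in the text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in ZERO_WIDTH]

def scan_message(body):
    """Return URLs the naive matcher sees, plus those only found after stripping."""
    visible = URL_RE.findall(body)
    found_after_strip = URL_RE.findall(strip_zero_width(body))
    return {
        "visible": visible,
        "obfuscated": [u for u in found_after_strip if u not in visible],
        "hidden_chars": hidden_chars(body),
    }

def is_safelinks_wrapped(url):
    """Check a link against the rewritten form quoted in the post."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return (
        parts.scheme == "https"
        and host.endswith(".safelinks.protection.outlook.com")
        and "url" in parse_qs(parts.query)
    )

# Constructed sample message: one ordinary link and one host split by U+200B.
SAMPLE_BODY = (
    "Please review the invoice at https://example.com/login today.\n"
    "Payment portal: www.\u200btest.\u200bmaliciouswebsite.\u200bcom \n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE_BODY))
```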