Microsoft 365 anti-phishing feature can be bypassed with CSS

August 7, 2024 at 11:35AM

Researchers discovered a method to hide the ‘First Contact Safety Tip’ in Microsoft 365, potentially increasing the risk of users opening malicious emails. Despite reporting the flaw to Microsoft, the tech giant decided not to address it at this time. The technique involves manipulating HTML and CSS to hide the warning and spoof security icons.

The article details the demonstration of a method to bypass an anti-phishing measure in Microsoft 365, specifically the ‘First Contact Safety Tip’ in Outlook, which alerts users to emails from unfamiliar senders. The tip can be hidden by CSS manipulation within the HTML of the email, effectively removing the warning from view. Additionally, the researchers found a way to spoof the icons shown for encrypted and signed emails, creating a false impression of security. They reported their findings to Microsoft, but the tech giant decided not to address the issue immediately, citing that it primarily applies to phishing attacks. However, Microsoft acknowledged the finding and marked it for future review to improve its products.
