New obfuscation method for spam and phishing mails
On our own behalf
The security company Proofpoint reports a new method used to disguise spam and phishing emails. This method was first observed in May 2018. There have not yet been any reports of it being used in Europe, but that should only be a matter of time.
The method uses text that appears to be meaningless, a mere jumble of letters. A simple example:
Kplz pza lpu Ilpzwplsalea, dpl ly pu lpuly Wopzpunthps clydlukla dlyklu röuual.
In order to prevent the jumble of letters from being displayed in the email client, the attackers use a CSS rule that applies WOFF fonts embedded in the email. This has the great advantage for the attacker that no JavaScript is needed: because JavaScript is used so often in emails carrying malware, its presence now quickly attracts the attention of security software, and in companies JavaScript is in any case quite often disabled in the email client.
If you extract this font and inspect it, you find a seemingly random arrangement of letters in place of the alphabet. Combine the two elements, however, and the email client displays human-readable text.
This method is comparable to a Caesar cipher, which was used for the demonstration above.
The aim is to make machine detection of unwanted emails more difficult, since certain keywords can no longer be detected in the text because of the obfuscation.
Unfortunately, defending against this obfuscation method is not that easy. One can force plain-text display via policies in the email client, so that everyone would see the jumble of letters. However, this would also destroy the design of many legitimate emails or make them completely unreadable, since only very few senders take plain-text display into account when composing an email.
Security software developed to recognise spam and phishing emails should of course always be kept supplied with the latest detection routines; this is usually done automatically.
Software cannot always help or protect. Employees must therefore also be made aware of how to handle phishing emails, regardless of whether they are disguised or not.