Microsoft 365 anti-phishing protection can be bypassed with CSS

Researchers found a way to get around a security measure in Microsoft 365, making it more likely for users to open harmful emails. Outlook has a hidden anti-phishing measure called the ‘First Contact Safety Tip.’ It warns recipients when they receive an email from an unfamiliar address.

Outlook displays an alert when a user receives an email from an unfamiliar address. The alert message says “You don’t often get email from [email protected]. Learn why this is important”. Microsoft refers to this as the First Contact Safety Tip. It is one of the anti-phishing measures provided by Exchange Online Protection (EOP) and Microsoft Defender for organizations using Office 365.

You can change how the First Contact Safety Tip is displayed in an HTML email by using CSS style tags.

To hide the First Contact Safety Tip in an HTML email, we can change the background and font colors to white. This will make the alert effectively invisible to the end user.

<head>
</head>
<head>
<style>
a {
display: none;
}
td div {
color: white;
font-size: 0px;
}
table tbody tr td {
background-color: white !important;
color: white !important;
}
</style>
</head>

…[SNIP]…

By using this HTML code in an e-mail, the alert does not show up in the email body anymore!

Note that the e-mail preview (highlighted in red) still begins with the Safety Tip.

Responsible Disclosure:

After developing a proof of concept, and preparing an advisory, we made Microsoft aware of these issues through the Microsoft Researcher Portal (MSRC). Microsoft chose to not address this behavior for now: (Click here to read the full report)