Tricked: Phishing campaigns with hidden fonts and zero text

27. September, 2020

Phishing attacks via emails are part of everyday digital life: Attackers try to trick recipients by pretending to be false senders, services or even domain names. Promises, warnings or announcements tempt people to click on dangerous links. The click triggers a disastrous chain reaction through which malware can enter the system and begin its harmful task.

Old tricks, new scam: invisible texts

In current phishing campaigns, “hidden text” and “zero font” attacks are (again) increasingly being used.[1] Relevant search terms are supplemented with special fonts or character sets that are only recognisable to the machine, but not to humans – for example, “enter password” vs. “e-n-t-e-r-p-a-s-s-w-o-r-d-“.

Currently popular is Unicode: The international standard offers some regular characters that are not displayed in the email. Hidden between the letters of the irritant words they can dilute the recognition performance of anti-spam software. Font size “0” or font colour like background colour are other well-known tricks. More experienced spammers also use special features of HTML/CSS to transmit “invisible” texts, for example the CSS command “display:none”. Or the meaningless text “563 eciffo” is output as “Office 365” in the email thanks to HTML. If the algorithm does not recognise the brand name, it also does not check whether the message originates from a Microsoft server.

All these methods aim to simulate legitimate content and hide the fraudulent intentions. One wrong click and the attack starts unnoticed.

Coordinated multiple strategies against phishing emails

Well-crafted and targeted phishing attempts are now almost impossible to distinguish from legitimate messages – certainly not with the naked eye. Even simple spam filters sometimes reach their limits. Regular descriptive information on current threats will help your employees keep their eyes open and their curiosity in check. In case of doubt, always check on another channel – for example via telephone – before clicking whether the message is genuine and the attachment or link is safe.

From a technical point of view, it is worth investing in professional software that uses advanced detection methods and checks not only the content elements but also the links in the emails. IKARUS detects and analyses hidden links and redirects. For maximum security, there is an additional security check of the target URLs, in which the websites are scanned for phishing features. Activating the “Advanced URL Defense” option, these checks not only performed when the email is received, but again when the URL is clicked. In this way, even delayed attacks are detected and warded off.

Tip: Check the settings of your IKARUS now!

You will find the free Advanced URL Defense feature in your admin interface under the menu item Inbound. Open the settings on the right in the Inbound header and activate the function in the HTML Filter tab by clicking on Advanced URL Defense.

Worth reading:

Targeted attack instead of mass processing: Are you a potential spear phishing victim?


Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download