
SPAR – Cybersecurity Scam of the Week – Phishing Emails Use Small Font Size to Bypass Security Filters


Did you know that, on average, 87% of phishing emails delivered to UTHSC are blocked by security filters? That’s a LOT of phishes! But that still means that 13% get to our inboxes.

This is why reporting suspected emails to abuse@uthsc.edu is so very important. If a phish lands in your inbox and you report it, we can block it from being delivered to others, as well as see who it was already delivered to and if they fell for it.

Researchers at Avanan have spotted phishing emails that use a font size of one to fool email security scanners. Yes, font size of one – so tiny no one will notice, especially if it is formatted with white coloring on a white background. The emails appear to be password expiration notifications from Microsoft 365. The attackers have inserted benign links that are invisible to the human eye, but trick security scanners into viewing the email as a legitimate marketing email.
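As an added illustration (not from this bulletin, Avanan, or UTHSC's filters), the following Python check walks an HTML email body and flags links and text that sit inside elements styled with a one-point font or white text, which is the trick described above. The regexes, the size threshold, and the sample message are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Heuristics for "invisible" content: a font size of 1 (px/pt or bare) or white text.
# Regexes, threshold and sample below are assumptions for this example, not a vendor rule.
TINY_FONT_RE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt)?(?![\w%])", re.I)
WHITE_RE = re.compile(r"(?<![\w-])color\s*:\s*(white|#fff(?:fff)?|rgb\(255,\s*255,\s*255\))", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # elements that never close

class HiddenContentDetector(HTMLParser):
    """Records links and text placed inside elements styled to be unreadable."""
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, reason) per open element; reason is None if visible
        self.findings = []  # (kind, reason, snippet)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        reason = self.stack[-1][1] if self.stack else None  # inherit the parent's state
        m = TINY_FONT_RE.search(style)
        if (m and float(m.group(1)) <= 1) or (tag == "font" and a.get("size") == "1"):
            reason = "tiny-font"
        elif WHITE_RE.search(style):
            reason = "white-color"
        if tag == "a" and reason and a.get("href"):
            self.findings.append(("link", reason, a["href"]))
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        idx = next((i for i in range(len(self.stack) - 1, -1, -1) if self.stack[i][0] == tag), None)
        if idx is not None:  # pop down to the matching open tag
            del self.stack[idx:]

    def handle_data(self, data):
        if self.stack and self.stack[-1][1] and data.strip():
            self.findings.append(("text", self.stack[-1][1], data.strip()))

def find_hidden_content(html):
    """Return [(kind, reason, snippet)] for every hidden link or text run in the body."""
    parser = HiddenContentDetector()
    parser.feed(html)
    return parser.findings

# Constructed sample: a fake password-expiry notice with newsletter text hidden at 1px/white.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>Your Microsoft 365 password expires today. <a href="https://example.com/keep">Keep my password</a></p>
<p style="font-size:1px;color:#ffffff">Weekly deals <a href="https://example.com/newsletter">unsubscribe</a> newsletter</p><span style="color:white">Mar</span><br>
<p>Thank you, IT Helpdesk</p></body></html>"""
```

A message that returns findings here still needs a human or a second rule to judge it; legitimate footers occasionally use small fonts, so treat this as one signal among several.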

UTHSC has a specific procedure in place to notify users when their password is expiring. It does NOT come from Microsoft but from UTHSC directly. We have seen these on campus using email addresses looking like they are coming from “Uthsc IT”, but the email addresses are external ([Ext]), usually coming from other countries. Know your SPAR training and be prepared to respond to these emails by forwarding them to Abuse.

What else has been reported to abuse@uthsc.edu this past week?

  • [Ext] PFL Penalty Appeal & Payroll Taxes – from an external address, but spoofed to look like it was coming from “Accounting@uthsc.edu”, wanting the recipient to click on an attachment.
  • [Ext] Uthsc Benefit Report update – very similar, spoofed to look like it was coming from “HR@Uthsc” (no .edu), but from an external email address.
  • [Ext] 607 2808 **** incomming V-Message Attached – we can guarantee two things; we know how to spell incoming, and the UTHSC voicemail system is not operated by “sasamoto@autocar-japan.com”.
  • [Ext] INVOICE ID PBW16112021EV – soon to be known as the “classic” Norton scam, advising the recipient that the service is auto-renewed and to contact a given phone number to dispute.
  • [Ext] Payment successfull, Invoice NOR1637083215TO – the same person got almost the exact same email phish just with a different Subject line.
  • [Ext] ACH Capital 3- Payment_11/19/2021 – from a Canadian email address, definitely not the payment confirmation attachment you want to open.
  • [Ext] New (27 seconds) message from (847) 4210-**** – another voicemail phish, this one spoofed so it looks like “Uthsc | Telecom”, but the email address is from Japan.

Keep reporting suspicious emails to abuse@uthsc.edu for examination. Any other inquiries for the Office of Cybersecurity should be directed to itsecurity@uthsc.edu.