'Zero Width Space' appended to Microsoft 365 Defender Alert


TLDR: The M365 Defender alert "Email messages containing malicious URL removed after delivery" has a hidden non-printable character at the end of the alert, the Zero-Width Space (ZWSP) character.

I was working to implement the SocRA Watchlist by @Rin_Ure in Sentinel and was eager to extend the included list with a few simple remediation steps. Luckily for this post, the very first alert I chose to extend has a hidden non-printable character, the Zero-Width Space (ZWSP) character.

After significant head scratching on why my watchlist was not triggered for the alert I found that: "Email messages containing malicious URL removed after delivery​" has the non-printable character after the 'y' in delivery. I have copied the alert title in both Chrome and Edge as well as 2 Azure tenants and the ZWSP character is consistent.

You can test this yourself by searching for the alert and copying the full title and running the below code which converts the string to its decimal unicode equivalent:

$string = "Email messages containing malicious URL removed after delivery​"
# Enumerate each character and print its decimal Unicode code point.
# (ToCharArray avoids the empty leading/trailing elements that -split '' produces,
# which would make [char] throw.)
$string.ToCharArray() | ForEach-Object { [int]$_ }

You should see the final output as below:

101
114
121
8203

The '8203' being the ZWSP character, where '121' is 'y'.

It would be great to have this confirmed by other users and remediated by the relevant MS team. While, knowing about it, one can simply include the ZWSP in relevant watchlists or automation, it's going to bite at some point.

Thanks.
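The matching failure described in the post, as an added example that is not part of the original post: it reproduces the author's PowerShell code-point dump in Python, locates every Unicode "format" (Cf) character in an alert title, and shows why an exact watchlist compare fails while a normalized compare succeeds. The alert title and watchlist entry below are constructed sample strings; the trailing U+200B is placed there deliberately to mirror what the post reports.

```python
import unicodedata

# Constructed sample input: the alert title as it appears in the portal (with a
# trailing U+200B ZERO WIDTH SPACE) and the visually identical watchlist entry.
ALERT_TITLE = "Email messages containing malicious URL removed after delivery\u200b"
WATCHLIST_ENTRY = "Email messages containing malicious URL removed after delivery"


def code_points(text):
    """Decimal Unicode code point of every character, like the post's
    PowerShell one-liner ([int][char])."""
    return [ord(ch) for ch in text]


def find_invisible_chars(text):
    """Return (offset, code point, name) for each character in Unicode category
    Cf ("format"), which covers ZWSP, ZWJ/ZWNJ, BOM and bidi controls."""
    return [
        (i, ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def normalize_title(text):
    """Drop format characters and trim whitespace so titles that look the same
    compare equal. Use this on both the incoming alert and the watchlist side."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf").strip()


def matches_watchlist(alert_title, watchlist):
    """Return (raw_match, normalized_match) for an alert title against a watchlist.
    raw_match is what a naive equality lookup sees; normalized_match is what a
    lookup that strips invisible characters sees."""
    raw_match = alert_title in watchlist
    normalized_entries = {normalize_title(entry) for entry in watchlist}
    normalized_match = normalize_title(alert_title) in normalized_entries
    return raw_match, normalized_match


if __name__ == "__main__":
    # Last four code points: 101 114 121 8203, matching the post's output.
    print(code_points(ALERT_TITLE)[-4:])
    for offset, cp, name in find_invisible_chars(ALERT_TITLE):
        print(f"offset {offset}: U+{cp:04X} {name}")
    print(matches_watchlist(ALERT_TITLE, [WATCHLIST_ENTRY]))
```

Normalizing on category Cf rather than on U+200B alone catches the other invisible code points that show up in copied UI text (BOM, zero-width joiners, bidi marks), so the same fix covers the next alert title that has a different hidden character.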
