In the latest string of evolving sophisticated phishing attacks, Microsoft has revealed hackers are using a new tactic—Morse code to evade detection.
After a year-long investigation, Microsoft 365 Defender Threat Intelligence Team discovered an unknown cybercriminal group was harvesting user credentials via an invoice-themed XLS.HTML phishing campaign.
The HTML attachment included JavaScript files used to steal passwords, which were then encoded using different mechanisms. The attackers moved from using the plaintext HTML code to employing multiple encoding techniques like Morse code. The operators kept changing their encryption mechanisms every 37 days on average, according to Microsoft.
The attachment is comparable to a jigsaw puzzle; segments of the HTML file may appear harmless at code level and may slip past conventional security solutions. “When the segments are put together and properly decoded does the malicious intent show,” writes Microsoft in a blog post.
Related: Ivanti: IT Is Losing The Phishing Fight
The XLS.HTML phishing campaign sent emails mimicking financial-related business transactions, such as a payment advice. The attachment is an HTML file, but the extension is modified using a variation of Excel like type files; xls.HTML, xslx.HTML, Xls.html, etc.
Unbeknownst victims are prompted to open the excel file. Once it’s opened, a browser window will display a fake Microsoft 365 dialog box to enter credentialed information, such as email address and password.
If the user enters their credentials, they’ll receive a fake note that the password is incorrect. Meanwhile, the phishing scheme is running in the background harvesting the password and other information about the user.
Microsoft recommends IT teams should perform the following to reduce impact of this phishing attack:
- Use mail flow rules or Group Policy for Outlook to strip .html or .htm or other file types that are not required for business.
- Turn on Safe Attachments policies to check attachments to inbound email. Enable Safe Links protection for users with zero-hour auto purge to remove emails when a URL gets weaponized post-delivery.
- Avoid password reuse between accounts and use multi-factor authentication (MFA).
- Educate end users on phishing tactics as part of security or phishing awareness training.
Additionally, you can look for alerts within the Microsoft 365 Security Center for emails delivered with xslx.html/xls.html attachments.
To locate specific attachments related to this campaign, run the following query:
// Searches for email attachments with a specific file name extension xls.html/xslx.html
EmailAttachmentInfo
| where FileType has “html”
| where FileName endswith_cs “._xslx.hTML” or FileName endswith_cs “_xls.HtMl” or FileName endswith_cs “._xls_x.h_T_M_L” or FileName endswith_cs “_xls.htML” or FileName endswith_cs “xls.htM” or FileName endswith_cs “xslx.HTML” or FileName endswith_cs “xls.HTML” or FileName endswith_cs “._xsl_x.hTML”
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| where EmailDirection == “Inbound”
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply