Phishing attacks are ever-evolving and becoming more sophisticated. The latest, which targeted usernames and passwords, went old school and used Morse code to slip past email filters and other security controls.
Microsoft recently revealed the phishing attack, which it said used a “jigsaw puzzle” technique in addition to measures like Morse code and other encryption methods to obscure its attacks and avoid detection. The attacker group used invoices in Excel HTML or web documents as a means to distribute forms that snagged credentials for future breach attempts.
“In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show,” the blog post added.
Microsoft has spent over a year investigating this XLS.HTML phishing campaign. The attackers changed their obfuscation and encryption mechanisms roughly every 37 days, proving their skill and high motivation to keep the operation up and running while remaining undetected.
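The "jigsaw puzzle" point above is easy to see in code. The following added example (not from Microsoft's write-up or from the campaign itself) is a small, defender-side scanner that finds runs of Morse code inside an HTML attachment, decodes each run on its own, and then decodes them assembled in order. The sample attachment, the Morse table and the indicator keywords are all constructed for the demo: each segment decodes to something harmless, and only the assembled text trips the indicators, which is exactly why per-segment inspection is not enough.

```python
import re

# International Morse code table (letters and digits only); assumed sufficient for this demo.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# A "run" is at least three dot/dash symbols separated by single spaces, not glued to
# other dots or dashes. Three symbols keeps ellipses and lone hyphens out of the matches.
MORSE_RUN = re.compile(r"(?<![.\-])[.\-]{1,5}(?: [.\-]{1,5}){2,}(?![.\-])")

# Constructed indicator keywords; a real scanner would carry a larger, tuned list.
SUSPICIOUS_TOKENS = ("SCRIPT", "PASSWORD", "EVAL", "UNESCAPE", "DOCUMENT")

# Constructed sample attachment: four segments that decode to SCR, IPT, PASSW and ORD.
SAMPLE_HTML = """<html><body>
<p>Invoice #INV-0001 (constructed sample, not a real lure)</p>
<div id="a">... -.-. .-.</div>
<div id="b">.. .--. -</div>
<div id="c">.--. .- ... ... .--</div>
<div id="d">--- .-. -..</div>
</body></html>"""


def find_morse_runs(text):
    """Return every Morse-looking run in the text, in document order."""
    return [m.group(0) for m in MORSE_RUN.finditer(text)]


def decode_morse(run):
    """Decode one run; unknown symbols become '?' rather than raising."""
    return "".join(MORSE.get(sym, "?") for sym in run.split())


def scan_attachment(html):
    """Decode each run separately, then the runs assembled in order.

    Returns per-segment findings plus the assembled text and its indicator hits,
    so a reviewer can see whether the intent only appears once the pieces are joined.
    """
    segments = [{"encoded": r, "decoded": decode_morse(r)} for r in find_morse_runs(html)]
    for seg in segments:
        seg["hits"] = [t for t in SUSPICIOUS_TOKENS if t in seg["decoded"]]
    assembled = "".join(s["decoded"] for s in segments)
    return {
        "segments": segments,
        "assembled": assembled,
        "assembled_hits": [t for t in SUSPICIOUS_TOKENS if t in assembled],
    }


def is_suspicious(html):
    """True if any segment, or the assembled decode, contains an indicator keyword."""
    report = scan_attachment(html)
    return bool(report["assembled_hits"]) or any(s["hits"] for s in report["segments"])


if __name__ == "__main__":
    report = scan_attachment(SAMPLE_HTML)
    for seg in report["segments"]:
        print(f"{seg['encoded']!r:32} -> {seg['decoded']:8} hits={seg['hits']}")
    print("assembled:", report["assembled"], "hits =", report["assembled_hits"])
```

Run stand-alone, the script shows each segment decoding cleanly with no hits, while the assembled text lights up two indicators. The practical lesson for a mail-filtering pipeline is that decoding has to happen after the attachment's pieces are reassembled, and that any attachment carrying several Morse-like runs deserves a closer look regardless of what each run says on its own.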
While the primary aim of the phishing attack was to collect user login credentials, it also readily collected profile data, such as user locations and IP addresses, which the attackers likely planned to use in future attacks. Microsoft claimed that “This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls.”
“The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice.” The campaign falls under the “business email compromise” category of attacks, a more lucrative scam than ransomware.
By using less flashy lures, such as Excel spreadsheet attachments, and then redirecting users to a fake Microsoft Office 365 login page that features their own company’s logo (for example), the attackers make it far less likely that users will see a red flag before entering their credentials.
Feel free to check out Microsoft’s blog post for a more in-depth look at the attack, including the timeline of how the encoding techniques changed from month to month.