Attackers turn to Morse code’s dots and dashes in invoicing phishing campaign
- Microsoft reveals the inner-workings of a phishing attack group’s unique techniques
- They are using a ‘jigsaw puzzle’ technique and Morse code dashes and dots to hide their attacks
- Different segments of a HTML file come together to reveal their malicious intent, only after seeming innocuous in their segmented initial presentation
Microsoft has revealed the inner-workings of a phishing attack group’s techniques that uses a ‘jigsaw puzzle’ technique plus unusual features like Morse code dashes and dots to hide its attacks.
The group is using invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts.
The technique is notable because it bypasses traditional email filter systems.
Microsoft Security Intelligence said in this regard:
In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions.
Only when these segments are put together and properly decoded does the malicious intent show
Microsoft Security Intelligence
The attack is a type of business email compromise, about which we’ve previously written here. It is a highly profitable scam that outsizes the ransomware cyber crime industry.
The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line.
Excel and the finance-related subject is the hook that’s meant to encourage victims to hand over credentials.
Using xls in the attachment file name is meant to prompt users to expect an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document.
The dialog box may display information about its targets, such as their email address and, in some instances, their company logo.
Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves, Microsoft noted.
Meanwhile, in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.