Close this search box.

Morse code returns: Bizarre phishing attack uses morse to hide approach


Attackers turn to Morse code’s dots and dashes in invoicing phishing campaign

Key takeaways

  • Microsoft reveals the inner-workings of a phishing attack group’s unique techniques
  • They are using a ‘jigsaw puzzle’ technique and Morse code dashes and dots to hide their attacks
  • The attacks feature heavy use of JavaScript to steal passwords
  • Different segments of a HTML file come together to reveal their malicious intent, only after seeming innocuous in their segmented initial presentation

Microsoft has revealed the inner-workings of a phishing attack group’s techniques that uses a ‘jigsaw puzzle’ technique plus unusual features like Morse code dashes and dots to hide its attacks.

The group is using invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts.

The technique is notable because it bypasses traditional email filter systems.

Microsoft Security Intelligence said in this regard:

The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers move from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code to hide these attack segments.

In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions.

Only when these segments are put together and properly decoded does the malicious intent show

Microsoft Security Intelligence

The attack is a type of business email compromise, about which we’ve previously written here. It is a highly profitable scam that outsizes the ransomware cyber crime industry. 

The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line.

Excel and the finance-related subject is the hook that’s meant to encourage victims to hand over credentials. 

Using xls in the attachment file name is meant to prompt users to expect an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document.

The Morse Code element of the attack is used in conjunction with JavaScript, the most popular programming language for web development. 

The dialog box may display information about its targets, such as their email address and, in some instances, their company logo.

The Morse Code element of the attack is used in conjunction with JavaScript, the most popular programming language for web development. 

Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves, Microsoft noted.

In the February iteration of the scam, links to the JavaScript files were encoded using ASCII then in Morse code.

Meanwhile, in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →