Microsoft has disclosed details of a sophisticated, year-long credential-phishing campaign whose operators changed their obfuscation and encoding mechanisms every 37 days on average. The attackers relied on Morse code not only to conceal the contents of their attachment but also, through it, to surreptitiously harvest user credentials.
Phishing attacks have become more sophisticated than ever. Among the trickiest and most dangerous are invoice-themed lures that mimic financial business transactions: the emails carry an HTML attachment presented as an Excel (XLS) file. These malicious files harvest usernames and passwords, which can then serve as a gateway for later intrusion attempts or fraud.
Microsoft likened the attachment to a “jigsaw puzzle”: the individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, and only reveal their true purpose once the segments are decoded and reassembled. The company did not attribute the operation to a specific group, but said it is a campaign defenders should be aware of moving forward.
These attackers are relentless in their use of evasive methods to steal passwords. They have developed a variety of encoding techniques, including old-fashioned Morse code (an encoding rather than encryption, and one that virus scanners are not built to recognise) as well as obfuscated JavaScript designed to get around security controls.
“This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,” the Microsoft 365 Defender Threat Intelligence Team said in an analysis this week. The HTML attachment is divided into several segments, each hidden behind a different encoding technique, from plaintext HTML through encoded JavaScript to unusual schemes such as Morse code; at runtime the segments are decoded and stitched back together into the working phishing page.
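The layered-segment trick described above is easier to understand with a decoder that peels the layers off. The following is an added example written for this article; it is not Microsoft's analysis code and not the phishing kit. It assumes the attachment stores its segments as JavaScript string literals encoded in layers of percent-escaping and Morse code (Morse letters separated by single spaces, words by `/`), and the sample attachment it inspects is constructed here for the demonstration; the function names, the "suspicious" token list and the `example.invalid` host are all assumptions of the example.

```python
"""Layer-peeling decoder for a suspicious HTML attachment (added example).

Not Microsoft's code and not the phishing kit. Assumes segments are stored as
JavaScript string literals, encoded in layers of percent-escaping and Morse
code (letters separated by spaces, words by '/'). The sample attachment below
is constructed for this demonstration.
"""
import re
from urllib.parse import quote, unquote

# ITU Morse table covering letters, digits and the punctuation a URL needs.
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "---...": ":", "-..-.": "/", "-....-": "-", "-...-": "=",
    "..--.-": "_", "--..--": ",", "..--..": "?", ".-.-.": "+", ".--.-.": "@",
}
CHAR_TO_MORSE = {c: m for m, c in MORSE_TO_CHAR.items()}

# Tokens an analyst wants flagged once a layer has been peeled off (assumed list).
SUSPICIOUS = ("<script", "eval(", "document.write", "atob(", "unescape(", "://")

STRING_LITERAL = re.compile(r'(["\'])([^"\'\n]{8,})\1')   # quoted JS literals
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")            # %XX sequences
MORSE_ONLY = re.compile(r"^[.\-]+(?:[ /]+[.\-]+)+$")        # dots/dashes only


def encode_morse(text):
    """Encode text as Morse; used only to build the constructed sample."""
    words = text.upper().split(" ")
    return "/".join(" ".join(CHAR_TO_MORSE[c] for c in word) for word in words)


def decode_morse(segment):
    """Decode Morse; unknown symbols become '?' so noise never crashes the decoder."""
    words = []
    for word in segment.strip().split("/"):
        letters = [MORSE_TO_CHAR.get(sym, "?") for sym in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def classify(segment):
    """Name the outermost encoding layer of a segment, or 'plain' if none."""
    if len(PERCENT_ESCAPE.findall(segment)) >= 3:
        return "percent"
    if MORSE_ONLY.match(segment.strip()):
        return "morse"
    return "plain"


def peel(segment, max_layers=5):
    """Strip encoding layers one at a time; return (layers removed, final text)."""
    layers = []
    for _ in range(max_layers):
        layer = classify(segment)
        if layer == "plain":
            break
        segment = unquote(segment) if layer == "percent" else decode_morse(segment)
        layers.append(layer)
    return layers, segment


def analyze_attachment(html):
    """Return one finding per encoded string literal found in the attachment."""
    findings = []
    for match in STRING_LITERAL.finditer(html):
        layers, decoded = peel(match.group(2))
        if not layers:
            continue  # plain literal, nothing hidden
        findings.append({
            "layers": layers,
            "decoded": decoded,
            "suspicious": any(tok in decoded.lower() for tok in SUSPICIOUS),
        })
    return findings


# Constructed sample: a plain lure, a percent-escaped script fragment, and a
# Morse-encoded endpoint that is itself percent-escaped (two layers deep).
_MORSE_ENDPOINT = encode_morse("HTTPS://LOGIN.EXAMPLE.INVALID/AUTH")
SAMPLE_ATTACHMENT = (
    "<html><body><p>Your invoice is attached. Sign in to view it.</p>\n"
    "<script>\n"
    'var a = "' + quote("<script>document.write(atob(b))</script>", safe="") + '";\n'
    'var b = "' + quote(_MORSE_ENDPOINT, safe="") + '";\n'
    "</script></body></html>"
)

if __name__ == "__main__":
    for finding in analyze_attachment(SAMPLE_ATTACHMENT):
        print(finding["layers"], finding["suspicious"], finding["decoded"])
```

Running the block prints one line per hidden segment: the first peels a single percent-escaping layer and recovers a `<script>` fragment, the second peels percent-escaping and then Morse to recover the credential-collection URL. The point for detection engineering is that no single layer looks malicious on its own; the decoder has to reassemble the pieces, exactly as the attachment's own JavaScript does in the victim's browser.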
Opening the attachment launches a fake dialog styled as a Microsoft Office 365 alert, claiming the user's access to the Excel document has been revoked and urging them to sign in again immediately. Whatever the victim types into the form is sent to the attackers, who then display a fake error message so the victim does not realise the password has just been stolen.
The campaign has gone through ten iterations since it was first observed in July 2020. With each iteration the adversary switched encoding methods and attack segments to mask the malicious nature of the attachment, an HTML document assembled from several separately encoded pieces.
Microsoft said it detected Morse code in the February and May 2021 waves of the attack, while later variants of the phishing kit redirected victims to a legitimate Office 365 page instead of showing a fake error message once their passwords had been entered.
Email-based attacks continue to make novel attempts to bypass security solutions. “In this case, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types” such as JavaScript, Microsoft said; stacking several encoding layers on a familiar file type is what lets the attachment slip past scanners that inspect each layer in isolation. Microsoft said it continues to develop protections for its email platform against campaigns of this kind.