Microsoft has disclosed details of a sophisticated year-long phishing campaign in which the operators changed their obfuscation and encryption mechanisms every 37 days on average. The campaign relied on Morse code not only to conceal its tracks but also to surreptitiously harvest user credentials.
Phishing attacks have become more sophisticated than ever. The trickiest and most dangerous are the invoice-themed lures that mimic financial business transactions, delivered as emails carrying an HTML attachment disguised as an Excel (XLS) file. These malicious files harvest usernames and passwords, which can then serve as a gateway for later intrusion attempts or fraud.
Microsoft likened the attachment to a “jigsaw puzzle,” noting that the individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, revealing their true nature only once the segments are decoded. The company did not identify the hackers behind the operation, but noted that it is one to keep watching.
Opening the attachment launches a fake screen displaying an alert from Microsoft Office 365 claiming that your access to Excel has been revoked. The page urges you to sign in again immediately, and it accepts whatever password you enter without complaint: the operators are not verifying the credential, they are collecting it, since the password is the only data they are after.
The campaign has gone through 10 iterations since it was first observed in July 2020. The adversary switched encoding methods and attack segments to mask the malicious nature of the attachment, an HTML document assembled from several malicious pieces.
Microsoft told reporters that it detected Morse code in the February and May 2021 waves of the attacks, while later variants of the phishing kit were found to redirect victims to a legitimate Office 365 page, rather than showing a fake error message, after the password was entered.
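As an added illustration from the defender's side (this is not code from Microsoft's report or from the phishing kit), the Python below scans an HTML attachment for runs of Morse code, decodes them with the international Morse table, and flags any segment whose plaintext contains credential-harvesting keywords. The Morse mapping, the keyword list and the sample lure are assumptions constructed for this example; the real kit's encoding and segmentation differ.

```python
import re

# International Morse table for A-Z and 0-9. Assumption for the example:
# the real campaign's mapping and token separators may differ.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

# A run of at least eight whitespace-separated Morse tokens ('/' = word gap).
MORSE_RUN = re.compile(r"(?:(?:[.-]{1,5}|/)\s+){7,}(?:[.-]{1,5}|/)")

# Plaintext strings a fake Office 365 sign-in page typically needs.
SUSPICIOUS = ("PASSWORD", "LOGIN", "SIGNIN", "OFFICE365", "EXCEL")

def decode_morse(segment: str) -> str:
    """Decode a space-separated Morse run; unknown tokens become '?'."""
    words = []
    for word in segment.split("/"):
        words.append("".join(MORSE.get(t, "?") for t in word.split()))
    return " ".join(w for w in words if w)

def scan_attachment(html: str) -> list:
    """Return (decoded_text, keyword) for each Morse run whose decoded
    plaintext contains one of the credential-harvesting keywords."""
    hits = []
    for match in MORSE_RUN.finditer(html):
        plain = decode_morse(match.group(0))
        for keyword in SUSPICIOUS:
            if keyword in plain.replace(" ", ""):
                hits.append((plain, keyword))
                break
    return hits

# Constructed sample lure: a script carrying "ENTER PASSWORD" in Morse.
SAMPLE_HTML = """<html><body><div>Invoice #00321</div>
<script>var s = ". -. - . .-. / .--. .- ... ... .-- --- .-. -..";
document.write(decode(s));</script></body></html>"""

if __name__ == "__main__":
    for plain, keyword in scan_attachment(SAMPLE_HTML):
        print(f"Morse segment decodes to {plain!r}; matched {keyword}")
```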