Microsoft on Thursday detailed the techniques a phishing group uses to evade detection, among them Morse code. The company described a "jigsaw puzzle" approach in which the malicious HTML attachment is split into segments that are encoded separately, some of them with Morse code dots and dashes, so that no single piece looks malicious on its own.
In this social-engineering campaign the operators changed their obfuscation and encryption mechanisms every 37 days on average, at times relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials.
Cybercriminals change tactics as fast as security and protection technologies do. The group sends invoice-themed emails carrying an HTML attachment posing as an Excel document; the attachment renders a form that captures credentials for later intrusion attempts. The technique is notable because it bypasses traditional email filters.
Microsoft likened the attachment to a "jigsaw puzzle": the individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, and the file only reveals its true nature once those segments are decoded and assembled. The company did not identify the hackers behind the operation.
The main aim of the attack is to acquire usernames and passwords, but it also collects profiling data such as IP address and location for use in subsequent breach attempts. "This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls," Microsoft said.
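To make the "jigsaw" and Morse-code ideas concrete, here is an added example that is not Microsoft's code and not the actual attachment from the campaign. It shows how a loader can keep a sensitive string (here a constructed, hypothetical form-submission URL) as several separately Morse-encoded fragments and reassemble it at runtime, and then a small triage heuristic a defender could run over an HTML attachment to spot long runs of Morse tokens and decode what they hide. The Morse table is the textbook International Morse mapping plus a few URL characters; the segment list, the host `login.example.test`, and the sample attachment are all constructed for the demo.

```python
"""Morse-code obfuscation of split payload fragments, and a detector for it.

Added illustration; not Microsoft's analysis code or the real campaign's
attachment. SEGMENTS, the host name and SAMPLE_ATTACHMENT are constructed.
"""
from __future__ import annotations

import re

# Textbook International Morse for letters, digits and a few characters that
# appear in URLs. A real campaign may use its own table (assumption).
MORSE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
    "g": "--.", "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..",
    "m": "--", "n": "-.", "o": "---", "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...", "t": "-", "u": "..-", "v": "...-", "w": ".--", "x": "-..-",
    "y": "-.--", "z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ".": ".-.-.-", "/": "-..-.", ":": "---...", "-": "-....-", "_": "..--.-",
    "=": "-...-", "@": ".--.-.", "?": "..--..", "+": ".-.-.",
}
REVERSE = {code: ch for ch, code in MORSE.items()}
WORD_GAP = "/"  # token placed between words; a literal '/' is '-..-.'


def encode(text: str) -> str:
    """Encode text as space-separated Morse tokens (case is not preserved)."""
    tokens = []
    for ch in text.lower():
        if ch == " ":
            tokens.append(WORD_GAP)
        elif ch in MORSE:
            tokens.append(MORSE[ch])
        else:
            raise ValueError(f"no Morse mapping for {ch!r}")
    return " ".join(tokens)


def decode(morse: str) -> str:
    """Inverse of encode(); an unknown token raises rather than guessing."""
    return "".join(" " if tok == WORD_GAP else REVERSE[tok] for tok in morse.split())


def assemble(parts: list[str]) -> str:
    """What the loader does at runtime: decode each fragment and glue them."""
    return "".join(decode(p) for p in parts)


# --- defender side -----------------------------------------------------------
STRIP = "\"'`,;[](){}<>"          # quoting/array punctuation glued to tokens
QUOTED_TOKEN = re.compile(r"""['"][.\-]{1,7}['"]""")  # e.g. 'a': '.-' tables


def morse_runs(text: str, min_len: int = 20) -> list[str]:
    """Return runs of at least min_len consecutive valid Morse tokens."""
    runs: list[str] = []
    current: list[str] = []
    for raw in text.split():
        tok = raw.strip(STRIP)
        if tok == WORD_GAP or tok in REVERSE:
            current.append(tok)
            continue
        if len(current) >= min_len:
            runs.append(" ".join(current))
        current = []
    if len(current) >= min_len:
        runs.append(" ".join(current))
    return runs


def inspect_attachment(html: str) -> dict:
    """Heuristic triage: long Morse runs, or an inline Morse table in a script."""
    runs = morse_runs(html)
    table_literals = len(QUOTED_TOKEN.findall(html))
    return {
        "morse_runs": len(runs),
        "decoded": [decode(r) for r in runs],
        "table_literals": table_literals,
        "suspicious": bool(runs) or table_literals >= 26,
    }


# Constructed fragments: split so that no single piece is a recognisable URL.
SEGMENTS = ["https://", "login.example", ".test/", "o365/", "verify?u="]

# Constructed stand-in for a malicious HTML attachment (not the real one).
SAMPLE_ATTACHMENT = (
    "<html><body><script>\n"
    "var parts = [" + ", ".join(f'"{encode(s)}"' for s in SEGMENTS) + "];\n"
    "// loader decodes parts and assembles the form target at runtime\n"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    print(assemble([encode(s) for s in SEGMENTS]))
    print(inspect_attachment(SAMPLE_ATTACHMENT))
```

The detector is deliberately crude: it only flags attachments whose scripts contain at least 20 consecutive Morse tokens or a full quoted Morse table, so a loader that encodes two or three characters at a time in separate string literals would slip past it. That is exactly the kind of tweak the text describes the operators making every few weeks, which is why encoding-specific signatures alone do not hold up for long.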
Opening the attachment launches a browser window that displays a fake Microsoft Office 365 sign-in dialog on top of a blurred Excel document. The dialog urges the recipient to sign in again because their access to the Excel document has purportedly timed out. If the user enters a password, they are told it is incorrect while the attachment's embedded script quietly harvests the credentials in the background.
The campaign is said to have undergone 10 iterations since its discovery in July 2020, with the adversary periodically switching up its encoding methods to mask the malicious nature of the HTML attachment and the different attack segments contained within the file.
This attack falls under the category of business email compromise (BEC), a highly profitable scam that outsizes the ransomware cybercrime industry.