Microsoft has revealed a “unique” phishing campaign using novel techniques to stay hidden from conventional email security filters.
The primary motivation of those behind the emails is to steal usernames and passwords, IP addresses and location data that can be used as entry points for later attacks.
Classic social engineering techniques are employed to trick users into opening an HTML attachment presented as an .xls file. Opening the attachment takes the victim to a fake Microsoft Office 365 credentials dialog box displayed on top of a blurred Excel document.
However, the real interest lies in how the attackers obfuscate the attachment to evade detection: the HTML is divided into several segments, which are then encoded via various mechanisms.
“Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts,” said Microsoft.
“In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.”
Since Microsoft began tracking the campaign in July 2020, it has observed multiple iterations featuring various encoding mechanisms and techniques, including the hosting of segments on third-party sites and the use of Morse code.
“Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (‘Organization report/invoice’) and May 2021 (‘Payroll’) waves,” the tech giant explained.
“In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.”
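As an added illustration, not code from Microsoft's report or from this article: a small Python scanner that finds Morse-looking runs inside an HTML attachment and peels off the layers described above (Morse, then decimal ASCII codes, then percent-escapes), so an analyst can see what a segment resolves to. The Morse table is the standard ITU alphabet, and the sample attachment and script URL are constructed; the campaign's own table and exact layer order are not given here, so both are assumptions.

```python
"""Peel Morse-code layers out of an HTML attachment (constructed example)."""
import re
from urllib.parse import unquote

# Standard ITU Morse for letters, digits and a few punctuation marks.
# Assumption: a kit may ship its own table; pass one via the `table` args.
_ALPHA = ("A.- B-... C-.-. D-.. E. F..-. G--. H.... I.. J.--- K-.- L.-.. M-- N-. O--- "
          "P.--. Q--.- R.-. S... T- U..- V...- W.-- X-..- Y-.-- Z--.. "
          "0----- 1.---- 2..--- 3...-- 4....- 5..... 6-.... 7--... 8---.. 9----. "
          ":---... /-..-. ..-.-.- --....- =-...- @.--.-. \".-..-.").split()
MORSE = {tok[0]: tok[1:] for tok in _ALPHA}
FROM_MORSE = {code: char for char, code in MORSE.items()}


def to_morse(text, table=MORSE):
    """Encode text: symbols separated by one space, words by ' / '."""
    return " / ".join(" ".join(table[c] for c in word.upper()) for word in text.split(" "))


def from_morse(code, table=FROM_MORSE):
    """Decode Morse; unknown symbols become '?' instead of aborting the scan."""
    words = [w.strip() for w in code.split("/")]
    return " ".join("".join(table.get(sym, "?") for sym in w.split()) for w in words)


def peel_layers(code):
    """Morse -> text. If every word is a decimal number, treat the words as ASCII
    codes (the February wave's ASCII-then-Morse layering); finally percent-decode,
    covering an Escape layer like the May wave's (order assumed, not from the report)."""
    text = from_morse(code)
    toks = text.split()
    if toks and all(t.isdigit() for t in toks):
        text = "".join(chr(int(t)) for t in toks)
    return unquote(text)


# Ten or more dot/dash symbols separated by spaces or slashes: unlikely in normal HTML.
MORSE_RUN = re.compile(r"(?:[.-]{1,7}[ /]+){10,}[.-]{1,7}")


def find_hidden_strings(html):
    """Return (raw Morse, decoded value) for every Morse-looking run in the attachment."""
    return [(m.group(0), peel_layers(m.group(0))) for m in MORSE_RUN.finditer(html)]


# Constructed attachment: the script URL is stored as ASCII codes encoded in Morse.
HIDDEN_URL = "https://kit.example.invalid/loader.js"   # placeholder, not a real indicator
ASCII_LAYER = " ".join(str(ord(c)) for c in HIDDEN_URL)
SAMPLE_HTML = f'<html><body><script>var p="{to_morse(ASCII_LAYER)}";</script></body></html>'

if __name__ == "__main__":
    for raw, decoded in find_hidden_strings(SAMPLE_HTML):
        print(f"{raw[:40]}...  ->  {decoded}")
```

Running it prints the Morse run found in the sample and the script URL it resolves to; in a real triage the decoded values are what you would compare against URL reputation and sandbox the attachment with.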
Constantly changing, multi-layer obfuscation techniques like these require dynamic threat protection, Microsoft argued.