Microsoft 365 users are being tricked into exposing their credentials by a vintage phishing technique involving mislabeled files.
According to cybersecurity researchers at Vade, malicious actors are dusting off Right-to-Left Override (RLO) attacks to trick victims into executing files with disguised extensions. When victims open the files, they are prompted to enter their Microsoft 365 login information.
Vade's threat analyst team has identified more than 200 RLO attacks on Microsoft 365 users in the last two weeks. The attack method was
The RLO character (U+202E) is a zero-width Unicode formatting character: it does not print anything itself, but text that follows it is displayed from right to left until the override ends. It exists to support scripts written and read from right to left, such as Arabic and Hebrew.
This special character, which can be found in the character map on Windows and Linux operating systems, can be used to disguise a file's type. For example, the executable file abc[U+202e]txt.exe will appear as abcexe.txt in Windows, leading users to mistake it for a .txt file.
The threat has been around for more than a decade: it was referenced as early as 2008 in Unicode technical reports and by the Mozilla Foundation, and the Firefox download-dialog variant of the spoof was assigned CVE-2009-3376.
"While the Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes," the researchers noted.
RLO spoofing was once a popular method for masquerading malware in attachments. Vade researchers said the technique is now being used for phishing Microsoft 365 business users to access a business' data.
One RLO attack observed by the team involved an email sent with what appeared to be a voicemail .mp3 attachment.
"This kind of scam preys on the curiosity of the recipient, who is not expecting a voicemail, and who may be intrigued enough to click the phishing link in the body of the email or the attachment, which is often an HTML file," the researchers noted.
Clicking on the supposed .mp3 attachment, which is in fact an HTML file whose real extension is hidden by the RLO character, opens a spoofed Microsoft login page in the victim's browser.
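To make the mechanism concrete for both the abc[U+202e]txt.exe example above and the disguised voicemail attachment, here is an added example (not Vade's code, and not from the original article) of how a mail filter can inspect attachment filenames for bidirectional override characters, approximate what a left-to-right file manager would display, and compare the apparent extension with the real one. The filenames used as input are constructed for illustration; the display approximation only models RLO/PDF, not the full Unicode bidi algorithm, and that is an assumption worth keeping in mind for exotic names.

```python
import os

# Unicode bidirectional controls that can reorder or hide text. U+202A..U+202E are
# the embedding/override controls (RLO is U+202E, PDF U+202C ends an override),
# U+2066..U+2069 are the isolate controls, U+200E/U+200F are direction marks.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO = "\u202e"
PDF = "\u202c"


def find_bidi_controls(name):
    """Return (index, abbreviation) for every bidi control in a filename."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def real_extension(name):
    """Extension in logical (storage) order, i.e. what the OS associates the file with.
    The controls are invisible and carry no visible characters, so they are stripped
    before taking the text after the last dot."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def displayed_name(name):
    """Approximate what a left-to-right file manager shows: text after U+202E is
    rendered reversed until a matching U+202C or the end of the string. Other
    controls are simply dropped (simplification of the Unicode bidi algorithm)."""
    out = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            segment = "".join(ch for ch in name[i + 1:end] if ch not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def assess_attachment(name):
    """Summarise the spoofing risk of one attachment filename.
    Any bidi control in an attachment name is a red flag by itself; a mismatch
    between the extension the user sees and the real one is the RLO spoof proper."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real = real_extension(name)
    apparent = os.path.splitext(shown)[1].lower()
    return {
        "raw": name,
        "displayed": shown,
        "bidi_controls": controls,
        "real_extension": real,
        "apparent_extension": apparent,
        "has_bidi_controls": bool(controls),
        "disguised_extension": bool(controls) and real != apparent,
    }


if __name__ == "__main__":
    # Constructed sample names: the article's abc example and a fake voicemail
    # that is really an HTML file but is shown ending in .mp3.
    for sample in ("abc\u202etxt.exe", "voicemail_\u202e3pm.html", "report.pdf"):
        r = assess_attachment(sample)
        print(f"{r['displayed']!r:24} real={r['real_extension']:6} "
              f"apparent={r['apparent_extension']:6} disguised={r['disguised_extension']}")
```

A practical policy for a mail gateway is to quarantine any attachment whose name contains a bidi control at all, rather than only those where the extensions disagree: there is no legitimate reason for an override character in a filename sent to a Microsoft 365 user, and the mismatch check alone can be fooled by renderers that handle the controls differently from Windows Explorer.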
"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working," hypothesized the analysts, who also noted that "RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking."