Thought leadership. Threat analysis. Cybersecurity news and alerts.
Modern Email Threat: Morse Code Used in Phishing Attacks
Microsoft has revealed that cybercriminals are changing tactics as fast as security and protection technologies do, with the latest tactic: The use of Morse code in phishing attacks.
In the blog post "Attackers use Morse code, other encryption methods in evasive phishing campaign," Microsoft 365 Defender Threat Intelligence Team said that a year-long investigation found a targeted, invoice-themed XLS.HTML phishing campaign in which the attackers changed obfuscation and encryption mechanisms every 37 days on average, showing high motivation and skill level in order to constantly evade detection and keep the malicious operation running.
The phishing campaign’s primary goal, Microsoft 365 Defender Threat Intelligence Team said, is to harvest sensitive data such as usernames, passwords, IP addresses, and location – information that attackers can use as an initial entry point for later infiltration attempts.
In a phishing attack, attackers masquerade as a trusted entity and trick a victim into opening an email with a malicious attachment. In the phishing campaign observed for a year by Microsoft 365 Defender Threat Intelligence Team, the attackers initially sent out emails to targeted victims about a bogus regular financial-related business transaction, specifically sending a vendor payment advice.
According to Microsoft 365 Defender Threat Intelligence Team, the malicious email contains HTML file attachment with “xls” file name variations. An attachment with xls file name ordinarily means it’s an Excel file. Opening this attachment, however, leads to a fake Microsoft Office 365 credentials dialog box, and lately to a legitimate Office 365 page.
Entering one’s username and password into the fake Microsoft Office 365 credentials dialog box or legitimate Office 365 page leads to the activation of the attackers’ phishing kit – harvesting the user’s username, password, and other information about the user.
Named after one of the inventors of the telegraph Samuel Morse, Morse Code is a code for translating letters to dots and dashes.
According to Microsoft 365 Defender Threat Intelligence Team, in place of the plaintext HTML code, the attackers used Morse code – dots and dashes – to hide the attack segments.
The use of Morse code in phishing attacks was first reported by u/speckz on Reddit last February. Lawrence Abrams of Bleeping Computer followed up the initial report of u/speckz. Abrams said Morse code was used by a threat actor to hide malicious URLs in their phishing campaign to bypass secure mail gateways and mail filters.
When viewing the HTML attachment in a text editor, Abrams said, instead of the plaintext HTML code, Morse code is placed instead with dots and dashes. For instance, the letter “a” is written in “.-” and the letter 'b' is written in “-…”.
Cybersecurity Best Practices
The changing tactics and speed that cybercriminals use to update their obfuscation and encoding techniques in launching their phishing campaigns via Office 365 environment call for the following cybersecurity best practices:
To better protect your organization against modern threats and mitigate cyber risks, schedule a consultation with one of our cybersecurity experts today.
Steve E. Driz, I.S.P., ITCP