Modern Email Threat: Morse Code Used in Phishing Attacks

Modern Email Threat: Morse Code Used in Phishing Attacks

Microsoft has revealed that cybercriminals are changing tactics as fast as security and protection technologies do, with the latest tactic: The use of Morse code in phishing attacks.

In the blog post "Attackers use Morse code, other encryption methods in evasive phishing campaign," Microsoft 365 Defender Threat Intelligence Team said that a year-long investigation found a targeted, invoice-themed XLS.HTML phishing campaign in which the attackers changed obfuscation and encryption mechanisms every 37 days on average, showing high motivation and skill level in order to constantly evade detection and keep the malicious operation running.

The phishing campaign’s primary goal, Microsoft 365 Defender Threat Intelligence Team said, is to harvest sensitive data such as usernames, passwords, IP addresses, and location – information that attackers can use as an initial entry point for later infiltration attempts.

In a phishing attack, attackers masquerade as a trusted entity and trick a victim into opening an email with a malicious attachment. In the phishing campaign observed for a year by Microsoft 365 Defender Threat Intelligence Team, the attackers initially sent out emails to targeted victims about a bogus regular financial-related business transaction, specifically sending a vendor payment advice.

According to Microsoft 365 Defender Threat Intelligence Team, the malicious email contains HTML file attachment with “xls” file name variations. An attachment with xls file name ordinarily means it’s an Excel file. Opening this attachment, however, leads to a fake Microsoft Office 365 credentials dialog box, and lately to a legitimate Office 365 page.

Entering one’s username and password into the fake Microsoft Office 365 credentials dialog box or legitimate Office 365 page leads to the activation of the attackers’ phishing kit – harvesting the user’s username, password, and other information about the user.

According to Microsoft 365 Defender Threat Intelligence Team, the malicious HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. “Some of these code segments are not even present in the attachment itself,” Microsoft 365 Defender Threat Intelligence Team said. “Instead, they reside in various open directories and are called by encoded scripts. In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.”

Morse Code

Named after one of the inventors of the telegraph Samuel Morse, Morse Code is a code for translating letters to dots and dashes.

According to Microsoft 365 Defender Threat Intelligence Team, in place of the plaintext HTML code, the attackers used Morse code – dots and dashes – to hide the attack segments.

The use of Morse code in phishing attacks was first reported by u/speckz on Reddit last February. Lawrence Abrams of Bleeping Computer followed up the initial report of u/speckz. Abrams said Morse code was used by a threat actor to hide malicious URLs in their phishing campaign to bypass secure mail gateways and mail filters.

When viewing the HTML attachment in a text editor, Abrams said, instead of the plaintext HTML code, Morse code is placed instead with dots and dashes. For instance, the letter “a” is written in “.-” and the letter 'b' is written in “-…”.

“The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string,” Abrams said. “This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page. These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again. Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.”

According to the Microsoft 365 Defender Threat Intelligence Team, Morse code was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves. In the February phishing campaign, the Team said links to the JavaScript files were encoded using ASCII then in Morse code. In May, the Team added that the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

Cybersecurity Best Practices

The changing tactics and speed that cybercriminals use to update their obfuscation and encoding techniques in launching their phishing campaigns via Office 365 environment call for the following cybersecurity best practices:

• Use Office 365 Group Policy or mail flow rules for Outlook to clean .htm or .html or other file types that aren’t needed for business operation.
• Enable Safe Attachments policies to check attachments to inbound email.
• Turn on Safe Links protection for users with zero-hour auto purge to remove emails in case attackers weaponized a URL post-delivery.
• Use multi-factor authentication (MFA).
• Avoid password reuse between accounts.
• Make consent phishing tactics as part of security or phishing awareness training.
• Enable network protection to block connections to malicious domains and IP addresses.

To better protect your organization against modern threats and mitigate cyber risks, schedule a consultation with one of our cybersecurity experts today.