New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Threat Actor Uses Morse Code to Hide Malicious JavaScript from Email Threat Scanners

On February 6th, a Reddit user on the r/sysadmin subreddit posted a link to a malicious HTML file sent in a recent phishing campaign, describing how it bypassed email threat detections by utilizing Morse code to hide links to embedded JavaScript files. Soon afterward, many other researchers caught wind of the encoding technique and were able to find the file and made the sample more widely available. The Morse code was only the initial obfuscation technique and was used to list links to two JavaScript files that will set up the phish by providing the style sheet and then the password form’s markup. The form was built with a lure designed to tell the user they needed to input their Office365 credentials to access a document. When the form was filled and submitted, the information was sent to another remote site for collection.

Analyst Notes

This phishing campaign demonstrates the lengths attackers have to go to bypass filtering. Due to the attacker’s operational security, this campaign’s effectiveness is unknown, but the important note is that outlier techniques may continue to pop up. The amount of work that the operators have to put in is more significant than creating detections. Enabling Windows file extensions will help prevent this phish from getting through as it utilized a double file extension (._xsl_x.hTML). Continuous user education with examples about threats they may see can also contribute to a safer and trusted environment where users feel comfortable reporting threats. Making sure that the proper logging from Exchange and Office365 are being shipped to a SIEM and analyzed for suspicious patterns will also help during an incident should a user submit sensitive information to a phish.

New phishing attack uses Morse code to hide malicious URLs (
Original Reddit Post (
Morse code – Twitter Search / Twitter