Researchers at Microsoft have released the details of phishing campaigns they have been monitoring since July 2020. The attacks have focused on stealing victims’ credentials, passwords, IP addresses, and location data. The attacks use standard social engineering to trick victims into opening a malicious HTML file attached to an email, disguised to appear as if it were an Excel file using a double extension (.XLS.HTML). Once open, the victims see a fake Microsoft O365 credentials dialog box on a blurred Excel document. The real interest of these attacks lies in how the attackers have tried to obfuscate and evade detection by dividing the JavaScript code in the HTML attachment into several segments before encoding them. Some of the code segments are not present in the attachments themselves and instead reside in open directories as encoded scripts. By doing this, the attachment is like a “Jigsaw Puzzle” says Microsoft. On their own, the individual segments of the HTML files may appear harmless at the code level and may not be detected by security controls, but once put together and properly decoded the malicious intent is apparent. Microsoft has observed multiple iterations featuring various encoding mechanisms and techniques, including the hosting of segments on third-party sites and the use of Morse code.
Analyst Notes
Constantly changing, multi-layer obfuscation techniques like these require dynamic threat protection. Companies should educate employees on how to spot phishing attacks that are targeting them in an attempt to stop people from clicking on malicious links. A defense-in-depth strategy should be used when safeguarding environments including the use of monitoring such as Binary Defense’s Managed Detection and Response, which will help identify an attack and mitigate it before it can spread. The Threat Hunting team at Binary Defense is a great asset to be utilized to comb through environments and search for any attacks that may have bypassed routine security solutions. As always, no one should ever reuse passwords across multiple accounts and should utilize Multi-Factor Authentication (MFA) through a third-party application to better secure accounts.
https://www.microsoft.com/security/blog/2021/08/12/attackers-use-morse-code-other-encryption-methods-in-evasive-phishing-campaign/
https://www.microsoft.com/security/blog/2021/08/12/attackers-use-morse-code-other-encryption-methods-in-evasive-phishing-campaign/
