Researchers at Microsoft have released details of phishing campaigns they have been monitoring since July 2020. The attacks focus on stealing victims’ credentials and passwords, along with their IP addresses and location data. They rely on standard social engineering to trick victims into opening a malicious HTML file attached to an email, disguised as an Excel file by means of a double extension (.XLS.HTML). Once opened, the file shows the victim a fake Microsoft O365 credentials dialog box over a blurred Excel document.

The real interest of these attacks lies in how the attackers try to obfuscate the attachment and evade detection: the JavaScript in the HTML attachment is divided into several segments before each is encoded. Some of the segments are not present in the attachment at all and instead reside in open directories as encoded scripts. The attachment therefore resembles a “Jigsaw Puzzle”, as Microsoft puts it. Taken on their own, the individual segments of the HTML file may appear harmless at the code level and may not be detected by security controls, but once they are put together and properly decoded the malicious intent is apparent. Microsoft has observed multiple iterations featuring various encoding mechanisms and techniques, including the hosting of segments on third-party sites and the use of Morse code.