Hackers Used Morse Code in Phishing Attacks to Evade Detection

In a year-long campaign, attackers used social engineering techniques to gather user credentials and Morse code to cover up their tracks. The operators kept changing their obfuscation and encryption mechanisms every 37 days on average, Microsoft said in a post detailing the new campaign.

The attacks typically begin with invoice-themed emails that contain a link to an HTML file mimicking a financial transaction. The attackers' goal is to steal usernames and passwords for later infiltration.

Microsoft described the attachment as a jigsaw puzzle composed of multiple individual parts that are designed to appear innocuous on their own but will be combined into a malicious code. The company did not identify those behind the attack.

“This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,” Microsoft 365 Defender Threat Intelligence Team said in an analysis. “The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms.”

The campaign, which was first discovered in July 2020, has been continuously updated with new variants and has gone through 10 alterations.

The attackers used several encoding techniques to hide the components of the attack. One of them was old-fashioned Morse code, which Microsoft observed in the February and May 2021 waves:

“These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments.”
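As an added illustration of the obfuscation Microsoft describes (this is not code from the campaign or from Microsoft's report), the following Python scanner decodes Morse-looking runs inside an HTML attachment and flags decoded text that contains script or URL fragments. It assumes standard International Morse with spaces between letters and "/" between words; the sample attachment is constructed and does not reproduce the real campaign's layout or decoder.

```python
import re

# International Morse table as "char code" pairs (letters, digits, a few punctuation marks).
_PAIRS = ("a .- b -... c -.-. d -.. e . f ..-. g --. h .... i .. j .--- k -.- "
          "l .-.. m -- n -. o --- p .--. q --.- r .-. s ... t - u ..- v ...- "
          "w .-- x -..- y -.-- z --.. 0 ----- 1 .---- 2 ..--- 3 ...-- 4 ....- "
          "5 ..... 6 -.... 7 --... 8 ---.. 9 ----. . .-.-.- : ---... - -....-").split()
MORSE_TO_CHAR = dict(zip(_PAIRS[1::2], _PAIRS[0::2]))

# A candidate is at least four whitespace-separated tokens of dots/dashes ("/" = word gap),
# not glued to other dots/dashes, so "..." or "-->" in ordinary markup do not match.
CANDIDATE = re.compile(r"(?<![.\-])[.\-]{1,7}(?:\s+[.\-/]{1,7}){3,}(?![.\-])")

# Decoded text containing any of these is treated as hidden script or exfiltration content.
INDICATORS = ("<script", "document.write", "eval", "atob", "http", "fromcharcode")

def decode_morse(run: str) -> str:
    """Decode one Morse run; unknown tokens become '?' so odd input stays visible."""
    words = []
    for word in re.split(r"\s*/\s*", run.strip()):
        words.append("".join(MORSE_TO_CHAR.get(tok, "?") for tok in word.split()))
    return " ".join(words)

def find_morse_payloads(html: str) -> list[tuple[str, bool]]:
    """Return (decoded_text, suspicious) for every Morse-looking run in an attachment."""
    results = []
    for m in CANDIDATE.finditer(html):
        decoded = decode_morse(m.group(0))
        # Skip runs that are mostly undecodable: those are layout characters, not Morse.
        if decoded.count("?") * 2 > len(decoded.replace(" ", "")):
            continue
        suspicious = any(ind in decoded.lower() for ind in INDICATORS)
        results.append((decoded, suspicious))
    return results

# Constructed sample (hypothetical): a stripped-down attachment whose "data" attributes
# hide script and URL fragments in Morse, split across two segments.
SAMPLE_HTML = """<html><body>
<div id="seg1" data="-.. --- -.-. ..- -- . -. - .-.-.- .-- .-. .. - ."></div>
<div id="seg2" data=".... - - .--. / .-.. --- --. .. -."></div>
<p>Invoice 2021-05 ... see attachment -- thanks</p>
</body></html>"""

if __name__ == "__main__":
    for text, bad in find_morse_payloads(SAMPLE_HTML):
        print(("SUSPICIOUS " if bad else "benign     ") + repr(text))
```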

The attachment opens a browser window that displays a fake Excel document with a fake Office 365 credentials dialog box. The dialog box claims that the recipient's access to the Excel document has timed out. When the user enters a password, the page reports that it was incorrect, while the embedded script silently harvests the entered details in the background.

“Email-based attacks continue to make novel attempts to bypass email security solutions,” the researchers said. “In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.