Hackers are using Morse code to bypass phishing controls

Finger pressing a Morse code receiver
(Image credit: Shutterstock)

Hackers used Morse code to evade detection in a year-long phishing campaign, according to Microsoft researchers.

Researchers said the campaign, first spotted in July 2020, targeted Office 365 users and attempted to get them to hand over credentials using targeted, invoice-themed XLS.HTML attachments. The cyber criminals faked invoices in Excel HTML or web documents to distribute forms to steal information.

According to researchers, the campaign’s primary goal is to harvest usernames, passwords, and - in its more recent iteration - other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts.

"The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line," said researchers.

Researchers said that using XLS in the attachment file name prompts users to expect an Excel file. When the victim opens the attachment, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. “Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”

Researchers added that hackers changed obfuscation and encryption mechanisms every 37 days on average, “demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.” What stood out in this campaign was the level of obfuscation deployed.

RELATED RESOURCE

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

FREE DOWNLOAD

"In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions," said researchers.

One unusual obfuscation technique was the use of Morse code. Hackers used this in the February ("Organization report/invoice") and May 2021 ("Payroll") waves of the campaign.

"In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code,” researchers said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.