IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers are using Morse code to bypass phishing controls

JavaScript files were encoded in ASCII then in Morse to hide code

Hackers used Morse code to evade detection in a year-long phishing campaign, according to Microsoft researchers.

Researchers said the campaign, first spotted in July 2020, targeted Office 365 users and attempted to get them to hand over credentials using targeted, invoice-themed XLS.HTML attachments. The cyber criminals faked invoices in Excel HTML or web documents to distribute forms to steal information.

According to researchers, the campaign’s primary goal is to harvest usernames, passwords, and - in its more recent iteration - other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts. 

"The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line," said researchers.

Researchers said that using XLS in the attachment file name prompts users to expect an Excel file. When the victim opens the attachment, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. “Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”

Researchers added that hackers changed obfuscation and encryption mechanisms every 37 days on average, “demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.” What stood out in this campaign was the level of obfuscation deployed.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

"In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions," said researchers.

One unusual obfuscation technique was the use of Morse code. Hackers used this in the February ("Organization report/invoice") and May 2021 ("Payroll") waves of the campaign.

"In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code,” researchers said.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Microsoft blocking Tutanota users from Teams registration, claims fix unfeasible
Business operations

Microsoft blocking Tutanota users from Teams registration, claims fix unfeasible

8 Aug 2022
Microsoft wins five-year digital transformation deal with Australia’s largest telco
digital transformation

Microsoft wins five-year digital transformation deal with Australia’s largest telco

26 Jul 2022
Slack Connect vs Microsoft Teams Connect: Better than email?
collaboration

Slack Connect vs Microsoft Teams Connect: Better than email?

20 Jul 2022
Microsoft announces simulator for autonomous aircraft development
Cloud

Microsoft announces simulator for autonomous aircraft development

20 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022