In the latest string of evolving sophisticated phishing attacks, Microsoft has revealed hackers are using a new tactic—Morse code to evade detection.
After a year-long investigation, Microsoft 365 Defender Threat Intelligence Team discovered an unknown cybercriminal group was harvesting user credentials via an invoice-themed XLS.HTML phishing campaign.
The attachment is comparable to a jigsaw puzzle; segments of the HTML file may appear harmless at code level and may slip past conventional security solutions. “When the segments are put together and properly decoded does the malicious intent show,” writes Microsoft in a blog post.
The XLS.HTML phishing campaign sent emails mimicking financial-related business transactions, such as a payment advice. The attachment is an HTML file, but the extension is modified using a variation of Excel like type files; xls.HTML, xslx.HTML, Xls.html, etc.
Unbeknownst victims are prompted to open the excel file. Once it’s opened, a browser window will display a fake Microsoft 365 dialog box to enter credentialed information, such as email address and password.
If the user enters their credentials, they’ll receive a fake note that the password is incorrect. Meanwhile, the phishing scheme is running in the background harvesting the password and other information about the user.
Microsoft recommends IT teams should perform the following to reduce impact of this phishing attack:
- Use mail flow rules or Group Policy for Outlook to strip .html or .htm or other file types that are not required for business.
- Turn on Safe Attachments policies to check attachments to inbound email. Enable Safe Links protection for users with zero-hour auto purge to remove emails when a URL gets weaponized post-delivery.
- Avoid password reuse between accounts and use multi-factor authentication (MFA).
- Educate end users on phishing tactics as part of security or phishing awareness training.
Additionally, you can look for alerts within the Microsoft 365 Security Center for emails delivered with xslx.html/xls.html attachments.
To locate specific attachments related to this campaign, run the following query:
// Searches for email attachments with a specific file name extension xls.html/xslx.html
| where FileType has “html”
| where FileName endswith_cs “._xslx.hTML” or FileName endswith_cs “_xls.HtMl” or FileName endswith_cs “._xls_x.h_T_M_L” or FileName endswith_cs “_xls.htML” or FileName endswith_cs “xls.htM” or FileName endswith_cs “xslx.HTML” or FileName endswith_cs “xls.HTML” or FileName endswith_cs “._xsl_x.hTML”
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| where EmailDirection == “Inbound”