Microsoft has reported a sophisticated year-long phishing campaign characterized by a remarkable ability to evade detection. The attackers exhibited a pattern of altering their obfuscation and encryption strategies approximately every 37 days, employing various techniques, including Morse code, to obscure their activities while extracting user credentials.
The phishing attempts typically employed invoice-themed emails designed to resemble legitimate financial transactions. Each message carried an HTML attachment named “XLS.HTML,” whose primary aim was to capture usernames and passwords for use in later intrusions.
Microsoft described the attachment’s structure as a “jigsaw puzzle,” noting that its various components are crafted to seem harmless, thereby evading endpoint security solutions. These segments only reveal their true intentions when they are decoded and pieced together. The identities of the perpetrators remain undisclosed.
“This phishing campaign exemplifies the evolving threat landscape of email-based attacks – sophisticated, evasive, and continuously adapting,” stated the Microsoft 365 Defender Threat Intelligence Team in their analysis. They highlighted that the HTML attachment is split into segments, including JavaScript files designed to steal passwords, with increasingly complex encoding applied to hide the malicious components. Over time the attackers moved from plain HTML to more intricate encoding schemes, including an old-fashioned one: Morse code.
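The detection angle that follows from this description is to look for the encoding itself: long runs of dot/dash symbols are rare in legitimate HTML or JavaScript, so a triage script can flag them and decode them to see what the segment holds. The scanner below is an added example written for this article, not Microsoft's tooling or anything from the report; the Morse table, the regular expression heuristic and the sample attachment text are all constructed here.

```python
import re

# ITU Morse table for A-Z and 0-9 (the scanner's own table, constructed here).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

# Heuristic: a run of at least 8 dot/dash symbols separated by spaces or "/"
# word breaks. Such runs are unusual in benign HTML or JavaScript text.
MORSE_RUN = re.compile(r"(?:[.\-]{1,7}[ /]+){7,}[.\-]{1,7}")

def decode_morse(run: str) -> tuple[str, int]:
    """Decode one Morse run; returns (plaintext, count of unknown symbols)."""
    unknown, words = 0, []
    for word in run.split("/"):
        letters = []
        for sym in word.split():
            ch = MORSE.get(sym)
            if ch is None:          # symbol outside the table: keep a marker
                unknown += 1        # and count it; many unknowns suggest a
                ch = "?"            # false positive rather than Morse text
            letters.append(ch)
        words.append("".join(letters))
    return " ".join(w for w in words if w), unknown

def scan_attachment(html: str) -> list[dict]:
    """Find Morse-looking runs in attachment text and decode each of them."""
    findings = []
    for m in MORSE_RUN.finditer(html):
        text, unknown = decode_morse(m.group(0))
        findings.append({"offset": m.start(), "encoded": m.group(0),
                         "decoded": text, "unknown_symbols": unknown})
    return findings

# Constructed sample resembling a fragmented HTML attachment; the Morse string
# stands in for an encoded segment (here it merely spells HELLO WORLD).
SAMPLE_HTML = """<html><body>
<script>var seg = ".... . .-.. .-.. --- / .-- --- .-. .-.. -..";</script>
<p>Please review the attached invoice.</p></body></html>"""

if __name__ == "__main__":
    for f in scan_attachment(SAMPLE_HTML):
        print(f"offset {f['offset']}: {f['decoded']!r}, "
              f"{f['unknown_symbols']} unknown symbols")
```

In practice the decoded text is itself usually another layer (hex or JavaScript) that the remaining segments assemble, so the finding is a trigger for deeper inspection, not a verdict on its own.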
Opening the attachment triggered a fake Microsoft Office 365 credential prompt overlaid on a blurred Excel document. Recipients were prompted to re-enter their credentials by a fabricated message claiming that their session had expired. When users complied, they were told their input was incorrect, while the malicious script discreetly collected their credentials.
Since its emergence in July 2020, the campaign has reportedly undergone ten iterations, with adversaries continuously adjusting their encoding tactics to disguise the HTML attachment’s malicious intent. Microsoft observed the use of Morse code during specific phases of the attacks in early 2021, with newer versions redirecting victims to authentic Office 365 pages instead of presenting a fake error message post-password entry.
Researchers noted, “Email-based attacks consistently explore new methods to circumvent security measures.” In this case, their approach involved multilayer obfuscation and various encryption techniques targeting familiar file types, notably JavaScript. These advanced evasion strategies demonstrate the attackers’ capabilities to outmaneuver conventional browser security systems.