This report is about a new phishing campaign that uses a unique method of obfuscation to avoid detection by traditional security appliances. The method of obfuscation is Morse code which is used to hide URLs. Given its ability to successfully bypass security tooling this campaign is quite dangerous if a user is socially engineered.
The encoded text looks like this:
The file pulls external elements from the encoded malicious URL which then displays the phishing page if the file is opened with no editing software. The web page is asking for the user’s Office365 credentials saying that the session has timed out. If the user enters their Active Directory credentials into the page they are sent off to the bad actor. The web page comes complete with the recipient’s organization logo, but if the logo cannot be found it will provide the generic Office 365 one.
It is highly encouraged that you block any attachment file names with a double extension using the mail security gateway. Consider ensuring that Windows file extensions are enabled to help users spot a phishing attempt. Invest in routine security awareness training that includes a robust section on avoiding social engineering situations.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.