Overview of TIR-20210221
This report covers a new phishing campaign that uses an unusual obfuscation method to avoid detection by traditional security appliances: Morse code is used to hide the URLs in the attachment. Because the technique bypasses security tooling, this campaign is quite dangerous if a user is successfully social engineered.
Tactics, Techniques, and Procedures
The encoded text looks like this:
The file pulls external elements from the Morse-encoded malicious URL, which then displays the phishing page when the file is opened normally rather than in an editing program. The web page asks for the user’s Office 365 credentials, claiming that the session has timed out. If the user enters their Active Directory credentials into the page, they are sent to the bad actor. The web page comes complete with the recipient’s organization logo; if the logo cannot be found, it falls back to the generic Office 365 one.
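As an added illustration (not from the Avertium report), the following Python scanner looks for space-separated Morse runs inside an HTML attachment and flags those that decode to something URL-like. The sample attachment, the symbol-run regex and the URL heuristic are assumptions of this example; a real loader may split or otherwise transform the encoded string.

```python
import re

# International Morse table: letters, digits and the punctuation a URL needs.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".-.-.-": ".", "-..-.": "/", "---...": ":",
    "-....-": "-",
}

# At least four dot/dash symbols separated by single spaces, never cut mid-symbol.
MORSE_RUN = re.compile(r"(?<![.\-])[.\-]{1,7}(?: [.\-]{1,7}){3,}(?![.\-])")
# Decoded text that resembles a URL or a script/page name worth a closer look.
URL_HINT = re.compile(r"://|\.(?:COM|NET|ORG|IO|JS|PHP|HTML?)(?:/|$)")


def decode_morse(run):
    """Decode a single-space-separated Morse run; unknown symbols become '?'."""
    return "".join(MORSE.get(sym, "?") for sym in run.split(" "))


def find_morse_runs(text):
    """Return every (encoded, decoded) Morse run found in the attachment text."""
    return [(m.group(0), decode_morse(m.group(0))) for m in MORSE_RUN.finditer(text)]


def scan_attachment(html):
    """Return only the runs whose decoded form looks like a URL or resource name."""
    return [
        {"encoded": enc, "decoded": dec}
        for enc, dec in find_morse_runs(html)
        if URL_HINT.search(dec)
    ]


# Constructed sample attachment (not real campaign content): a script variable
# holding a Morse-encoded resource URL that a loader would decode at runtime.
SAMPLE_HTML = """<html><body><script>
var m = ".... - - .--. ... ---... -..-. -..-. . -..- .- -- .--. .-.. . .-.-.- -.-. --- -- -..-. .-.. --- --. .. -. .-.-.- .--- ...";
</script></body></html>"""

if __name__ == "__main__":
    for hit in scan_attachment(SAMPLE_HTML):
        print("Morse-encoded URL found:", hit["decoded"])
```

Runs that decode to plain letters (for example "- - - -" becoming "TTTT") are reported by find_morse_runs but not flagged, so the URL heuristic does the filtering.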
Business Unit Impact
- May lead to the loss of credentials which can be abused.
- Could provide lateral movement opportunities with minimal effort depending on the user’s level of access.
- Has the potential to allow for a network wide compromise by a highly resourceful threat actor.
It is highly encouraged that you block any attachment whose file name carries a double extension using the mail security gateway. Consider ensuring that Windows file extensions are displayed to help users spot a phishing attempt. Invest in routine security awareness training that includes a robust section on recognizing and avoiding social engineering.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.