A new targeted phishing campaign uses a novel obfuscation technique: Morse code that hides malicious URLs in an email attachment.
Samuel Morse and Alfred Vail invented Morse code as a way to transmit messages over telegraph lines. When using Morse code, each letter and number is encoded as a series of dots (short sound) and dashes (long sound).
Starting last week, a threat actor began using Morse code to hide malicious URLs in their phishing scams to bypass secure mail gateways and mail filters.
BleepingComputer could not find any references to Morse code being used in phishing attacks in the past, making this a novel obfuscation technique.
The novel Morse code phishing attack
After first learning about this attack from a post on Reddit, BleepingComputer was able to find more samples of the targeted attack that have been uploaded to VirusTotal since February 2, 2021.
The phishing attack starts with an email claiming to be an invoice for the company, with an email subject such as “Revenue_payment_invoice February_Wednesday 02/03/2021.”
This email includes an HTML attachment named in such a way that it appears to be an Excel invoice for the company. These attachments are named in the format ‘[company_name]_invoice_[number]._xlsx.hTML.’
For example, if BleepingComputer was targeted, the attachment would be named ‘bleepingcomputer_invoice_1308._xlsx.hTML.’
These injected scripts, combined with the HTML attachment, contain the various resources needed to render a fake Excel spreadsheet stating that the user's sign-in timed out and prompting them to enter their password again.
Once a user has entered their password, the form will send the password to a remote website where attackers can collect the login information.
This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert logos for the recipients' companies into the login form to make it more convincing. If a logo is not available, it uses the generic Office 365 logo.
BleepingComputer has seen eleven companies targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti and Capital Four.
Phishing scams are becoming more intricate every day as mail gateways become better at detecting malicious emails.
Because of this, everyone needs to pay close attention to URLs and attachment names before submitting any information. If something looks suspicious, recipients should contact their network administrators to investigate further.
Because this phishing email uses attachments with a double extension (xlsx and HTML), it's important to make sure that the display of Windows file extensions is enabled, which makes suspicious attachments easier to spot.
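The same double-extension check can be applied automatically to attachment names before a message reaches a user. The following is an added example, not code from BleepingComputer or from the campaign; the function name `check_attachment_name` and the two extension lists are assumptions, and the sample filenames are constructed.

```python
import re

# Extensions that open as active content in a browser or on Windows (assumed list).
ACTIVE_EXTS = {"html", "htm", "shtml", "xhtml", "hta", "svg"}
# Document types a lure commonly pretends to be (assumed list).
DECOY_EXTS = {"xlsx", "xls", "docx", "doc", "pdf", "pptx", "csv"}

# A decoy extension sitting directly before the real one, e.g. "._xlsx" or ".pdf".
DECOY_RE = re.compile(r"\.[_\-\s]*(" + "|".join(sorted(DECOY_EXTS)) + r")$",
                      re.IGNORECASE)
# Naming format reported in the article: [company_name]_invoice_[number]._xlsx.hTML
CAMPAIGN_RE = re.compile(r"^.+_invoice_\d+\._xlsx\.html$", re.IGNORECASE)


def check_attachment_name(filename):
    """Return a list of reasons the name looks deceptive (empty list = no finding)."""
    reasons = []
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    # Only names whose real (final) extension is active content are of interest.
    if not dot or ext.lower() not in ACTIVE_EXTS:
        return reasons
    decoy = DECOY_RE.search(stem)
    if decoy:
        reasons.append("decoy extension '%s' before real extension '.%s'"
                       % (decoy.group(1).lower(), ext))
    # Odd casing such as "hTML" can slip past case-sensitive extension rules.
    if ext not in (ext.lower(), ext.upper()):
        reasons.append("mixed-case extension '.%s'" % ext)
    if CAMPAIGN_RE.match(name):
        reasons.append("matches [company_name]_invoice_[number]._xlsx.hTML format")
    return reasons


# Constructed sample filenames; only the first follows the article's format.
SAMPLES = [
    "bleepingcomputer_invoice_1308._xlsx.hTML",
    "Q1_report.xlsx",
    "newsletter.html",
    "statement.pdf.htm",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_attachment_name(sample) or "no finding")
```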