Microsoft experts have described a malicious campaign that has been going on for about a year. According to them, the attackers change their obfuscation and encryption mechanisms every 37 days on average and have used Morse code, among other techniques, to hide their tracks while stealing user credentials.
Typically, the phishing lures are disguised as invoices related to financial business transactions, and the emails carry an HTML attachment (“XLS.HTML”). The attackers’ ultimate goal is to collect user credentials, which are then used as a starting point for attacks.
Microsoft compares the campaign to a complex jigsaw puzzle, noting that parts of HTML files look harmless and elude security products, but are then pieced together and decoded to reveal their true purpose.
Opening the malicious attachment launches a browser window that displays a fake Microsoft Office 365 sign-in dialog on top of a blurred Excel document. The dialog urges the user to sign in again because their access to the Excel document has supposedly expired. If the user takes the bait and enters a password, they are told that the password is incorrect, while in fact the malware silently steals the data.
The researchers report that these attacks began in July 2020, and since then, the campaign has undergone about ten iterations, during which the attackers changed their encoding methods to disguise malicious HTML attachments.
Let me remind you that in February of this year, Bleeping Computer warned about the use of Morse code by phishers.
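A defensive triage example for the attachments described above, added here and not taken from Microsoft's report or any vendor tooling: it flags the “XLS.HTML” naming pattern and decodes long runs of dot/dash groups so an analyst can read what a Morse-encoded string in the HTML hides. The filename pattern, the eight-group threshold, the function names and the sample strings are assumptions made for illustration.

```python
import re

# International Morse code for a-z and 0-9, in that order.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
          "--.- .-. ... - ..- ...- .-- -..- -.-- --.. ----- .---- ..--- "
          "...-- ....- ..... -.... --... ---.. ----.").split()
MORSE = dict(zip(_CODES, "abcdefghijklmnopqrstuvwxyz0123456789"))
ENCODE = {ch: code for code, ch in MORSE.items()}

# Assumption: a spreadsheet-style name followed by .htm/.html is worth flagging.
LURE_NAME = re.compile(r"xlsx?\.html?$", re.IGNORECASE)


def morse_runs(html, min_tokens=8):
    """Decode every space-separated run of at least min_tokens dot/dash groups."""
    run = re.compile(r"(?<![.-])(?:[.-]{1,5} ){%d,}[.-]{1,5}(?![.-])"
                     % (min_tokens - 1))
    decoded = []
    for match in run.finditer(html):
        tokens = match.group(0).split(" ")
        text = "".join(MORSE.get(tok, "?") for tok in tokens)
        # Keep the run only if most groups are valid Morse, to cut false hits.
        if text.count("?") * 4 <= len(text):
            decoded.append(text)
    return decoded


def triage(filename, html):
    """Return the indicators a mail filter or analyst could act on."""
    runs = morse_runs(html)
    return {
        "lure_name": bool(LURE_NAME.search(filename)),
        "morse_decoded": runs,
        "suspicious": bool(runs),
    }


# Constructed sample: a harmless placeholder string hidden as Morse in a script.
HIDDEN = "placeholder123"
SAMPLE = '<html><script>var a = "%s";</script></html>' % " ".join(
    ENCODE[c] for c in HIDDEN)
# Constructed benign page: ellipsis, hyphen and HTML comment must not trigger.
BENIGN = "<html><!-- note --><p>Totals... see invoice - page 2.</p></html>"

if __name__ == "__main__":
    print(triage("invoice_0001.xls.html", SAMPLE))
    print(triage("newsletter.html", BENIGN))
```

Because the campaign rotates its encodings, a Morse check like this covers only one iteration; the decoded text is meant for analyst review, not as a verdict on its own.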