- Microsoft noticed the use of Morse code in a year-long phishing campaign that went through several method changes.
- The actors tried many things to evade detection and increase their success rates, but Morse code wasn’t very effective.
- Simply setting HTML files to be stripped in your inbox policies would render these phishing efforts impotent.
It appears that phishing actors rotate their encryption and obfuscation methods so frequently that revisiting classics such as Morse code is inevitable, even though it has been proven largely ineffective multiple times in the recent past. As Microsoft’s Threat Intelligence team reports, phishing campaigns change tricks every 37 days on average, testing new obfuscation methods and evaluating them by their success rates against the targets. Microsoft followed one such campaign from July 2020 to July 2021, recording the following evolution in the actors’ methods.
Apart from the actual phishing, which typically involved the abuse of Office 365 logos and login prompts, the actors also delivered an info-stealing module starting in May 2021, capable of fetching credentials automatically along with the user’s IP address and country data. In some cases, Microsoft noticed the actors using the logo of the organization the target worked for, so some level of reconnaissance was clearly involved, depending on the perceived value of the victim.
To stay safe against these attacks, set your mail flow rules or Group Policy for Outlook to strip the .HTML and .HTM file types, which aren’t required for business anyway; turn on “Safe Attachments” and “Safe Links”; and finally activate 2FA on your account.
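For teams that cannot strip every HTML attachment outright, the Morse-code trick described above is also easy to spot on the mail gateway. The following is an added example, not code from Microsoft or the article: a small scanner that finds Morse-looking runs inside an HTML attachment, decodes them and flags decoded text that mentions scripts or login pages. The HTML sample, the `MORSE_RUN` heuristic and the `SUSPICIOUS_TOKENS` list are constructed for illustration.

```python
import re

# International Morse code table (letters and digits), used to reverse the obfuscation.
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

# Heuristic (assumption, not a published signature): at least three Morse letters
# separated by whitespace, with "/" as the word gap. Ordinary HTML rarely has such runs.
MORSE_RUN = re.compile(r"(?<![.\-])(?:[.\-]{1,5}(?:\s+|\s*/\s*)){2,}[.\-]{1,5}(?![.\-])")

# Decoded tokens that warrant a closer look in an attachment arriving by e-mail.
SUSPICIOUS_TOKENS = ("SCRIPT", "LOGIN", "PASSWORD", "OFFICE", "365", "IFRAME")

# Constructed sample attachment: page text is benign, but the script holds Morse segments.
SAMPLE_HTML = (
    "<html><body><div id='d'>Invoice attached</div>\n"
    "<script>var seg = ['... -.-. .-. .. .--. -',"
    " '--- ..-. ..-. .. -.-. . / ...-- -.... ..... / .-.. --- --. .. -.'];"
    "</script></body></html>"
)


def decode_morse(run: str) -> str:
    """Turn one Morse run into text; symbols not in the table become '?'."""
    words = re.split(r"\s*/\s*", run.strip())
    return " ".join(
        "".join(MORSE_TO_CHAR.get(sym, "?") for sym in word.split())
        for word in words
    )


def scan_html(html: str) -> list[dict]:
    """Locate Morse runs in an HTML attachment, decode them and flag suspicious text."""
    findings = []
    for m in MORSE_RUN.finditer(html):
        text = decode_morse(m.group(0))
        hits = [t for t in SUSPICIOUS_TOKENS if t in text]
        findings.append({"offset": m.start(), "decoded": text, "hits": hits})
    return findings
```

Run `scan_html(SAMPLE_HTML)` to see the two segments decode to "SCRIPT" and "OFFICE 365 LOGIN"; a hit with a non-empty `hits` list is a reasonable trigger for quarantining the attachment for review.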