Threat Actors Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks

Recent attacks involving so-called "right-to-left override" spoofing aimed at Microsoft 365 users show how attackers sometimes modify and improve old methods to try and stay one step ahead of defenders.

4 Min Read
Cubes with letters forming the word unicode
Source: Dominik Bruhn via Shutterstock

A technique that threat actors first used some 20 years ago to trick users into executing malicious files appears to be making a comeback.

Security vendor Vade on Tuesday said its researchers had spotted more than 400 attacks in the past two weeks employing the method — called right-to-left override (RLO) — in a phishing campaign targeting Microsoft 365 users. Just two out of 58 malware detection tools on VirusTotal were able to detect the threat, Vade said.

In an RLO attack, adversaries take advantage of a specific non-printing Unicode character, [U+202e], to disguise extensions so users get tricked into executing malicious files. U+202e is an RLO Unicode character that, when used before a particular word or piece of text, changes all subsequent text to be displayed right-to-left, as is needed to support Hebrew and Arabic languages. For example, when the character is used before the word "Vade," the text would be displayed as "edaV."

In the past, attackers have taken advantage of the Unicode character to disguise executable files. Vade pointed to how attackers would use U+202e in an executable file like "abctxt.exe," for example, so it would appear as the more benign looking "abcexe.txt." To achieve this, Vade said, the adversary would only need to insert U+202e into the string this way: "abc [U+202e] txt.exe"

Over the years, attacker interest in the technique waned as detection mechanisms improved. But in recent months, some adversaries have begun reusing the technique. Last August, the Health Information Sharing and Analysis Center (H-ISAC) issued an advisory warning about threat actors using the right-to-left-override character to obfuscate malicious files and deliver the Cobalt Strike toolkit on systems belonging to organizations in the healthcare sector.

"Modifying and improving old techniques to adapt to today's environments is common among attackers, who are always looking for new ways to break through," says Adrien Gendre, chief technology and product officer as well as co-founder of Vade.

In the campaign that the security vendor recently observed, adversaries employed the RLO technique to try to trick email recipients into believing they were opening an audio file when clicking on the file actually took them to a credential phishing site instead. 

For the scam, the attackers sent Microsoft 365 users an email notification inviting them to access an attached voicemail file. The email subject contained the recipient's actual name, and other aspects of the email looked genuine as well, such as the date and time. The attached file, too, ended with either an ".mp3" or a ".wav" file extension, which is what a user would normally expect with an audio file. However, clicking on it would only lead the user to an apparent Microsoft login page that sought to make the user enter their password.

"Previous attacks popular in the '90s and early 2000s used RLO spoofing to conceal executable malware files," Gendre says. "The recent RLO campaign uses the technique to disguise an html file, which includes a link to a phishing page, as an MP3 file that the user believes is a voicemail message."

Few security tools were able to detect the scam because they are designed to scan for IP and domain reputations and known malware signatures. "[With] the recent attacks, the attachments do not include known malware code but instructions in the html file to open a phishing page," he notes.

More Trouble on the Horizon?

Vade's report points to another report that researchers at Cambridge University published last November about a vulnerability they discovered in the Unicode specification (CVE-2021-42574) that gives attackers a way to disguise and insert malicious code into software during the development phase. The vulnerability allows attackers to use certain Unicode characters, including the RLO (U+202e) character, to basically reorder code that would change its logic while still retaining visual and semantic correctness. "Adversaries can leverage this deception to commit vulnerabilities into code that will not be seen by human reviewers," the two Cambridge University researchers wrote.

"A developer with access to source code could encode source code with this technique," Gendre says. "Also, as we saw with the SolarWinds attack, it could come from outside the organization via a breach."

Another vulnerability in the Unicode specification that the researchers discovered (CVE-2021-42694) gives attackers a way to use characters that appear near identical to each other — or homoglyphs — to inject malicious code during software development, which is almost impossible to detect visually.

Gendre notes that one way organizations can mitigate risk from these vulnerabilities is to ban text directionality in compilers and language specifications.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights