A classic phishing tactic using mislabeled files is being used to deceive Microsoft 365 users into revealing their credentials. Malicious actors are dusting off Right-to-Left Override (RLO) attacks to fool victims into running files with altered extensions, as per cybersecurity researchers at Vade. Victims are requested to enter their Microsoft 365 login details when they open the files.
In the previous two weeks, Vade's threat analysis team has discovered more than 200 RLO attacks targeting Microsoft 365 users. The technique of assault was:
Within the Unicode encoding system, the RLO character [U+202e] is a special non-printing character. The symbol was created to support languages like Arabic and Hebrew, which are written and read from right to left.
The special character, which can be found in the Windows and Linux character maps, can be used to mask the file type. The executable file abc[U+202e]txt.exe, for example, will display in Windows as abcexe.txt, misleading people to believe it is a.txt file.
The threat has been present for more than a decade, and CVE-2009-3376 was first identified in 2008 in Mozilla Foundation and Unicode technical reports.
"While Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes," noted researchers.
RLO spoofing was previously a common technique for hiding malware in attachments. According to Vade researchers, the approach is currently being used to phish Microsoft 365 business users in order to gain access to a company's data. The team encountered one RLO attack in which an email was delivered with what seemed to be a voicemail.mp3 attachment.
Researchers stated, "This kind of scam preys on the curiosity of the recipient, who is not expecting a voicemail, and who maybe intrigued enough to click the phishing link in the body of the email or the attachment, which is often an html file."
"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working," hypothesized the analysts, who also noted that "RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking."
