
Leading email security vendor Vade has warned that cybercriminals have revived a two-decade-old phishing tactic and have been using it heavily against Microsoft 365 users in recent weeks.
This vintage phishing technique, known as the right-to-left override (RLO) attack, is intended to trick Microsoft 365 users into clicking on a file attachment and exposing their credentials and business data by disguising the file’s extension.
According to cybersecurity researchers at Vade, which has been tracking the RLO tactic since 2018, if the user ignores the file extension and considers the email’s context to determine if it’s legitimate, it is easy to fall into the trap. When victims open the files, they are prompted to enter their Microsoft 365 login information in a spoofed webpage.
The threat analyst team at Vade has identified more than 400 different RLO spoofing campaigns over the past two weeks. Each campaign consists of emails that share unique characteristics, and a single campaign can include hundreds or thousands of emails to users. The team saw one RLO attack in which an email was sent with what appeared to be a voicemail.mp3 attachment. Clicking on the .mp3 attachment leads the victim to a spoofed Microsoft login webpage.
In 2008, RLO spoofing was referenced in the Mozilla Foundation and Unicode technical reports as CVE-2009-3376, and it was once a popular method for masquerading malware in attachments. The technique has been used to hide the “.exe” extension of a file, allowing a user to open a malicious executable while believing they were opening a .txt file. This scam preys on recipients’ curiosity, which leads them to click the phishing link in the email’s body or attachment.
Notably, most security filters do not detect RLO attachments as malicious, so companies will have to rely on employees’ awareness of the trick and on phishing training to reduce the risk of these attacks. According to researchers, malicious activity using RLO picked up in 2020 and 2021 with the shift to remote work.
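The disguise described above relies on the Unicode right-to-left override character (U+202E): everything after it is rendered reversed, so a file named voicemail⟨RLO⟩3pm.exe is displayed as voicemail­exe.mp3. The following script, an added example that is not code from Vade or from the article, flags attachment filenames containing bidi override characters and reports the displayed extension next to the real one; the attachment names it scans are constructed samples.

```python
# Added example (not from the Vade report or the article): detect attachment
# filenames that use the Unicode right-to-left override (RLO, U+202E) to
# disguise the real extension, and show what a user sees vs. what the file is.
import os
import unicodedata

# Bidi control characters that can reorder displayed text. U+202E is the
# classic RLO; the others are included because they allow similar tricks.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed sample attachment names for the scan below (not real samples).
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "voicemail\u202e3pm.exe",   # displays as voicemailexe.mp3
    "notes\u202etxt.exe",       # displays as notesexe.txt
]


def displayed_name(filename: str) -> str:
    """Approximate how a bidi-naive viewer renders a name containing RLO:
    the text after the first U+202E is shown reversed. Simplification:
    only the first RLO is honoured and U+202C (pop directional) is ignored."""
    idx = filename.find("\u202e")
    if idx == -1:
        return filename
    return filename[:idx] + filename[idx + 1:][::-1]


def analyze_attachment(filename: str) -> dict:
    """Report bidi controls found plus the displayed vs. true extension."""
    controls = sorted({c for c in filename if c in BIDI_CONTROLS})
    shown = displayed_name(filename)
    return {
        "suspicious": bool(controls),
        "controls": [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in controls],
        "displayed_as": shown,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "true_extension": os.path.splitext(filename)[1].lower(),
    }


def flag_attachments(names) -> list:
    """Return the names that contain any bidi control character."""
    return [n for n in names if analyze_attachment(n)["suspicious"]]


if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_ATTACHMENTS):
        r = analyze_attachment(name)
        print(f"{r['displayed_as']!r} shown as {r['displayed_extension']}, "
              f"really {r['true_extension']} ({', '.join(r['controls'])})")
```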
Meanwhile, in a statement provided to a media outlet, Microsoft encouraged customers to practice good computing habits online, such as exercising caution when opening unknown files, clicking on links to web pages, or accepting file transfers.