Attackers targeting Microsoft 365 users with phishing emails have been turning to an old tactic in a big way in recent weeks — and the technique is so sneaky that it’s “easy” for users to fall prey, according to email security vendor Vade.
The technique — known as the right-to-left override (RLO) attack — goes back two decades. In these campaigns it is used to trick Microsoft 365 users into opening a file attachment by disguising the file’s real extension.
“If the user doesn’t pay attention to the extension and consider the context of the email to determine if it’s legitimate, it is easy to fall into the trap,” said Antoine Morel, cybersecurity pre-sales engineer at Vade, in an email to VentureBeat.
Phishing continues to be a common, and often disastrous, form of cyber attack. Findings from Proofpoint show that in the event of a successful phishing attack, 60% of organizations end up losing data, while 52% suffer a compromise of credentials or accounts. Meanwhile, nearly half of organizations — 47% — end up infected with ransomware as a result of a successful phishing attack, Proofpoint reported.
Overall, 24% of ransomware attacks derive from a phishing email, according to a report from Cloudian.
A revived tactic
When it comes to the RLO attack technique, spoofing the extension of a file is possible because of a special Unicode control character, the right-to-left override (U+202E). The character itself is invisible, but once it appears in a string, everything after it is displayed from right to left, regardless of the characters’ own direction, so the name a mail client or file manager shows no longer matches the order in which the name is actually stored.
In the past, the tactic has been used to disguise the “.exe” extension in a file. A name stored as “notes”, then the override character, then “txt.exe” is displayed as “notesexe.txt”, so a user who thought they were opening a .txt file actually opened a malicious executable, Vade says.
The recent wave of RLO attacks has evolved to dangle a file type users expect to see today: an attachment whose displayed extension is .mp3, presented as a voicemail, the email security vendor said.
In one iteration of the attack, clicking on the file attachment leads the user to a webpage, which asks them to enter their credentials in order to access the voicemail, Vade says.
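To make the mechanism concrete, here is an added Python example, not code from the article or from Vade, that assembles a spoofed attachment name the way an attacker does, approximates how a left-to-right interface renders it, and flags the mismatch between the extension shown and the extension the system will act on. The sample file names are constructed, and the assumption that the “voicemail” attachment is really an HTML file is mine, drawn from the report that clicking it opens a web page.

```python
"""Build and detect right-to-left-override (RLO) file-name spoofs.

Added example, not code from the article or from Vade. The file names
below are constructed for illustration; they are not samples from the
campaigns Vade describes.
"""
import re
import unicodedata

RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE: render what follows right-to-left
PDF = "\u202C"  # POP DIRECTIONAL FORMATTING: ends the override

# Explicit Unicode bidirectional controls. A file name meant to be read
# literally never needs one, so their presence is itself a signal.
BIDI_CONTROLS = re.compile("[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]")


def spoof_name(prefix: str, real_ext: str, fake_ext: str) -> str:
    """Assemble a file name the way an RLO attacker does.

    The text after the override is displayed reversed, so the attacker
    stores reverse(fake_ext) + "." + real_ext; on screen that run reads as
    reverse(real_ext) + "." + fake_ext, and the victim sees fake_ext last.
    """
    return f"{prefix}{RLO}{fake_ext[::-1]}.{real_ext}"


def rendered(name: str) -> str:
    """Approximate what a left-to-right UI shows for `name`.

    Models only what the spoof relies on: the run after an RLO is drawn
    reversed up to the matching PDF (or the end of the string), and other
    bidi controls are invisible. Full UAX #9 layout is more involved.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif BIDI_CONTROLS.match(ch):
            i += 1  # zero-width, nothing is drawn
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _ext(s: str) -> str:
    return s.rsplit(".", 1)[-1].lower() if "." in s else ""


def real_extension(name: str) -> str:
    """Extension the OS or mail client acts on: the controls are invisible,
    but they do not move the last '.' in the stored name."""
    return _ext(BIDI_CONTROLS.sub("", name))


def apparent_extension(name: str) -> str:
    """Extension the user believes they are looking at."""
    return _ext(rendered(name))


def classify(name: str) -> str:
    """Verdict for one attachment name.

    'extension-spoof'       shown extension differs from the real one
    'bidi-control-present'  a bidi control is present but nothing is hidden
    'clean'                 no explicit bidi controls at all
    """
    if real_extension(name) != apparent_extension(name):
        return "extension-spoof"
    if BIDI_CONTROLS.search(name):
        return "bidi-control-present"
    return "clean"


def control_names(name: str) -> list:
    """Human-readable names of the bidi controls found, for an alert."""
    return [unicodedata.name(c) for c in BIDI_CONTROLS.findall(name)]


if __name__ == "__main__":
    samples = [
        # Constructed: looks like a voicemail, is an HTML file (assumption:
        # the article only says that opening the attachment leads to a web page).
        spoof_name("voicemail", "htm", "mp3"),
        spoof_name("notes", "exe", "txt"),      # constructed: the classic .exe-as-.txt
        "quarterly_report.pdf",                 # constructed benign name
        "\u062a\u0642\u0631\u064a\u0631.pdf",   # constructed benign Arabic name:
                                                # RTL script, but no control characters
    ]
    for s in samples:
        # repr() escapes the invisible U+202E so the stored form is visible.
        print(f"shown={rendered(s)!r:22} stored={s!r:30} real=.{real_extension(s):4} "
              f"seen=.{apparent_extension(s):4} {classify(s)} {control_names(s)}")
```

The check worth carrying into a mail gateway is the cheap one: any explicit bidirectional control character in an attachment name is worth quarantining or at least rewriting, because legitimate right-to-left file names (the Arabic sample above) rely on the script’s own directionality and never need an override. The rendering function is only an approximation of what a client draws, which is exactly why the detector compares the stripped stored name with the rendered one rather than trusting either alone.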
However, “each RLO spoofing attack is unique, and attackers are using different headers, senders, subjects, and attachments to pass through basic security protection,” the company said in a blog post today.
While users who aren’t paying attention can easily fall for this, “it is also easy to detect the trick, like opening an .mp3 file leads to a Microsoft login webpage,” Morel said. “This type of spoofing is particularly dangerous and more likely to succeed for people not aware of this masquerading process and not careful with analyzing emails in general.”
‘Significant’ wave of attacks
Vade says it has observed more than 400 different RLO spoofing campaigns over the past two weeks. Each campaign consists of a set of emails that share distinguishing characteristics, and a single campaign can include hundreds or thousands of emails to users.
Thus, 400 different campaigns during a two-week period “is a significant number when you know that one campaign can affect a lot of users, in one or several companies,” Morel said.
Most security vendors aren’t detecting the RLO attachments as malicious, so companies will need to rely on employees’ awareness of the trick, and ideally practice phishing training, to reduce the risk of these attacks, he said.
Vade has been tracking the RLO tactic since 2018, but malicious activity using it picked up in 2020 and 2021 with the shift to remote work, Morel said. “Hackers are most likely taking advantage of the pandemic and the teleworking context, when users are less vigilant and protected by the company’s security tools,” he said.
Ultimately, RLO “is an old technique, but as long as people are unaware of the threat, attackers will continue to use it and reinvent it,” Vade said in its blog.