

    20 Year-Old “Right-to-Left Override” Functionality Used in Attacks to Trick Microsoft 365 Users Out of Credentials

    20 Year Old Functionality Used in Attacks

    Used to disguise malicious file extensions, this legacy functionality is being repurposed in attacks to obfuscate attachment types and steal credentials in an impressive way.

    Some languages (such as Hebrew and Arabic) are written right-to-left, as opposed to most languages (including English), which are written left-to-right. To support this, a non-printing Unicode control character, U+202E, was devised years ago to create a “right-to-left override”, better known as RLO: the characters that follow it are displayed right-to-left regardless of their script.

    For example, if I were to insert that Unicode character in the phrase “Cyber[U+202e]Security”, it would be displayed as “CyberytiruceS”. Now apply this concept to, say, a malicious filename: “MaliciousAttachment[U+202e]pdf.exe” would be displayed in Windows as “MaliciousAttachmentexe.pdf”. You can quickly see how this takes a file that is, at the least, obviously suspicious and makes it appear benign, even business-appropriate.

    In a new attack documented by security vendor Vade Secure, this method of obfuscation and social engineering has recently been seen in the wild targeting Microsoft 365 users. Victims are sent an email with a “voice mail” attached, whose filename appears to end in “mth.mp3”. Remember the RLO principle and you realize that, with the right placement of the Unicode character, this becomes “mp3.htm” – an HTML file! The HTML is loaded in the browser and the user is presented with a Microsoft 365 logon screen:

    [Screenshot: the Microsoft 365 logon page displayed by the HTML attachment. Source: Vade Secure]

    Behind the scenes, the HTML includes a POST to a server controlled by the attackers, which receives the credentials the victim enters.
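    As an added example (not code from this article or from Vade Secure), the following Python checks attachment filenames the way a mail-gateway or triage script might: it renders what a bidi-naive file browser would display, compares the displayed extension with the extension the operating system will actually use, and flags any mismatch. The sample filenames are constructed; in them the real extension is stored after the override in reversed order, which is exactly what makes “fdp.exe” render as “exe.pdf” and “3pm.htm” render as the “mth.mp3” voicemail described above.

```python
# Unicode bidi controls that can reorder how a filename is displayed. U+202E (RLO)
# is the one used above; the others are included so the check is not bypassed by
# the sibling overrides/embeddings/isolates.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def rendered_name(name: str) -> str:
    """What a file browser shows: text after U+202E is drawn right-to-left (reversed)
    up to a closing U+202C or end of string; the controls themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls: non-printing, drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def _ext(s: str) -> str:
    return s.rsplit(".", 1)[-1].lower() if "." in s else ""

def analyze(name: str) -> dict:
    """Compare the extension the OS will use with the one the user sees."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    real_ext = _ext("".join(c for c in name if c not in BIDI_CONTROLS))
    apparent_ext = _ext(rendered_name(name))
    return {"displayed": rendered_name(name), "bidi_controls": controls,
            "real_ext": real_ext, "apparent_ext": apparent_ext,
            "suspicious": bool(controls) and real_ext != apparent_ext}

if __name__ == "__main__":
    samples = [  # constructed attachment names, not taken from the Vade Secure report
        "Voicemail_0412\u202e3pm.htm",  # displays as "Voicemail_0412mth.mp3"
        "Invoice_Q3\u202efdp.exe",      # displays as "Invoice_Q3exe.pdf"
        "Quarterly_report.pdf",         # benign: no bidi controls
    ]
    for s in samples:
        r = analyze(s)
        print(f"{r['displayed']:<24} real=.{r['real_ext']:<4} "
              f"shown=.{r['apparent_ext']:<4} suspicious={r['suspicious']}")
```

    A filename containing any bidi control is worth logging on its own; the extension mismatch is what separates the deliberate disguise from a legitimately named Hebrew or Arabic attachment.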

    The big red flag here is receiving a voicemail in your inbox as an attachment. Users who undergo Security Awareness Training will spot this immediately and, at the very least, find it suspicious. Proper training tells them not to engage with such content, helping them avoid becoming victims of these attacks.


    Find out which of your users’ emails are exposed before bad actors do.

    Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization. KnowBe4’s Email Exposure Check Pro (EEC) identifies the at-risk users in your organization by crawling business social media information and now thousands of breach databases.


    Here’s how it works:

    • The first stage does deep web searches to find any publicly available organizational data
    • The second stage finds any users that have had their account information exposed in any of several thousand breaches
    • You will get a summary report PDF as well as a link to the full detailed report
    • Results in minutes!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/email-exposure-check-pro-partner?partnerid=001a000001lWEoJAAW
