Phishing news roundup: One Font BEC campaign, BazarBackdoor malware, and HTML smuggling
Posted by: GuidePoint Security
Published 11/18/21, 9:00am
With ransomware dominating headlines, it is important to remember that phishing remains among the most common threats affecting organizations and is a frequently used initial infiltration method in ransomware attacks. Here are some of the phishing stories that made the news last week:
Microsoft warning of HTML smuggling phishing attacks
Microsoft issued warnings last week of an observed increase in the number of HTML smuggling attacks. These attacks bypass perimeter security because the malicious payload is assembled behind the firewall, on the user's own machine. In phishing attacks, HTML smuggling uses HTML5 and JavaScript to hide malicious payloads, encoded inside an HTML attachment or webpage. The malicious content is only decoded by the browser when the user opens the attachment or clicks on the link, so there is no recognizable malicious file for gateway filters to inspect in transit. Microsoft is advising admins to use behavior-based rules to check for common HTML smuggling characteristics.
BazarBackdoor delivered via phishing
Industry researchers are reporting phishing attacks that abuse a Microsoft Windows 10 application-installer feature to deliver the BazarBackdoor malware. When the victim clicks on the link, they are directed to a website displaying the Adobe software brand name and instructed to preview a PDF and then install a PDF component. Once permission is granted, the Windows 10 app installer is used to deliver the payload. BazarBackdoor is linked to Trickbot and the Ryuk ransomware.
BEC campaign uses tiny font size to hide text
A newly discovered business email compromise (BEC) campaign is targeting Microsoft 365 users with phishing emails containing sophisticated obfuscation tactics, including hiding text by shrinking it to a one-point font size. The campaign also hides links using cascading style sheets (CSS) and codes message text inside <font> tags to reduce the effectiveness of email filters that rely on natural language processing. Email content uses standard social engineering lures, such as password expiration notices. Links embedded in the email redirect to phishing pages designed to capture credentials.
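Both stories above come down to the same defensive question: what does a behavior-based rule for an HTML email body or HTML attachment look like? The following triage script is an added example written for this roundup; it is not code from Microsoft, the cited researchers, or GuidePoint. It parses HTML with the Python standard library and flags two families of characteristics: script that decodes an embedded blob and hands it to the browser as a download (the HTML smuggling pattern), and text rendered at unreadable font sizes or links hidden by CSS (the BEC text-hiding pattern). The indicator list, the size thresholds and the three sample messages are constructed assumptions for illustration, not a vendor signature set.

```python
"""Heuristic triage of an HTML email body or .html attachment (example code)."""
import re
from html.parser import HTMLParser

# JavaScript calls that cooperate in a smuggling page: decode an embedded
# blob, wrap it as a Blob / object URL, assign a download name. Any one of
# these is legitimate on its own; the combination is the behavioural signal.
# Indicator set is an assumption for this example.
SMUGGLING_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "download_attr": re.compile(r"\.download\s*="),
}

FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(px|pt|em|%)?", re.I)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "embed", "source", "wbr"}

# Assumed thresholds: text at or below these sizes is not readable on screen.
TINY_ABSOLUTE = 3.0   # px or pt (the campaign in the text used 1pt)
TINY_RELATIVE = 0.25  # em, or 25 %


def style_is_tiny(style):
    """True if an inline style declares a font-size below the readable threshold."""
    for value, unit in FONT_SIZE_RE.findall(style or ""):
        size = float(value)
        unit = (unit or "px").lower()
        if unit in ("px", "pt") and size <= TINY_ABSOLUTE:
            return True
        if unit == "em" and size <= TINY_RELATIVE:
            return True
        if unit == "%" and size <= TINY_RELATIVE * 100:
            return True
    return False


class HtmlTriage(HTMLParser):
    """Collects script bodies, text rendered at tiny sizes, and links hidden by CSS."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = []
        self.tiny_text = []
        self.hidden_links = []
        self._stack = []        # (tag, tiny, hidden) per open element; flags inherit downward
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        _, parent_tiny, parent_hidden = self._stack[-1] if self._stack else (None, False, False)
        style = a.get("style") or ""
        # <font size="1"> is the smallest legacy size; treated like a tiny CSS size (assumption).
        tiny = parent_tiny or style_is_tiny(style) or (
            tag == "font" and (a.get("size") or "").strip() in ("0", "1"))
        hidden = parent_hidden or bool(HIDDEN_CSS_RE.search(style))
        if tag == "a" and a.get("href") and (tiny or hidden):
            self.hidden_links.append(a["href"])
        if tag == "script":
            self._in_script = True
        if tag not in VOID_TAGS:
            self._stack.append((tag, tiny, hidden))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        # Pop back to the matching open tag; tolerates unclosed inner elements.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
            return
        text = " ".join(data.split())
        if text and self._stack and self._stack[-1][1]:
            self.tiny_text.append(text)


def triage(html_text):
    """Return the indicators found and a list of verdict labels (empty when clean)."""
    parser = HtmlTriage()
    parser.feed(html_text)
    parser.close()
    script_text = "\n".join(parser.scripts)
    indicators = sorted(name for name, rx in SMUGGLING_PATTERNS.items() if rx.search(script_text))
    verdict = []
    if len(indicators) >= 2:          # decode + wrap/hand-off together, not any single API
        verdict.append("html_smuggling")
    if parser.tiny_text or parser.hidden_links:
        verdict.append("hidden_text")
    return {"smuggling_indicators": indicators, "tiny_text": parser.tiny_text,
            "hidden_links": parser.hidden_links, "verdict": verdict}


# Constructed samples. The "payload" in the first one is just the text 'hello'.
SMUGGLED_ATTACHMENT = """<html><body><p>Loading your document...</p>
<script>
  var blob = new Blob([atob('aGVsbG8=')], {type: 'application/octet-stream'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'invoice.pdf';
</script></body></html>"""

BEC_EMAIL = """<html><body>
<p>Your password expires in 24 hours. <a href="https://example.invalid/reset">Renew now</a></p>
<p style="font-size:1pt">lorem ipsum filler to confuse filters</p>
<font size="1">ticket 48213 auto-generated notice</font>
<div style="display:none"><a href="https://example.invalid/track">.</a></div>
</body></html>"""

BENIGN_EMAIL = """<html><body><p style="font-size:12pt">Meeting moved to 3pm.
<a href="https://example.invalid/cal">Calendar</a></p></body></html>"""

if __name__ == "__main__":
    for label, sample in [("attachment", SMUGGLED_ATTACHMENT), ("bec", BEC_EMAIL), ("benign", BENIGN_EMAIL)]:
        print(label, triage(sample))
```

The verdict deliberately requires two cooperating smuggling indicators rather than one, because `atob` or `Blob` alone appear in plenty of legitimate mail-merge and web content; a rule that fires on a single API call is the kind of rule that gets switched off after a week of false positives. The text-hiding check inherits the tiny and hidden flags down the element tree, so a link nested several levels inside a `display:none` container is still caught.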
Next Steps
Businesses are reminded that cybercriminals will use a wide variety of obfuscation and social engineering techniques to deliver phishing emails. Businesses are encouraged to use anti-phishing services and email security technology to protect their employees and data from attack.