CyberSecurity SEE

Teach a Man to Phish and He’s Set for Life: Krebs on Security

Email phishing remains a frustrating and prevalent threat, and scammers keep reaching for old tricks that still deceive unsuspecting victims: attaching a phishing email to a legitimate-looking message, abusing link redirects on LinkedIn, and using a Unicode encoding trick to disguise a malicious file as a harmless document.

Recently, KrebsOnSecurity received a report from an anonymous reader who had received an email instructing them to review and complete a W-9 tax form. The email was cleverly disguised as a failed delivery report from Microsoft 365, adding an air of legitimacy to the phishing attempt.

Upon closer inspection, the reader noticed that the attachment, which appeared to be a PDF file, behaved strangely. For example, when attempting to rename the file, the right arrow key on the keyboard moved the cursor to the left, and vice versa. This behavior raised suspicions about the file’s authenticity.

Further analysis revealed that the file used a technique called “right-to-left override” (RLO). RLO (U+202E) is an invisible Unicode control character that tells text-rendering software to display the characters that follow it from right to left; it exists to support mixed-direction text in languages such as Arabic and Hebrew. Here the RLO character was placed inside the filename so that the file would display as a PDF when it was really an .eml file.

The screenshot provided shows Microsoft Windows displaying the filename as “lme.pdf,” but the characters actually stored after the RLO are “fdp.eml,” which Windows renders backward. The file’s true extension is therefore .eml, so opening it launches an email message in the mail client rather than a document in a PDF reader. The tactic aims to trick users into thinking they are opening a harmless PDF when they are in fact opening a disguised email file.

Although this phishing technique has been well known since at least 2011, it continues to be effective: the email got past Microsoft Office 365’s detections. Mimecast, on the other hand, recognized the encoding trick and renamed the attachment to “___fdp.eml,” so that its real name and .eml extension were visible.
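The check a mail gateway or attachment scanner can make is mechanical: look for Unicode bidirectional control characters in the filename, work out what the name would look like once rendered, compare that with the real extension, and rewrite the name so the trick no longer works. The following Python is an added example written for this page; it is not code from KrebsOnSecurity, Microsoft or Mimecast, and the sample filenames are constructed. The rewriting rule (replacing each control character with an underscore) is an assumption made to mirror the gateway rename described above, not a documented product behaviour.

```python
"""Detect and neutralise Unicode bidi-override tricks in attachment names.

Added example for this page, not code from the article or any mail product.
The sample filenames in main() are constructed for illustration.
"""
import unicodedata
from pathlib import PurePosixPath

# Unicode bidirectional formatting characters: explicit embeddings (LRE/RLE),
# overrides (LRO/RLO), the PDF terminator, and the isolates (LRI/RLI/FSI/PDI).
# U+202E RIGHT-TO-LEFT OVERRIDE is the one used in the W-9 lure.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in name."""
    return [
        (i, f"U+{ord(c):04X}", unicodedata.name(c))
        for i, c in enumerate(name)
        if c in BIDI_CONTROLS
    ]


def displayed_name(name):
    """Approximate how a naive file browser renders the name.

    Text after an RLO is shown reversed until a PDF (U+202C) or the end of
    the string; other bidi controls are invisible.  This models only the
    override case from the article, not the full UAX #9 algorithm.
    """
    shown = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            run = []
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                if name[j] not in BIDI_CONTROLS:
                    run.append(name[j])
                j += 1
            shown.extend(reversed(run))
            i = j + 1          # skip the terminating PDF, if any
        elif ch in BIDI_CONTROLS:
            i += 1             # invisible, contributes nothing
        else:
            shown.append(ch)
            i += 1
    return "".join(shown)


def real_extension(name):
    """Extension the OS actually uses: strip controls, take the last suffix."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return PurePosixPath(clean).suffix.lower()


def sanitize(name):
    """Replace each bidi control with '_' so the stored name renders as typed.

    Assumption: this mirrors the gateway rename described in the article;
    the exact rule a real product applies is not documented there.
    """
    return "".join("_" if c in BIDI_CONTROLS else c for c in name)


def assess(name):
    """Summarise what the user would see versus what would really open."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real = real_extension(name)
    shown_ext = PurePosixPath(shown).suffix.lower()
    return {
        "shown": shown,
        "real_extension": real,
        "bidi_controls": controls,
        # Any bidi control in a filename is worth a rename; a control that
        # also changes the apparent extension is the attack in the article.
        "suspicious": bool(controls),
        "extension_spoofed": bool(controls) and shown_ext != real,
    }


def main():
    samples = [                                  # constructed, not real mail
        "W-9_form\u202efdp.eml",                 # the trick from the article
        "report\u202egpj.scr",                   # same trick, shows as .jpg
        "W-9_form.pdf",                          # benign ASCII name
        "\u062a\u0642\u0631\u064a\u0631.pdf",    # benign Arabic name, no controls
    ]
    for name in samples:
        r = assess(name)
        print(f"{r['shown']!r:28} real={r['real_extension']:5} "
              f"spoofed={r['extension_spoofed']!s:5} -> {sanitize(name)!r}")


if __name__ == "__main__":
    main()
```

Run it and the first sample prints as `'W-9_formlme.pdf'` with a real extension of `.eml`, exactly the mismatch the reader noticed when the arrow keys moved the wrong way; the Arabic name passes because right-to-left script on its own contains no override characters, so the check does not penalise legitimate non-Latin filenames.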

Opening the .eml file displays a message crafted to look like an alert from Microsoft about messages awaiting restoration to the user’s inbox. Clicking the “Restore Messages” link sends the user through LinkedIn’s open redirect before landing on the actual phishing page.

As previously reported, scammers have frequently taken advantage of LinkedIn’s marketing feature, which allows them to create LinkedIn.com links that redirect users to other websites, often phishing pages impersonating legitimate brands such as Microsoft.

The final phishing page, reached after the LinkedIn redirect, mimics an Office 365 login page, creating a convincing facade of an official Microsoft Office website. In summary, this phishing scam combines the RLO trick with an open redirect on a Microsoft-owned site (LinkedIn) to lure victims and steal their email credentials.

According to Check Point Software, Microsoft was the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts. This highlights the importance of remaining vigilant and cautious when interacting with emails and messages claiming to be from Microsoft.

To protect yourself from phishing scams, avoid clicking on links in unsolicited emails, text messages, and other media. Phishing attempts often manufacture a sense of urgency, threatening dire consequences if you do not act immediately. If you are unsure whether a message is legitimate, visit the relevant website or service manually, using a saved bookmark so you do not land on a typosquatting site.

As email phishing techniques continue to evolve, it is essential for individuals and organizations to stay informed, exercise caution, and employ security measures to mitigate the risks associated with these threats.
