There are a few languages in the world that are written and read from right to left rather than left to right. Two prime examples are Arabic and Hebrew. More than 20 years ago, a Unicode “right-to-left override” (RLO) character was created. When it is embedded in text rendered by a computer, the RLO causes the characters that follow it to be displayed in reverse order.
The RLO was developed to allow passages written in languages ordinarily read from right to left to be displayed or printed from left to right to increase their readability. Now it’s being used in phishing attacks. Leave it to cybercriminals to take something created for beneficial purposes and use it to perpetrate crimes. The RLO has a history of misuse and is now being leveraged in convincing scams targeting some of the more than 250 million users of Microsoft 365.
First, a bit about Unicode and the origins of the RLO
Computers use unique numerical identifiers to represent each letter and special character. Prior to the adoption of the Unicode Standard in the 1980s, multiple numbering systems were being used by computers in different parts of the world to identify text characters. As a consequence, digital files and documents created in one nation often could not be read correctly by computers elsewhere. The Unicode Standard changed all of that by eliminating the problem of conflicting character encoding systems.
Additional Unicode identifiers, referred to as non-printing characters, have been created over time. “Non-printing” refers to the fact that they do not cause any text to be displayed or printed, so they are invisible to the end user. The RLO, Unicode code point U+202E, is a non-printing control character that causes the text following it to be displayed in reverse. Unicode’s universal compatibility, along with the invisibility and text-reversing behaviour of the RLO, make it useful to bad actors everywhere.
The RLO’s sordid past and what it looks like when it’s used
By the late 1990s, shortly after it was created, cybercriminals had begun to embed the RLO in the names of malicious email attachments to make those attachments look less threatening. For example, an attacker could include the RLO in the name of the malicious executable file MyFiletxt.exe like so: MyFile[U+202E]txt.exe. When received as an email attachment, the name will display as MyFileexe.txt because the text following the RLO is reversed. At a glance, the file appears to be a harmless text file (.txt) rather than a potentially dangerous executable (.exe), making it more likely that the recipient will open the attachment.
How Microsoft 365 users are now being targeted using the RLO
Cybercriminals have now expanded usage of the RLO to include attacks on Microsoft 365 users. This isn’t surprising considering the target-rich environment. There are over 250 million users of Microsoft 365, each one having credentials that could be all an attacker needs to access the critical data of a business.
In this attack variant, a Microsoft 365 user receives a well-crafted, convincing email indicating that he or she has a new voicemail message. The email includes an attachment that appears to be a recording of that voicemail, with a displayed file name that typically ends in the .mp3 extension. Since most computer users know that .mp3 is an audio file format, they are more likely to open this type of attachment. In fact, it is actually an .html file disguised as an .mp3, using the RLO to reverse the extension as described previously.
The body of the email may also include a link giving the recipient the option to go to a site where he or she can listen to the voicemail instead. Whether the recipient clicks the embedded link or opens the disguised malicious .html attachment, a credential phishing site opens. The site appears to be an authentic login page prompting the victim to enter Microsoft 365 credentials in order to access the voicemail message. In some instances, particularly industrious criminals even recorded generic voicemail messages for their victims so that the victims would be less likely to realize they had been scammed and report the incident.
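The following is an added example, not code from the original article or from FullHost, showing how a mail gateway or attachment scanner could flag the two disguises described above (the MyFile[U+202E]txt.exe trick and the voicemail .html-as-.mp3 variant). It scans attachment names for Unicode bidirectional control characters, approximates how a naive renderer would display the name, and compares the displayed extension with the extension the operating system will actually use. The sample filenames are constructed for this example, and the display model is a deliberate simplification of the Unicode Bidirectional Algorithm (text after U+202E is reversed until a U+202C or the end of the name), which is enough to reproduce the effect the article describes.

```python
# Detect attachment names that use Unicode bidi overrides to disguise
# their real extension. Added example; sample names are constructed.

# Bidirectional control characters that can change how a name is shown.
# U+202E is the RLO from the article; the rest are its relatives
# (embeddings, overrides, isolates and their terminators).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (index, label) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def approximate_display(name):
    """Approximate how a simple renderer shows a name containing an RLO.

    Simplified model (not the full Unicode Bidirectional Algorithm):
    characters after U+202E are shown reversed until U+202C (PDF) or the
    end of the string; other control characters are dropped from display.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])  # reversed run
            i = end + 1                          # skip the PDF, if any
        elif ch in BIDI_CONTROLS:
            i += 1                               # invisible, no display effect here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(text):
    return text.rsplit(".", 1)[-1].lower() if "." in text else ""


def real_extension(name):
    """Extension the OS actually uses: the suffix of the raw name, controls removed."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return _extension(clean)


def displayed_extension(name):
    """Extension a user sees after the bidi override has been applied."""
    return _extension(approximate_display(name))


def assess_attachment(name):
    """Classify an attachment name: 'block' on a disguised extension,
    'review' if any bidi control is present, otherwise 'ok'."""
    controls = find_bidi_controls(name)
    real_ext = real_extension(name)
    shown_ext = displayed_extension(name)
    if controls and real_ext != shown_ext:
        verdict = "block"
    elif controls:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "raw": name,
        "displayed_as": approximate_display(name),
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "verdict": verdict,
    }


# Constructed sample attachment names (not taken from any real campaign).
SAMPLES = [
    "MyFile\u202etxt.exe",        # the article's classic example
    "voicemail_\u202e3pm.html",   # .html shown as .mp3, voicemail variant
    "report.pdf",                 # ordinary name
    "\u05e9\u05dc\u05d5\u05dd.txt",  # Hebrew name, no controls: not flagged
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = assess_attachment(sample)
        print(f"{r['verdict']:6} shown={r['displayed_as']!r} "
              f"real=.{r['real_extension']} shown=.{r['displayed_extension']}")
```

The key design choice is to judge the raw byte string (what the operating system will open) against the rendered string (what the user sees) rather than simply rejecting any non-ASCII name: the Hebrew sample contains no control characters and is left alone, while a name whose displayed extension differs from its real one is blocked outright.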
Once the targets enter their credentials, they become available to the attacker who can then use them to inflict significant damage.
Recognizing the attack
There are a couple of ways recipients of these messages can recognize them as scams before it’s too late. One is that when they open the voicemail attachment they believe to be an .mp3 file, a website asking for their credentials opens instead of an audio file. That shouldn’t happen and is a strong indicator that something is wrong. Another clue is that the URL of the page that opens points to a file on the recipient’s own computer rather than to a real website. Either of these should prompt the recipient to close the page without entering credentials and to report the incident immediately.
Training and communication are key
Whether or not your organization utilizes Microsoft 365, providing information to your users about emerging threats like this one will reduce the likelihood that an attack would be successful. If your organization doesn’t already have one, management should seriously consider developing and implementing a cybersecurity training program that is ongoing, regularly evaluated, and continuously improved. Training is the best defense against attacks targeting the human in the loop. If you need assistance with employee training, there are quality third-party training providers available to help.
Whether you are a current client of FullHost interested in the benefits of switching to Microsoft 365 or are a current Microsoft 365 user that is looking for a new support partner, we have support plans that include your Microsoft 365 subscription.