Unicode Being Leveraged to Target Microsoft 365 Users

There are a few languages in the world that are written and read from right to left rather than left to right. Two prime examples are Arabic and Hebrew. More than 20 years ago, a Unicode “right-to-left override” (RLO) character was created. When embedded in text compiled by a computer, the RLO invokes functionality that causes the text characters that follow it to be displayed in reverse order.

The RLO was developed to allow passages written in languages ordinarily read from right to left to be displayed or printed from left to right to increase their readability. Now it’s being used in phishing attacks. Leave it to cybercriminals to take something created for beneficial purposes and use it to perpetrate crimes. The RLO has a history of misuse and is now being leveraged in convincing scams targeting some of the more than 250 million users of Microsoft 365.

Unicode and the origins of the RLO

Computers use unique numerical identifiers to represent each letter and special character. Prior to the adoption of the Unicode Standard in the 1980s, multiple numbering systems were being used by computers in different parts of the world to identify text characters. As a consequence, digital files and documents created in one nation often could not be compiled by computers elsewhere. The Unicode Standard changed all of that by eliminating the issue of conflicting character encoding systems.

Additional Unicode identifiers, referred to as non-printing characters, have been created over time. “Non-printing” refers to the fact that they do not cause any text to be displayed or printed. Non-printing characters are invisible to the end-user. The RLO, identified by Unicode as 202e (written U+202E), is a non-printing control character that causes the text that follows it to be displayed in reverse order. Unicode’s universal compatibility, along with the invisibility and text-reversing functionality offered by the RLO, makes it useful to bad actors everywhere.

The RLO’s sordid past and what it looks like when it’s used

By the late 1990s, shortly after it was created, cybercriminals had begun to embed the RLO in the names of malicious email attachments to make those attachments look less threatening. For example, an attacker could include the RLO in the name of the malicious executable file MyFiletxt.exe like so: MyFile[U+202e]txt.exe. When received as an email attachment, the name will display as MyFileexe.txt as a result of the reversal of text following the RLO. At a glance, the file appears to be a harmless text file (.txt) rather than a potentially dangerous executable (.exe), making it more likely that the attachment will be opened by its recipient.

How Microsoft 365 users are now being targeted using the RLO

Cybercriminals have now expanded usage of the RLO to include attacks on Microsoft 365 users. This isn’t surprising considering the target-rich environment. There are over 250 million users of Microsoft 365, each one having credentials that could be all an attacker needs to access the critical data of a business.

In this attack variant, a Microsoft 365 user receives a well-crafted, convincing email indicating that he or she has a new voicemail message. The email includes an attachment that appears to be a recording of that voicemail. The file name displayed typically ends with the .mp3 extension. Since most computer users know that .mp3 is an audio file format, they are more likely to open this type of attachment. In fact, it’s actually a .html file disguised as an mp3 using the RLO to reverse the extension information as described previously.

The body of the email may also include a link giving the recipient the option to go to a site where he or she can listen to the voicemail if that’s preferred. Whether the recipient clicks the embedded link or opens the disguised malicious .html file attachment, a credential phishing site will open. The site appears to be an authentic login page prompting the victim to enter Microsoft 365 credentials in order to access the voicemail message. In some instances, particularly industrious criminals actually created some generic voicemail messages for their victims so that they would be less likely to discover that they had been scammed and report the incident.

Once the targets enter their credentials, they become available to the attacker who can then use them to inflict significant damage.

Recognizing an RLO attack

There are a couple of ways recipients of these messages can recognize them as scams before it’s too late. One is that when they open the voicemail attachment they believe to be a .mp3 file, a website asking for their credentials opens instead of an audio file. That shouldn’t happen and is a great indicator that there is a problem. Another clue is the fact that the URL of the website that opens indicates that it resides on the message recipient’s own computer. Either of these should prompt the recipient to exit without entering credentials and to report the incident immediately.
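The filename reversal described earlier (MyFile[U+202e]txt.exe shown as MyFileexe.txt, and the .html attachment shown as an .mp3) can also be checked mechanically before a message reaches the user. The following is an added example, not code from the original article: the function names, the quarantine policy and the voicemail sample name are assumptions, and the display model is simplified to reversing the text after an RLO.

```python
import os
import unicodedata

# Unicode bidi classes of the explicit formatting characters (RLO is U+202E).
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RLO, PDF = "\u202e", "\u202c"

def is_bidi_control(ch):
    return unicodedata.bidirectional(ch) in BIDI_CLASSES

def displayed_name(name):
    """Approximate what a bidi-aware UI shows: text after an RLO is reversed
    until a PDF (U+202C) or the end of the name. Simplified model."""
    shown, run, in_rlo = "", "", False
    for ch in name:
        if ch in (RLO, PDF):
            shown += run[::-1] if in_rlo else run
            run, in_rlo = "", ch == RLO
        elif not is_bidi_control(ch):
            run += ch
    return shown + (run[::-1] if in_rlo else run)

def inspect_attachment(name):
    """Compare the extension the OS acts on with the one the user sees."""
    controls = [f"U+{ord(c):04X}" for c in name if is_bidi_control(c)]
    raw = "".join(c for c in name if not is_bidi_control(c))
    real_ext = os.path.splitext(raw)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    return {
        "shown_as": displayed_name(name),
        "controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "spoofed_ext": real_ext != shown_ext,
        # Assumed policy: a legitimate attachment name has no reason to
        # carry bidi formatting characters, so any hit is held for review.
        "quarantine": bool(controls),
    }

# Constructed sample names: the article's example, a hypothetical voicemail
# lure, and a clean name for comparison.
SAMPLES = ["MyFile\u202etxt.exe", "voicemail_\u202e3pm.html", "notes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), inspect_attachment(sample))
```

Printing the name with `repr()` as done here makes the otherwise invisible U+202E show up as an escape sequence in logs.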

Training and communication are key

Whether or not your organization utilizes Microsoft 365, providing information to your users about emerging threats like this one will reduce the likelihood that an attack would be successful. If your organization doesn’t already have one, management should seriously consider developing and implementing a cybersecurity training program that is ongoing, regularly evaluated, and continuously improved. Training is the best defense against attacks targeting the human in the loop. If you need assistance with employee training, there are quality third-party training providers available to help.
