Light Dark
March 15, 2021 By David Bisson 2 min read
News

A very old way to send messages has found new life. Threat actors used Morse code in a new URL phishing campaign detected early in February 2021, according to Bleeping Computer.

Invented by Samuel Morse and Alfred Vail in the 19th century, Morse code was the bedrock of modern communication. It transmits messages over the telegraph using dots and dashes. It’s now also a means by which phishers can conceal their malicious URLs in an email attachment to evade detection.

Take a look at how attackers are using this kind of URL phishing and how to prevent it.

JavaScript Mapped to Morse Code in Spear Phishing Attack

The URL phishing attack begins when a user receives an email pretending to be an invoice, Bleeping Computer found. Because this attack is sent as an email to a specific company, it falls under the umbrella of targeting phishing or spear phishing. The attack email uses a subject line, such as ‘Revenue_payment_invoice February_Wednesday 02/03/2021,’ to support this disguise. The goal is to convince the recipient that it was safe for them to open the attachment. Once they do, it activates in the web programming language HTML.

The attackers crafted the name of the attachment to look like a personalized Excel spreadsheet for the company. The attachment used the format ‘[company_name]_invoice_[number]._xlsx.hTML.’

The attached URL phishing file included JavaScipt code that mapped letters and numbers to Morse code’s dots and dashes. Once run, the JavaScript used a decodeMorse() function to translate the Morse code into a hexadecimal string. Next, that string gave way to JavaScript tags that the campaign injected into the HTML page.

Those tags created the image of a fake Excel-based invoice and a custom login form. It informed the recipient that they needed to sign into their Office 365 account in order to view the file. If they did, the login form then stole the recipient’s credentials. From there, it uploaded them to a remote site where the attackers could retrieve them.

At the time of its reporting, Bleeping Computer had found attack attempts on 11 companies. This is the first known instance of phishing using Morse code.

Other Evasion Techniques Used by Phishers

Using Morse code in URL phishing isn’t the only evasive phishing technique in the news recently. In January 2020, PhishLabs came across one tactic in which phishers used a malicious website to call the gyroscope and accelerometers that are commonly found in smartphones. The idea here is that the website could change its behavior and cater to mobile users if it confirmed the presence of device motion and orientation events.

Several months later, Microsoft found that the CHIMBORAZO threat group had begun using websites with CAPTCHAs to avoid automated analysis.

Finally, a phishing operation in November 2020 inverted images used for its landing pages’ backgrounds in order to remain hidden from anti-phishing tools.

How to Defend Against a Phish

These tactics highlight the need for organizations to defend themselves against URL phishing. They can do this by using ongoing security awareness training to educate their users about some of the most common types of URL phishing attacks that are in circulation today. Organizations should position this education as part of a layered email security strategy that also leverages threat intelligence and other technical controls to help flag suspicious emails before they land in employees’ inboxes.

 |  | 
David Bisson
Contributing Editor

More from News
January 13, 2025

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

December 30, 2024

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

December 26, 2024

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature