Upcoming events

  • No upcoming events

Latest ISLF News

Menu
Log in

Information Security Leadership Forum Interational

A Community of Today and Tomorrow's Leaders

The Return of the Unicode Exploit - A 20 Year Old Tactic Comes to O365

Thursday, February 10, 2022 4:00 PM | Timothy Phillips (Administrator)

Twenty years ago, the popular tactic in phishing emails was for scammers to use the Unicode character U+202e in malicious attachments to fool users into opening malicious attachments.  The character reverses the text and displays it from right to left.  This allowed scammers to reverse the “exe” extension with an innocuous “txt” extension or even seemingly innocent voicemail file extensions “mp3” or “wav”. 

Vade spotted more than 400 attacks in the last two weeks using the RLO method targeting Microsoft 365 users.  As of this writing only 2 out of 58 malware detection tools were able to detect the threat.

More Unicode Trouble? 

In November, two CVEs were released with disturbing Unicode vulnerabilities.  CVE-2021-42574 allowed attackers to disguise and insert malicious code using the U+202e character, hiding vulnerabilities in code that wouldn’t be caught by human reviewers. 

The other, CVE-2021-42694, allowed the injection of malicious code using near identical characters, or homoglyphs, during software development.  Homoglyphs are nearly impossible to detect visually. 

Developers note that the best way to combat these vulnerabilities is to ban text directionality in compilers and language specifications. 

Questions For You!

Do you have any thoughts on this topic?

How do we prevent exposure to vulnerabilities of the past?

ON a slightly different but related topic, is there a role for government to regulate technology companies to ensure known vulnerabilities do not continue to haunt us?

If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note to keep our environment clean and free of advertisments of any kind, comments may not include external links, citing company names to promote them, or the like.