Bill Cole wrote:
On 9 Feb 2021, at 18:37, Kenneth Porter wrote:

<https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>

I'm reminded of the recent post suggesting that SA parse QR codes to
feed URLs to block lists.

The email includes a web document pretending to be an Excel document
(double extension .xlsx.hTML) that contains a JavaScript Morse decoder
and a string with the URLs encoded in Morse.

I see two ways to block this: 1) MUAs should ignore code in HTML.

All minimally secure MUAs ignore any embedded JavaScript. Any MUA
written in this century that executes JavaScript should itself be deemed
malware.

Thunderbird and Seamonkey both have it supported and enabled out of the
box. I would not be surprised if Outlook did, along with no way to
disable it. Mac Mail probably does, again likely with at best a tedious
hassle to disable it. Windows Mail (AKA "the descendant of Outlook
Express") probably does as well, also likely can't be disabled without
tinkering with the program binary or libraries. That probably covers
99% of the general end-users that use a desktop MUA.

This would be one of the few points I'd grant in favour of webmail; at
least any JavaScript is executing in a browser that's had a lot more
attention to putting a leash on JS misbehaviour.

I would personally class any email with active JavaScript as malware -
it should never have been supported at all IMO - but the marketing
departments have taken charge and I see all too much (i.e., more than
absolutely none) legitimate mail using it.

-kgd
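
An added example, not code from any poster in this thread or from SpamAssassin: a gateway-side check for the attachment shape described above (document-lookalike double extension ending in HTML, embedded script, Morse-encoded string), decoding the Morse so the hidden URL can be handed to a block-list lookup. The function names, the extension list, the Morse punctuation mapping and the sample message are assumptions constructed for illustration.

```python
import email, re
from email import policy
from email.message import EmailMessage

# International Morse: letters, digits, plus the punctuation a URL needs.
# How a given sample encodes separators is an assumption of this sketch.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- "
          ".-. ... - ..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- "
          "..... -.... --... ---.. ----. .-.-.- ---... -..-. -....-").split()
MORSE = dict(zip(_CODES, "abcdefghijklmnopqrstuvwxyz0123456789.:/-"))

DOUBLE_EXT = re.compile(r"\.(?:xlsx?|docx?|pdf)\.html?$", re.I)  # e.g. .xlsx.hTML
MORSE_RUN = re.compile(r"(?:[.-]{1,6} ){8,}[.-]{1,6}")           # 9+ Morse tokens
URL = re.compile(r"https?://[a-z0-9./:-]+")

def decode_morse(run):
    """Decode space-separated Morse; unknown tokens become '?'."""
    return "".join(MORSE.get(tok, "?") for tok in run.split())

def scan_message(raw):
    """Flag document-lookalike HTML attachments and recover Morse-hidden URLs."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        if part.is_multipart() or not DOUBLE_EXT.search(name):
            continue
        body = part.get_content()
        if isinstance(body, bytes):            # attachment sent as octet-stream
            body = body.decode("utf-8", "replace")
        urls = [u for run in MORSE_RUN.findall(body)
                for u in URL.findall(decode_morse(run))]
        findings.append({"file": name,
                         "script": "<script" in body.lower(),
                         "urls": urls})
    return findings

def build_sample():
    """Constructed test message; the host name is a reserved placeholder."""
    enc = {v: k for k, v in MORSE.items()}
    hidden = " ".join(enc[c] for c in "http://example.test/login")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached spreadsheet.")
    msg.add_attachment(f'<html><script>var m = "{hidden}";</script></html>',
                       subtype="html", filename="invoice.xlsx.hTML")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The double extension plus a script tag is already enough to score or quarantine; decoding the Morse only adds the URL for block-list feeding.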