---
title: "Two Decades-Old Phishing Attack Revamped | Phish Protection"
description: "Two Decades-Old Phishing Attack Revamped: The RLO technique is a simple technique that disguises malicious files making them seem like simple text files ."
image: "https://phishprotection.com/og/blog/decades-old-phishing-attack-revamped.png"
canonical: "https://phishprotection.com/blog/decades-old-phishing-attack-revamped/"
---

Quick Answer

However, \_the attackers have revived this technique with a few alterations\_. Vade, a security vendor, stated that there were \*\*more than 400 cases\*\* of attacks that followed the RLO pattern made within a small span of two weeks.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fdecades-old-phishing-attack-revamped%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Two%20Decades-Old%20Phishing%20Attack%20Revamped&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fdecades-old-phishing-attack-revamped%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Fdecades-old-phishing-attack-revamped%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fdecades-old-phishing-attack-revamped%2F&title=Two%20Decades-Old%20Phishing%20Attack%20Revamped "Share on Reddit") [ ](mailto:?subject=Two%20Decades-Old%20Phishing%20Attack%20Revamped&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Fdecades-old-phishing-attack-revamped%2F "Share via Email") 

![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/02/phishing-attack-prevention-7800.jpg) 

_The RLO technique is a simple technique that disguises malicious files making them seem like simple text files_. When downloaded by the user, these files could damage their device or could be used to acquire sensitive information. Although this technique became outdated, recently, [attackers started using it again](https://www.vadesecure.com/en/blog/how-hackers-are-using-a-20-year-old-text-trick-to-phish-microsoft-365-users) as people lowered their **guard against cyber attacks**.

### The Right-to-Left Technique

_The RLO technique was prevalent during the nineties, and early 2000’s_ when cyber security was not as advanced as it currently is. With the help of this technique, attackers used a simple method to make the users download **malicious files** that could then be used to extract any information that the attacker wanted to acquire.

_The technique utilizes a non-printing Unicode character to change the display name of a file_. The RLO Unicode character U+202e reverses the text that comes after it so that it is displayed in a right-to-left format. For instance, if the file name is “filetxt.exe” it can be changed to “fileexe.txt” if the code is written as “fileU+202txt.exe”. Thus, the attackers would disguise malicious “.exe” files as “.txt” files. These files that seemed like simple text files would lead the victim to lower their guard as they would think of them as simple text files and download them. Once downloaded, these files would work as designed by the attacker.

![Phishing attack prevention](https://media.mailhop.org/phishprotection/images/2022/02/phishing-attack-prevention-7800.jpg) 

### The Phishing Impact on Users

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

_The RLO technique had earlier led to significant losses for many users who were not aware of the technique and were not careful_ about the kind of files they were downloading. However, with increased [awareness](/products/phishing-awareness-training/) and technological advancements, users have become more aware of these attacks, and the number of victims eventually decreased, leading to the RLO technique going out of practice.

However, _the attackers have revived this technique with a few alterations_. Vade, a security vendor, stated that there were **more than 400 cases** of attacks that followed the RLO pattern made within a small span of two weeks.

Users of Microsoft 365 reported receiving **email notifications** that supposedly had an audio attachment with “.mp3” or “.wav” extensions. When they clicked on the attachment to download it, it took them to a page asking for their credentials to listen to the file. Thus, although these files themselves do not consist of malware but instead lead to a landing page that records the data that the user enters on the page, it was not easy to detect them. Many **security systems** could also not easily detect these files as the new systems are built to check IP and familiar malware signatures.

### Similar Phishing Tactics

The RLO technique is not the only Unicode technique that has been used to victimize end users. The “Trojan Source” method was also a Unicode technique that attackers utilized where **over 51%** of the [reported cases](https://purplesec.us/resources/cyber-security-statistics/) were due to this. This technique also disguises the malware file into a more benign-looking file that is then sent to end-users. _Once the file is clicked on, the malware is downloaded and starts its work like a trojan file_. These attacks were not only harming the one who downloaded the file but also the supply chain that the user was attached to, thus posing a more significant threat.

Renaming system utilities was [another type of mechanism](https://attack.mitre.org/techniques/T1036/003/) that attackers used. This method allowed the users to rename system utilities and make dangerous files look inconspicuous so that people would enter the required data. For instance, a “.vps” file could be disguised as a “.txt” file to avoid detection.

![Phishing email prevention](https://media.mailhop.org/phishprotection/images/2022/02/phishing-email-prevention-9009.jpg) 

### How to Steer Clear of Such Phishing Attempts

With an increase in the recent [phishing attacks](/blog/rise-in-online-payments-given-rise-in-phishing-attacks/) and seeing how easy it was to receive the data of **over 400 people**, according to [Vade](https://www.vadesecure.com/en/blog/how-hackers-are-using-a-20-year-old-text-trick-to-phish-microsoft-365-users), there seems to be a need for an increase in vigilance in regards to **cyber security**. Although many advanced tools and firewalls can protect the data from being stolen, it is still pertinent to increase awareness levels about **data protection**. The following tips [provided by Microsoft](https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44) can go a long way in keeping malicious actors at bay:

- **_Keep your passwords well protected:_** Keeping passwords protected does not end at the creation of a strong password that cannot easily be cracked. You must implement [multi-factor authentication](/blog/latest-phishing-campaign-targeting-microsoft-proves-multi-factor-authentication-risky-organizations/) (MFA) wherever the option is available.
- **_Beware of unusual links and attachments:_** Do not open suspicious attachments unless they come from a reliable and well-known source. Also, refrain from entering any sensitive details, such as your account passwords or banking information, on any site.
- **_Responsible browsing:_** Be careful what kind of websites you open while browsing the internet. Sometimes you may come across illicit websites. _Refrain from clicking on notifications and downloads from such websites_ as they may end up downloading [malware or ransomware](/products/malware-and-ransomware-protection/) on your device.
![Global Phishing Attack Prevention Statistics](https://media.mailhop.org/phishprotection/images/2022/02/Global-Phishing-Attack-Prevention-Statistics.jpg) 

### Final Words

_Phishing attacks have been here for decades and have only gotten more sophisticated over time_ as threat actors also have advanced and have a multitude of resources at their disposal. One cannot anticipate the next **phishing campaign** threat actors may be planning to revive. Hence, to keep ahead of them, you must have [anti-phishing](/) systems in place, especially when you run a small business, as a single employee mistake could end up with malicious actors infiltrating your information assets and stealing confidential business information.

## Topics

[ Phishing ](/tags/phishing/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Protect your inbox from phishing attacks

Real-time email security with 60-day free trial. No credit card required.

[Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) 

## Related Articles

[  Foundational 5m  0ktapus, Okta Breach Helps Attackers Launch Sophisticated Supply Chain Attacks  Sep 5, 2022 ](/blog/0ktapus-okta-breach-helps-attackers-launch-sophisticated-supply-chain-attacks/)[  Foundational 4m  13 Spear Phishing Attacks Examples To Justify Investment For Phishing Prevention Solutions In Your Organization  Aug 1, 2019 ](/blog/13-spear-phishing-attacks-examples-to-justify-investment-for-phishing-prevention-solutions-in-your-organization/)[  Foundational 4m  All 14 centers of Kettering Health were affected by a massive ransomware attack, Major outage in the Ohio medical center  May 23, 2025 ](/blog/14-centers-of-kettering-health-were-affected-by-massive-ransomware-attack-in-ohio-medical-center/)[  Foundational 4m  2021 Phishing Trends You Need To Be Wary Of  Aug 2, 2021 ](/blog/2021-phishing-trends-to-be-wary-of/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Two Decades-Old Phishing Attack Revamped","description":"Two Decades-Old Phishing Attack Revamped: The RLO technique is a simple technique that disguises malicious files making them seem like simple text files .","url":"https://phishprotection.com/blog/decades-old-phishing-attack-revamped/","datePublished":"2022-02-18T15:19:13.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2022-02-18T15:19:13.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/decades-old-phishing-attack-revamped/"},"articleSection":"foundational","keywords":"Phishing","wordCount":902,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2022/02/phishing-attack-prevention-7800.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://phishprotection.com/foundational/"},{"@type":"ListItem","position":4,"name":"Two Decades-Old Phishing Attack Revamped","item":"https://phishprotection.com/blog/decades-old-phishing-attack-revamped/"}]}
```