Phishing

Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways.

RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients.

Recipients who want to read them must authenticate using their Microsoft account or obtain a one-time passcode to decrypt the contents. 

As Trustwave recently discovered, RPMSG's authentication requirements are now being exploited to trick targets into handing over their Microsoft credentials using fake login forms.

"It starts with an email that originated from a compromised Microsoft 365 account, in this case from Talus Pay, a payments processing company," Trustwave said.

"The recipients were users in the billing department of the recipient company. The message shows a Microsoft encrypted message."

The threat actors' emails ask the targets to click a "Read the message" button to decrypt and open the protected message, redirecting them to an Office 365 webpage with a request to sign into their Microsoft account.

After authentication using this legitimate Microsoft service, the recipients can finally see the attackers' phishing email that will send them to a fake SharePoint document hosted on Adobe's InDesign service after clicking a "Click here to Continue" button.

Protected phishing email
Protected phishing email (Trustwave)

​From there, clicking "Click Here to View Document" leads to the final destination that displays an empty page and a "Loading...Wait" message in the title bar that acts as a decoy to allow a malicious script to collect various system information.

The harvested data includes visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

Once the script is done collecting the targets' data, the page will show a cloned Microsoft 365 login form that will send the entered usernames and passwords to attacker-controlled servers.

Detecting and countering such phishing attacks can prove quite challenging due to their low volume and targeted nature, as observed by Trustwave researchers.

Moreover, the attackers' use of trusted cloud services such as Microsoft and Adobe to send phishing emails and host content adds an additional layer of complexity and trustworthiness.

Encrypted RPMSG attachments also conceal phishing messages from email scanning gateways, given that the only hyperlink in the initial phishing email directs the potential victims to a legitimate Microsoft service.

"Educate your users on the nature of the threat, and not to attempt to decrypt or unlock unexpected messages from outside sources," Trustwave advises companies that want to mitigate the risks posed by this type of phishing attack.

"To help prevent Microsoft 365 accounts being compromised, enable Multi-Factor Authentication (MFA)."

Related Articles:

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Ongoing Microsoft Azure account hijacking campaign targets executives

One year of Microsoft 365 for one user is now $45 in this deal

Diagram better — Microsoft Visio Pro 2021 is $25 through April 2nd

New Darcula phishing service targets iPhone users via iMessage