Encrypted RPMSG Messages Exploited in Targeted Microsoft 365 Phishing Attacks

In a disturbing development, cyber attackers have devised a new method to carry out targeted phishing attacks: sending encrypted RPMSG attachments through compromised Microsoft 365 accounts. The technique aims to bypass email security gateways, making such attacks difficult to detect and prevent.


New Technique Utilizes Compromised Accounts and Authentication Process
RPMSG files, also known as restricted permission message files, provide additional security for sensitive information by employing Microsoft’s Rights Management Services (RMS). These attachments require authentication from authorized recipients or a one-time passcode to decrypt their contents.


Recently, security firm Trustwave uncovered a tactic in which threat actors exploit the authentication requirements of RPMSG files to deceive victims into surrendering their Microsoft credentials through counterfeit login forms.

Attack Begins with Compromised Microsoft 365 Account

The attack typically commences with an email originating from a compromised Microsoft 365 account, such as in the case of Talus Pay, a reputable payments processing company. The recipients of these emails are often individuals working in the billing department of targeted organizations. The email appears as a Microsoft encrypted message, luring the recipients into further interaction.

Microsoft 365 Phishing Attacks – Phishing Email Redirects to Fake Login Forms

To access the encrypted message, the targets are prompted to click a “Read the message” button, which redirects them to an Office 365 webpage. This webpage asks the recipients to sign in to their Microsoft accounts, leveraging the legitimacy of the service. Once the authentication process is completed, the victims access the attackers’ phishing emails.

Sophisticated Redirection and Information Collection

Upon clicking a “Click here to Continue” button within the email, the recipients are redirected to a fake SharePoint document hosted on Adobe’s InDesign service. At this stage, the attack becomes more sophisticated and harder to detect. Clicking “Click Here to View Document” leads to a final destination that initially displays an empty page and a deceiving “Loading…Wait” message in the title bar.


Unbeknownst to the victims, this deceptive loading page is a diversion, allowing a malicious script to collect various system information. The harvested data encompasses visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

Cloned Login Form Transmits Stolen Credentials

Once the script successfully acquires the targets’ data, it presents a cloned Microsoft 365 login form on the page. This counterfeit login form cunningly captures any entered usernames and passwords, transmitting them to servers controlled by the attackers.

Mitigating the Risk and Enhancing Resilience – Microsoft 365 Phishing Attacks

This evolving phishing technique demonstrates the increasing sophistication of cyber attackers. By exploiting the encryption and authentication mechanisms provided by Microsoft 365, they can bypass conventional email security measures and deceive unsuspecting users into divulging their sensitive credentials.


Organizations and individuals must remain vigilant to mitigate the risk of falling victim. Implementing multi-factor authentication, regularly updating security software, and educating employees about phishing techniques can significantly enhance resilience against these evolving cyber threats.
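
Because the RPMSG payload described above is encrypted and arrives from a real (compromised) Microsoft 365 account, a gateway can act only on message metadata. The following is an added example, not part of the original article or of Trustwave's research: a mail-triage sketch that holds messages carrying an RPMSG attachment unless the sender's domain is one the organization expects protected mail from. The domain names, the allowlist and the "hold" policy are assumptions; the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RPMSG_TYPE = "application/x-microsoft-rpmsg-message"
# Assumption: domains this organization expects protected mail from.
EXPECTED_RPMSG_DOMAINS = {"partner.example"}

def rpmsg_parts(msg):
    """Names of MIME parts that look like RMS-protected (RPMSG) attachments."""
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == RPMSG_TYPE or name.endswith(".rpmsg"):
            hits.append(name or "(unnamed)")
    return hits

def triage(raw_bytes):
    """Return (verdict, reason). The payload is encrypted, so only metadata is used."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hits = rpmsg_parts(msg)
    if not hits:
        return ("deliver", "no RPMSG attachment")
    if domain in EXPECTED_RPMSG_DOMAINS:
        return ("deliver", f"RPMSG from expected domain {domain}")
    # Sender authentication passes for a compromised real account, so an
    # unexpected-sender rule is used here instead of an SPF/DKIM check.
    return ("hold", f"RPMSG {hits} from unexpected domain {domain}")

def build_sample(sender, with_rpmsg):
    """Constructed test message; the attachment bytes are placeholder data."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "billing@victim.example"
    m["Subject"] = "Encrypted message"
    m.set_content("You have received a protected message.")
    if with_rpmsg:
        m.add_attachment(b"placeholder-not-real-rpmsg", maintype="application",
                         subtype="x-microsoft-rpmsg-message", filename="message.rpmsg")
    return m.as_bytes()

if __name__ == "__main__":
    for s, r in [("ap@unknown-vendor.example", True),
                 ("ap@partner.example", True),
                 ("ap@unknown-vendor.example", False)]:
        print(s, r, triage(build_sample(s, r)))
```

A held message still needs human review, since an expected partner's account can be compromised in the same way.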