Microsoft 365 Phishing Attacks Use Encrypted RPMSG Messages
Cyber Security Threat Summary:
Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients. To access and read the encrypted contents of RPMSG attachments, recipients are required to either authenticate using their Microsoft account or acquire a one-time passcode for decryption.
“As Trustwave recently discovered, RPMSG's authentication requirements are now being exploited to trick targets into handing over their Microsoft credentials using fake login forms. "It starts with an email that originated from a compromised Microsoft 365 account, in this case from Talus Pay, a payments processing company," Trustwave said. "The recipients were users in the billing department of the recipient company. The message shows a Microsoft encrypted message." The threat actors' emails ask the targets to click a "Read the message" button to decrypt and open the protected message, redirecting them to an Office 365 webpage with a request to sign into their Microsoft account. After authentication using this legitimate Microsoft service, the recipients can finally see the attackers' phishing email that will send them to a fake SharePoint document hosted on Adobe's InDesign service after clicking a "Click here to Continue" button. From there, clicking "Click Here to View Document" leads to the final destination that displays an empty page and a "Loading...Wait" message in the title bar that acts as a decoy to allow a malicious script to collect various system information. The harvested data includes visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture” (Bleeping Computer, 2023).
After the script is done collecting the targets’ data, a replicated Microsoft 365 login form will be displayed on the page. This counterfeit form is designed to capture the usernames and passwords entered by the victims and transmit them to servers controlled by the attackers.
Security Officer Comments:
Researchers at Trustwave have observed that detecting and countering targeted phishing attacks can be particularly challenging due to their limited volume. Furthermore, these attackers enhance their deception by utilizing trusted cloud services like Microsoft and Adobe for sending phishing emails and hosting content. The use of encrypted RPMSG attachments further complicates matters as it conceals the phishing messages from email scanning gateways. This is achieved by including only a legitimate hyperlink in the initial phishing email, leading potential victims to a genuine Microsoft service.
Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues.
Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.
Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.
Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.
Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.
Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.
Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.
It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.
If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
Link(s):
https://www.bleepingcomputer.com/