RPMSG attachments, also referred to as restricted permission message files, have emerged as a favoured tool among attackers. These files, created through Microsoft's Rights Management Services (RMS), restrict access to authorised recipients by encrypting the message body. The same encryption that protects legitimate messages also hides their content from security tooling, which is what makes them attractive for phishing.
By sending from compromised Microsoft 365 accounts, cybercriminals use this encryption to slip past email security gateways and harvest Microsoft credentials. To read such a message, recipients must authenticate with their Microsoft account or obtain a one-time passcode that decrypts the contents.
Behind the scenes – how does this happen?
Because recipients expect to authenticate before reading an RPMSG message, a sign-in prompt looks normal, and attackers have used that expectation to lure targets into counterfeit login forms, as revealed in a recent investigation by Trustwave.
According to Trustwave, the attack begins with an email sent from a compromised Microsoft 365 account, in this case one belonging to Talus Pay, a payment processing company. The targets were users in the billing department of the recipient company. The email carries a Microsoft encrypted message.
The malicious emails from the threat actors prompt the targets to click a "Read the message" button, supposedly to decrypt and access the protected message. However, this action redirects them to an Office 365 webpage where they are requested to sign into their Microsoft account.
Upon successful authentication through this legitimate Microsoft service, the recipients are finally able to view the phishing email from the attackers. This email contains a "Click here to Continue" button, which, once clicked, leads them to a page styled as a SharePoint document but hosted on Adobe's InDesign service.
From here, if a user selects "Click Here to View Document," they are taken to the final page, which is empty apart from a deceptive "Loading...Wait" message in the title bar. The delay is a diversion: while the user waits, a malicious script quietly gathers system information.
The collected data encompasses visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.
Once the script completes its data collection process, a cloned Microsoft 365 login form emerges on the page. Any usernames and passwords entered into this form are discreetly transmitted to servers under the control of the attackers.
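To make the fingerprinting step concrete, here is an added example of the kind of collector the passage describes. It is not the attacker's script and not Trustwave's code. It reads from an `env` object instead of the page globals so that it also runs under Node for testing; in a browser you would pass `{ navigator, screen, window, renderer: getWebGLRenderer(document) }`. The "visitor ID" and "connect token" in the real kit are issued by the attacker's backend and are not reproduced; the hash function is a stand-in, since the real script's hashing is not known.

```javascript
// Added example, not the attacker's script and not Trustwave's code: a
// minimal collector for the browser attributes the passage lists.

// FNV-1a 32-bit hash, used only as a stand-in for whatever hash the real
// script computes (assumption: the actual algorithm is not known).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The usual way fingerprinting scripts read the GPU renderer string:
// the unmasked renderer exposed by WEBGL_debug_renderer_info.
// `doc` is a Document (or, in tests, any object with createElement()).
function getWebGLRenderer(doc) {
  try {
    const gl = doc.createElement("canvas").getContext("webgl");
    const ext = gl && gl.getExtension("WEBGL_debug_renderer_info");
    return ext ? gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) : null;
  } catch (err) {
    return null;
  }
}

// Collects the attributes listed in the article from an environment object.
function collectFingerprint(env) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  const win = env.window || {};
  const fp = {
    renderer: env.renderer || null,                        // video card renderer
    language: nav.language || null,                        // system language
    deviceMemory: nav.deviceMemory ?? null,                // GiB, Chromium only
    hardwareConcurrency: nav.hardwareConcurrency ?? null,  // logical CPU count
    plugins: nav.plugins ? Array.from(nav.plugins, (p) => p.name) : [],
    platform: nav.platform || null,                        // OS / architecture hint
    userAgent: nav.userAgent || null,
    window: {                                              // browser window details
      innerWidth: win.innerWidth ?? null,
      innerHeight: win.innerHeight ?? null,
      screenWidth: scr.width ?? null,
      screenHeight: scr.height ?? null,
      colorDepth: scr.colorDepth ?? null,
    },
  };
  // A stable hash of the collected attributes lets a backend recognise a
  // returning victim even without cookies.
  fp.visitorHash = fnv1a32(JSON.stringify(fp));
  return fp;
}

// Constructed sample environment standing in for a real browser.
const SAMPLE_ENV = {
  navigator: {
    language: "en-GB",
    deviceMemory: 8,
    hardwareConcurrency: 4,
    platform: "Win32",
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) constructed-sample",
    plugins: [{ name: "PDF Viewer" }, { name: "Chrome PDF Viewer" }],
  },
  screen: { width: 1920, height: 1080, colorDepth: 24 },
  window: { innerWidth: 1280, innerHeight: 720 },
  renderer: "ANGLE (Intel, Intel(R) UHD Graphics 620 Direct3D11 vs_5_0 ps_5_0, D3D11)",
};

console.log(JSON.stringify(collectFingerprint(SAMPLE_ENV), null, 2));
```

None of these reads require permissions or trigger a prompt, which is why the blank "Loading...Wait" page gives nothing away to the user; the only visible trace is a brief pause before the cloned login form appears.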
What next?
Trustwave researchers have highlighted the challenges involved in detecting and combating targeted phishing attacks. These attacks are particularly difficult to detect due to their limited volume and focused nature.
The attackers leverage reputable cloud services like Microsoft and Adobe to send phishing emails and host content. This tactic increases the trustworthiness of the attack, making it harder to identify.
To make matters worse, the encrypted RPMSG attachment stops email scanning gateways from inspecting the lure itself. The initial phishing email contains only one hyperlink, and that link points at a legitimate Microsoft service, so neither the link nor the attachment gives a gateway much to act on.
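Since the gateway cannot read the attachment, the practical signal is metadata: an RPMSG attachment arriving from an external domain that has never sent protected mail before. The following is an added example of a triage rule built on that signal; it is not Trustwave's detection and not a product rule. Messages are modelled as plain objects shaped loosely like Microsoft Graph `message` resources (an assumption; nothing here calls an API), the allowlists are placeholders, and the sample batch is constructed.

```javascript
// Added example, not Trustwave's detection: flag RPMSG attachments from
// external senders that are not known to send protected mail.

const INTERNAL_DOMAINS = new Set(["example.com"]);             // assumption: our own tenant
const KNOWN_RMS_SENDERS = new Set(["trustedpartner.example"]); // assumption: partners who legitimately send RMS-protected mail
const LURE_PHRASES = ["read the message", "read the secure message"];

// Sender domain from a Graph-style `from.emailAddress.address` field.
function senderDomain(msg) {
  const addr = (msg.from && msg.from.emailAddress && msg.from.emailAddress.address) || "";
  const at = addr.lastIndexOf("@");
  return at < 0 ? "" : addr.slice(at + 1).toLowerCase();
}

// Match on the file name or on the MIME type Microsoft uses for message.rpmsg.
function isRpmsgAttachment(att) {
  const name = (att.name || "").toLowerCase();
  const type = (att.contentType || "").toLowerCase();
  return name.endsWith(".rpmsg") || type === "application/x-microsoft-rpmsg-message";
}

// Per-message verdict. The "Read the message" text is also present in
// legitimate protected mail, so it is recorded as context, not as the trigger.
function triage(msg) {
  const domain = senderDomain(msg);
  const rpmsg = (msg.attachments || []).filter(isRpmsgAttachment).map((a) => a.name);
  const text = (msg.bodyPreview || "").toLowerCase();
  const external = !INTERNAL_DOMAINS.has(domain);
  const knownSender = KNOWN_RMS_SENDERS.has(domain);
  const lure = LURE_PHRASES.some((p) => text.includes(p));
  const flag = rpmsg.length > 0 && external && !knownSender;
  return { id: msg.id, senderDomain: domain, rpmsgAttachments: rpmsg, lure, flag };
}

// Batch view: these campaigns are low volume, so how many messages a sender
// domain produced in the window is useful context for the analyst.
function triageBatch(msgs) {
  const volume = new Map();
  for (const m of msgs) {
    const d = senderDomain(m);
    volume.set(d, (volume.get(d) || 0) + 1);
  }
  return msgs.map((m) => ({ ...triage(m), senderVolume: volume.get(senderDomain(m)) }));
}

// Constructed sample batch.
const RPMSG_TYPE = "application/x-microsoft-rpmsg-message";
const SAMPLE_MESSAGES = [
  { id: "m1", from: { emailAddress: { address: "ap@unknownvendor.example" } },
    bodyPreview: "You have received a protected message. Read the message",
    attachments: [{ name: "message.rpmsg", contentType: RPMSG_TYPE }] },
  { id: "m2", from: { emailAddress: { address: "invoices@trustedpartner.example" } },
    bodyPreview: "Protected invoice attached. Read the message",
    attachments: [{ name: "message.rpmsg", contentType: RPMSG_TYPE }] },
  { id: "m3", from: { emailAddress: { address: "it@example.com" } },
    bodyPreview: "Read the message",
    attachments: [{ name: "message.rpmsg", contentType: "application/octet-stream" }] },
  { id: "m4", from: { emailAddress: { address: "news@unknownvendor.example" } },
    bodyPreview: "Newsletter",
    attachments: [{ name: "news.pdf", contentType: "application/pdf" }] },
];

for (const r of triageBatch(SAMPLE_MESSAGES)) {
  console.log(`${r.id} ${r.senderDomain} flag=${r.flag} volume=${r.senderVolume}`);
}
```

The allowlist is the part that needs care: seed it from historical mail (domains that have sent RPMSG attachments to you over a long window) rather than from guesswork, and review new entries, because a compromised partner account is exactly what this campaign used.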
Organisations are advised to educate their users about the nature of these threats and to instruct them not to attempt to decrypt or open unexpected protected messages from unknown sources.
To reduce the impact of a Microsoft 365 account compromise, enable Multi-Factor Authentication (MFA). This additional layer of protection helps mitigate the risks associated with such phishing attacks; where possible, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes and push prompts can be relayed by a phishing page that proxies the real sign-in.
Education is key
Safeguarding your organisation from phishing attacks requires proactive measures and a commitment to continuous improvement.
One effective strategy is to leverage specialised services, such as phishing assessments, offered by trusted providers like Cybaverse.
With a proactive approach to security and the insights provided by phishing assessments, you can equip your workforce with the knowledge needed to recognise, and hopefully thwart, phishing attempts.
Want to learn more about our phishing assessment services? Find out more here.

