Phishers are using encrypted restricted-permission messages (.rpmsg) attached in phishing emails to steal Microsoft 365 account credentials.
“[The campaigns] are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe),” say Trustwave researchers Phil Hay and Rodel Mendrez. “The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.”
Phishing emails with Microsoft Encrypted Restricted Permission Messages
The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.
Phishing email with a encrypted restricted-permission message (Source: Trustwave)
The emails contain a .rpmsg (restricted permission message) attachment and a “Read the message” button with a long URL that leads to office365.com for message viewing.
To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.
After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it’s hosted on SharePoint but it’s actually hosted on the Adobe’s InDesign service.
They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.
In the background, the open source FingerprintJS library collects the user’s system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.
Hiding from security solutions
“The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service,” Hay and Mendez noted.
“The only clue that something might be amiss is the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email. The link was likely generated from yet another compromised Microsoft account.”
They advise organizations to:
- Block, flag or manually inspect .rpmsg attachments
- Monitor incoming email streams for emails originating from MicrosoftOffice365@messaging.microsoft.com and having the subject line “Your one-time passcode to view the message”
- Educate users about the consequences of decrypting or unlocking content from unsolicited emails
- Implement MFA.