A new phishing technique has been identified by security researchers that uses compromised Microsoft 365 accounts to send phishing emails that contain .RPMSG attachments, which are used in a sophisticated attack to gain access to Microsoft 365 accounts.

RPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. In contrast to regular emails that are sent in plain text and can be read by anyone or any security solution, these files are encrypted and are stored as an encrypted file attachment. The files can also be used to limit the ability of users to forward or copy emails. The intended recipient can read the encrypted messages after they have been authenticated, either by using their Microsoft 365 credentials or a one-time passcode.

Phishing attacks using these files give the impression that the messages are protected and secured, as access is restricted to authorized users. If a user is unfamiliar with RPMSG files and they perform a Google search, they will quickly discover that these files are used for secure emails, giving the impression that the emails are genuine.

The use of RPMSG files in phishing attacks was discovered by researchers at Trustwave. In this scam, an email is sent from a compromised account, and since these accounts are at legitimate businesses, the emails appear genuine. For example, one of the scams used a compromised account at the payment processing company Talus Pay.

The emails are sent to targeted individuals, such as employees in the billing department of a company. The emails are encrypted, and credentials need to be entered before the content of the email can be viewed. In this campaign, the emails tell the recipient that Talus Pay has sent them a protected message, and the email body includes a “Read the message” button that users are prompted to click. The emails also contain a link that the user can click to learn about messages protected by Microsoft Purview Message Encryption.

If the recipient clicks the link to read the message, they are directed to a legitimate Office 365 email webpage where they are required to authenticate with their Microsoft 365 credentials. After authentication, the user is redirected to a fake SharePoint document, which is hosted on the Adobe InDesign service. If they try to open the file, they are directed to the final destination URL that shows a “Loading… Wait” message, and while on that URL, a malicious script runs and collects system information. When that process is completed, a cloned Microsoft 365 login form is displayed, which sends the username and password to the attacker’s command and control server if entered. The script collects information such as visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

Anti-Phishing Demo
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo

The problem with phishing attempts involving encrypted content is email security solutions are unable to decrypt the content. In this scam, the only URL in the email directs the user to a legitimate Microsoft service which is not malicious, making these phishing attempts difficult to block without also blocking legitimate Microsoft encrypted emails. The key to preventing this type of sophisticated phishing attack is education. Through security awareness training, employees should be warned never to open unsolicited encrypted messages, even if the messages appear to have been sent by a legitimate user. They should also be conditioned to report any such messages to their IT security team for further investigation.

The SafeTitan security awareness training program can be used by businesses to create training courses for employees, tailored to each individual’s role and the threats they are likely to encounter. The training content is engaging to improve knowledge retention and can be easily updated to include information on the latest threats, such as phishing attacks involving RPMSG files. The platform also includes a phishing simulator that can be used to automate phishing simulations on the workforce, and RPMSG phishing emails can easily be incorporated into the simulator to check whether employees are fooled by these sophisticated attacks. If a user fails a phishing simulation, they are automatically provided with training content in real-time relevant to the simulation they failed. This on-the-spot training is the most effective way of re-educating the workforce and ensures training is provided at the point when it is most likely to be effective.

For more information on SafeTitan Security awareness training and phishing protection, call the TitanHQ team today.

Jennifer Marsh

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, CloudLinux, and IBM. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.