Phishers use encrypted file attachments to steal Microsoft 365 account credentials

Help Net Security* reports that phishers are using encrypted restricted-permission messages (.rpmsg) attached to phishing emails to steal Microsoft 365 account credentials.

The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.

The emails contain a .rpmsg (restricted permission message) attachment and a “Read the message” button with a long URL that leads to a page for viewing the message.

To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.

After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it’s hosted on SharePoint but is actually hosted on Adobe’s InDesign service.

They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.

In the background, the open source FingerprintJS library collects the user’s system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.
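The two indicators the report describes, a .rpmsg attachment paired with a “Read the message” link that points outside the expected Microsoft domains, can be checked at the mail gateway or in a SOC triage script. The following is an added example, not code from the report or from ESET; the trusted-host allowlist, the sample message and the .rpmsg MIME type it uses are assumptions for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts where a legitimate Microsoft 365 "Read the message" link is expected to
# point. This allowlist is an assumption for the example; tune it to your tenant.
TRUSTED_HOSTS = ("office365.com", "microsoft.com", "office.com", "outlook.com")

# Constructed sample message mirroring the pattern in the article: an .rpmsg
# attachment plus a "Read the message" button whose URL leads off-tenant.
SAMPLE_EML = """\
From: billing@example-sender.test
To: accounts@example-recipient.test
Subject: Invoice 4471 (encrypted)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>You have received a protected message.</p>
<a href="https://lookalike-viewer.example/read?id=0123456789abcdef">Read the message</a>
</body></html>
--b1
Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def triage_rpmsg_mail(raw: str) -> dict:
    """Return .rpmsg attachment names and any 'Read the message' links whose host
    is not on the allowlist; 'flag' is True when both indicators are present."""
    msg = email.message_from_string(raw, policy=policy.default)
    rpmsg_files = [p.get_filename() for p in msg.iter_attachments()
                   if (p.get_filename() or "").lower().endswith(".rpmsg")]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    suspicious_links = []
    # Only anchors whose visible text is the "Read the message" button are checked.
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        if "read the message" not in text.lower():
            continue
        host = urlparse(href).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS):
            suspicious_links.append(href)
    return {"rpmsg_attachments": rpmsg_files, "suspicious_links": suspicious_links,
            "flag": bool(rpmsg_files and suspicious_links)}

if __name__ == "__main__":
    print(triage_rpmsg_mail(SAMPLE_EML))
```

A hit on both indicators is a reason to quarantine the mail for analyst review rather than to block outright, since legitimate encrypted messages also carry .rpmsg attachments.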

Commentary by Thomas Uhlemann, Security Specialist at ESET:

Email is still one of, if not THE, most insecure means of (business) communication. Malicious actors do not have to break a lot of sweat when forging a phishing email sent from a genuine-looking sender. This clever attack scenario highlights the importance of security strategies such as single sign-on, where a user is logged in automatically in legitimate and trustworthy networks or resources. Another one is of course awareness and security trainings for all employees! Employees in any organization can enjoy a much safer environment if they know:

  •  which signs to look for to spot phishing mails
  •  which requests to log in, and where, are legitimate
  •  that security is more important than speed and that it’s absolutely fair to contact the supposed sender of the mail by phone or other means to make sure the request is valid

Mail and gateway security solutions can also assist in filtering out the majority of spam and phishing mails, so the workforce doesn’t have too much load in figuring out which mails are legit and which are not. A reliable endpoint security solution, which is capable of scanning opened websites and URLs, can also stop phishing sites from being accessed before an employee decides to give their credentials away.

*ESET does not bear any responsibility for the accuracy of this information.
