Dropbox Sign Breach Exposes Customer Data
Cloud storage giant Dropbox has recently disclosed a data breach affecting its eSignature service, Dropbox Sign (formerly HelloSign). The incident highlights the ongoing risks businesses…
Microsoft RPMSG messages used in new phishing attack inside Microsoft 365
Description
In targeted phishing attacks that bypass email security gateways, attackers employ encrypted RPMSG attachments sent through compromised Microsoft 365 accounts to steal Microsoft credentials.
RPMSG files are encrypted email message attachments generated using Microsoft’s Rights Management Services (RMS), which provide an additional safeguard for sensitive information by limiting access solely to authorised recipients.
To access these encrypted RPMSG attachments, recipients must authenticate using their Microsoft account credentials or acquire a one-time passcode to decrypt the contents.
The RPMSG are now being used through the authentication requirements to trick users into handing over their Microsoft 365 credentials using illegitimate login forms.
The malicious emails from the threat actors prompt the targets to click on a “Read the message” button to decrypt and access the protected message. This action redirects them to an Office 365 webpage where they are prompted to sign in to their Microsoft account.
Once the recipients authenticate themselves through this genuine Microsoft service, they can view the phishing email from the attackers. Upon clicking a “Click here to Continue” button, they are directed to a counterfeit SharePoint document hosted on Adobe’s InDesign service.
After clicking “Click Here to View Document,” users are directed to a final destination where they are presented with an empty page and a deceiving “Loading…Wait” message in the title bar. This distracts while a malicious script secretly gathers various system information.
The harvested data includes the visitor ID, connect token and hash, video card renderer details, system language, device memory, hardware concurrency, installed browser plugins, browser window specifics, and operating system architecture.
Once the script completes the data collection process, a replicated Microsoft 365 login form appears on the page. Any usernames and passwords entered into this form are transmitted to servers controlled by the attackers.
Preventions
- Detecting and combating phishing attacks like these can be challenging due to their targeted nature and low volume.
- It is even trickier that the attackers utilise trusted cloud services like Microsoft and Adobe to send phishing emails and host content, making them appear more legitimate.
- It’s important to note that encrypted RPMSG attachments hide phishing messages from email scanning gateways. In these attacks, the phishing email typically contains just one hyperlink, which directs potential victims to a genuine Microsoft service.
- Organisations can educate their staff about this threat and warn them not to attempt to decrypt or open unexpected messages from unknown sources.
- Additionally, organisations can enable Multi-Factor Authentication (MFA) as a preventive measure to reduce the chances of Microsoft 365 accounts becoming compromised.
- Ensure you keep Microsoft 365 updated with the latest security patches. Updates could also help mitigate such attacks.
Related links
Related articles
Social Media Fraud: The Evolving Threat and How to Defend Yourself
Social media platforms offer connection and entertainment, but they’ve also become a hunting ground for sophisticated scammers. These criminals are increasingly turning to a combination…
DarkGate Malware: Threat Exploiting AutoHotkey
The DarkGate malware family, a persistent threat since 2018, has recently resurfaced in a sophisticated global campaign. This Remote Access Trojan (RAT), built using the…