Hackers are using encrypted Restricted Permission Message (RPMSG) files via compromised Microsoft 365 accounts to steal login credentials. This is according to security specialist Trustwave.
According to Trustwave, the RPMSG files are abused to trick victims into handing over their Microsoft login credentials via a phishing attack. The RPMSG attachments sent in phishing emails are intended to help the attackers bypass the operation of email security gateways.
RPMSG files are encrypted attachments that are intended to provide an extra layer of protection by making the contents accessible only to authorized recipients.
Attack path
The “legitimately” sent fake attachments dish victims a pretend login form. They must click a “read message” button to “decrypt” and open the message.
After this, they are redirected to an Office 365 page where they are asked to log in with their Microsoft account. Eventually, victims are redirected to a “Click Here to View Document,” a malicious script that installs malware.
This malware steals information such as the visitior ID, connect token and hash, video card rendering information, device memory, hardware concurrency, installed browser plugins, browser window details and OS architecture. Usernames and passwords are also eventually sent to servers controlled by the attackers.
Difficult to combat
According to the researchers, these types of attacks are difficult to detect and counter, the researchers point out. This is because of the low volume and targets. Also, the use of trusted cloud services such as Microsoft and Adobe makes it easy for hackers to carry out these attacks.
As the main remedy, Trustwave researchers advocate the use of MFA.
Also read: ‘Dutch hacker steals personal data of millions of Austrian citizens’