Security specialists at Trustwave have discovered that hackers are using encrypted Restricted Permission Message (RPMSG) files, sent through compromised Microsoft 365 accounts, to steal credentials. These malicious attachments are designed to bypass email security gateways and present victims with a fake login form. When a victim clicks the “read message” button to “decrypt” and open the message, they are redirected to an Office 365 page that asks them to sign in with their Microsoft account. From there they are redirected to a malicious script that installs malware, which collects information such as the visitor ID, connect token and hash, video card rendering information, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture. The harvested usernames and passwords are then sent to servers controlled by the attackers.
According to the researchers, these attacks are difficult to detect and counter because of their low volume and targeted goals. The use of trusted cloud services such as Microsoft and Adobe also makes it easier for the attackers to carry them out. The researchers at Trustwave recommend Multi-Factor Authentication (MFA) as the main remedy.