CTI Flash Briefing

Microsoft365 accounts targeted by attackers sending encrypted attachments

James Beal
Hunter Strategy
3 min read · May 26, 2023


Breakdown

Microsoft created what it calls restricted permission message (.rpmsg) files: an email message that is encrypted and saved as an attachment to a standard email. The recipient must be authorized to view the attachment, and that authorization is checked against their Microsoft email and password or a one-time passcode. The phishing campaign abuses this feature to get a file past email filtering and attachment sandboxing systems and into the target's inbox.

Overview

The attacker sends an email with the encrypted attachment. The recipient has to provide a valid Microsoft email and password or request a one-time passcode, which is the normal, legitimate flow for these messages. Once they open the attachment, it redirects to a fake document, in this case a SharePoint document, and then to a website created by the attacker. The site is set up to look like a page stuck trying to load, but it is actually running malicious scripts in the background that gather information on the target. It eventually loads a fake M365 login screen to get the target to enter their Microsoft email and password, so those credentials are stolen as well.

An image of the fake SharePoint document that appears to be hosted from a trusted Adobe link:

Recommendation

A low-volume, targeted phishing attack is very hard to counter with information security tools alone. This is an email sent from a compromised account on a trusted cloud service, with an attachment encrypted by a legitimate Microsoft tool and, as mentioned above, designed to bypass email scanning and attachment monitoring. Trustwave, after researching the activity, offers several potential mitigations:

1. Consider how you handle inbound messages with .rpmsg attachments from outside parties. Depending on how many you expect, or your users’ need to receive them, you may want to consider blocking, flagging or manually inspecting .rpmsg attachments.

2. Monitor inbound email streams for emails from MicrosoftOffice365@messaging.microsoft.com with the Subject: “Your one-time passcode to view the message”. This may give insight into users who have received .rpmsg messages and have requested a passcode.

3. Educate your users on the nature of the threat, and not to attempt to decrypt or unlock unexpected messages from outside sources.

4. To help prevent Microsoft 365 accounts being compromised, enable Multi-Factor Authentication (MFA).
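As an added example (not part of the original briefing or Trustwave's research), the following Python script applies suggestions 1 and 2 to raw inbound mail: it flags .rpmsg attachments arriving from outside the organisation and the Microsoft one-time-passcode notices that reveal a user has asked to unlock such a message. The internal domain and the sample messages are constructed placeholders.

```python
import email
import email.utils
from email import policy

INTERNAL_DOMAIN = "example.com"  # assumption: your own mail domain (placeholder)
OTP_SENDER = "microsoftoffice365@messaging.microsoft.com"  # sender named in the briefing
OTP_SUBJECT = "your one-time passcode to view the message"  # subject named in the briefing


def classify(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message: 'otp-request' and/or 'external-rpmsg'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    subject = str(msg["Subject"] or "").strip().lower()
    findings = []
    # Suggestion 2: the passcode notice shows a user requested a code to open an .rpmsg
    if addr == OTP_SENDER and subject == OTP_SUBJECT:
        findings.append("otp-request")
    # Suggestion 1: an .rpmsg attachment arriving from outside the organisation
    if not addr.endswith("@" + INTERNAL_DOMAIN):
        for part in msg.iter_attachments():
            if (part.get_filename() or "").lower().endswith(".rpmsg"):
                findings.append("external-rpmsg")
                break
    return findings


# Constructed sample messages (not real mail); sender domains are placeholders.
SAMPLE_EXTERNAL_RPMSG = b"""From: billing@partner-example.net
To: alice@example.com
Subject: Encrypted invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"

(constructed placeholder bytes)
--b1--
"""

SAMPLE_OTP = b"""From: MicrosoftOffice365@messaging.microsoft.com
To: alice@example.com
Subject: Your one-time passcode to view the message

Your passcode is 123456
"""

if __name__ == "__main__":
    for name, raw in [("external", SAMPLE_EXTERNAL_RPMSG), ("otp", SAMPLE_OTP)]:
        print(name, classify(raw))
```

In practice the same function would run over messages pulled from the mail gateway's journal or a SIEM export rather than inline literals.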

Conclusion

To our current SOC partners: please reach out to our SOC team to learn the best steps for researching your exposure to this threat. If you have any questions about this ongoing event or need any level of security assistance, please contact Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net
