• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

 | 

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks

Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks

Pierluigi Paganini May 29, 2023

Experts warn of phishing attacks that are combining the use of compromised Microsoft 365 accounts and .rpmsg encrypted emails.

Trustwave researchers have observed threat actors using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts in a phishing campaign aimed at stealing Microsoft credentials.

RPMSG files are used to deliver e-mails with Rights-Managed Email Object Protocol enabled. This protocol controls e-mail access and usage permissions. Instead of a plain text, e-mails via RPMSG files are sent with content encrypted and stored as encrypted file attachment.

The recipients can read the encrypted messages only after being authenticated with their Microsoft account or obtaining a one-time passcode. 

The attacks analyzed by Trustwave commenced with a phishing message originating from a compromised Microsoft 365 account, in this case from the payments processing company Talus Pay.

“The recipients were users in the billing department of the recipient company. The message shows a Microsoft encrypted message. In the email, the From: and To: email address displayed in the header were the same, but the message was delivered to various third party recipients.” reads the report published by Trustwave.

RPMSG files phishing

The message attempts to trick recipients into clicking the “Read the message” button to decrypt the protected message. Upon clicking the link, the recipients are redirected to an Office 365 webpage with a request to sign into their Microsoft account.

Once authenticated with the Microsoft service, the recipients are redirected to a page displaying the attackers’ phishing email. The message contains a “Click here to Continue” button that points to a fake SharePoint document hosted on Adobe’s InDesign service.

RPMSG files phishing

If the recipient clicks on “Click Here to View Document” on the Adobe document, he will be redirected to the final page, which resembles the domain of the original sender, Talus Pay. However, this landing page has a .us TLD and was registered recently on May 16, 2023.

​The page only displays a “Loading…Wait” message in the title bar, while in the background it relies on a Javascript that collects system information.

The script uses the open source FingerprintJS library to collect recipient’s data, including visitor ID, connect token (hardcoded from the configuration), connect hash (hardcoded from the configuration), video card renderer information, system language, device memory, hardware concurrency (# of processor), browser plugins installed, browser window size, orientation, and screen resolution, and OS architecture.

Once the script has completed the collection data, the page will show a fake cloned Microsoft 365 login form. Once the recipient has provided its credentials, they will be sent to a remote server under the control of the attackers.

“These phishing attacks are challenging to counter. They are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe). The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.” concludes the report. “The use of encrypted .rpmsg messages means that the phishing content of the message, including the  URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RPMSG files)


facebook linkedin twitter

Cybercrime Hacking hacking news information security news IT Information Security phishing Pierluigi Paganini RPMSG Security Affairs Security News

you might also like

Pierluigi Paganini July 14, 2025
Interlock ransomware group deploys new PHP-based RAT via FileFix
Read more
Pierluigi Paganini July 14, 2025
Global Louis Vuitton data breach impacts UK, South Korea, and Turkey
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Interlock ransomware group deploys new PHP-based RAT via FileFix

    Cyber Crime / July 14, 2025

    Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

    Data Breach / July 14, 2025

    Experts uncover critical flaws in Kigen eSIM technology affecting billions

    Security / July 14, 2025

    Spain awarded €12.3 million in contracts to Huawei

    Intelligence / July 14, 2025

    Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

    Security / July 13, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT