Microsoft Encrypted Restricted Permission Messages Deliver Phishing

Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message. At this stage, we are exploring and uncovering different aspects of this campaign and will share here some of our observations to date.

The Email

It starts with an email that originated from a compromised Microsoft 365 account, in this case from Talus Pay, a payments processing company. The recipients were users in the billing department of the recipient company. The message shows a Microsoft encrypted message. In the email, the From: and To: email address displayed in the header were the same, but the message was delivered to various third party recipients.

Note the email has a .rpmsg attachment, a Microsoft technology which stands for restricted permission message file. Essentially it is an encrypted email message stored as an attachment. As a recipient, you must be authorized to view the message. This check is performed by some form of authentication by the Rights Management service that was used to protect the file. Your Microsoft email and password might be checked or you might apply for a one-time passcode. The permissions can also extend to whether the recipient can forward the original message.

Note: After this email was sent, Talus Pay, to its credit, sent out an email to its contacts warning that one of its accounts had been compromised and it was investigating.

Viewing the Message

In the message body, behind the “Read the message” button there is a long URL that points to office365.com in order to be able to view the message:

hxxps://outlook.office365[.]com/Encryption/retrieve.ashx?recipientemailaddress=[redacted]&senderemailaddress=rmcbride%40chambless-math.com&senderorganization=AwGEAAAAAoAAAAADAQAAANPu52tb0WpLrMi8HJFYSWFPVT1jaGFtYmxlc3NtYXRoLm9ubWljcm9zb2Z0LmNvbSxPVT1NaWNyb3NvZnQgRXhjaGFuZ2UgSG9zdGVkIE9yZ2FuaXphdGlvbnMsREM9TkFNUFIxNEEwMDcsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTRAVEmk%2fx2JNil9Bqbi8411DTj1Db25maWd1cmF0aW9uLENOPWNoYW1ibGVzc21hdGgub25taWNyb3NvZnQuY29tLENOPUNvbmZpZ3VyYXRpb25Vbml0cyxEQz1OQU1QUjE0QTAwNyxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NAQ%3d%3d&messageid=%3cPH7PR19MB780122DAFF0EDCF5E97BFB26D3799%40PH7PR19MB7801.namprd19.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7bD0E409A0-AF9B-4720-92FE-AAC869B0D201%7d%40chamblessmath.onmicrosoft.com&consumerEncryption=false&senderorgid=5526729b-5da8-4878-b9f5-96944d3c71c6&urldecoded=1&e4e_sdata=gn5PbAvAmx%2bZiHudqA2%2bxzmczqO%2b74dasBg%2bMjGZzpR7h%2fKpCNG%2bB%2bC9oraTIgHVWFBtsn4r%2bwRBMY69GQ3vgLpv%2fZ96qN3U6P8iBXbp21knZRwXiQLSnHrbc33qkrzr4ngC5NH7%2bAqV2oQgqGNOam9MxBsHV%2fb3Eprr6oNm3mGhylJVmqeL6dl0QcPVCqJSWg8EshTztuFtJmG5WwO2%2fLL0OAe39SXVckcPVs1UFH3omi0OodRLlwZZT1VZEW56H6lSChGr7nNRLzGb82nC4CAINeZSv1DvQso%2bwWuuxiCtyRquMRGL2YBfAdgkIqHzKJI0iZMuEhWjl%2b%2buACjVxA%3d%3d

Note the sender email address hidden in that link:

senderemailaddress=rmcbride@chambless-math.com

And the Microsoft 365 organization domain:

chamblessmath.onmicrosoft.com

Clicking the link will show this Microsoft Encrypted message page: 

If you don’t authenticate with your Microsoft account, you can ask for a one-time passcode which Microsoft will email to you to be able to decrypt the message. 

If you generate a passcode and enter it, you would then be able to view the contents of the message online at Microsoft. The message below has a bogus SharePoint theme.

Landing Page and Redirection

If you clicked the “Click here to Continue,” you would be directed to another fake SharePoint document, this time hosted on Adobe’s InDesign service:

hxxps://indd.adobe[.]com/view/4c97ff1d-d526-4673-83bf-594684c6885f

The Phishing Site

If you “Click Here to View Document” on the Adobe document you will be redirected to the final destination, the domain of which resembles the domain of the original sender, Talus Pay. But this domain has a .us TLD and was registered recently on the 16 May 2023.

hxxps://taluspay.taluspays[.]us/?1No=o4vOLE

If you browsed to this site, you would immediately see a “Loading…Wait” in the title bar. 

But in the background, JavaScript, using the open source FingerprintJS library, would be executed to fingerprint the user’s browser.  Data collected includes:

• visitor ID
• connect token (hardcoded from the configuration),
• connect hash (hardcoded from the configuration),
• video card renderer information
• system language
• device memory
• hardware concurrency (# of processor)
• browser plugins installed
• browser window size, orientation, and screen resolution
• OS architecture

Finally, you would be presented the final phony Microsoft 365 phishing credential site.

Other Samples

In addition to the message example above, we have seen two other email examples, and are aware of other URLs as well (for example this Joe Sandbox report).  No doubt there are others as well.

The other email examples were very similar in style but were received from a different compromised Microsoft 365 accounts, they had the following subjects:

Farmers and Merchants State Bank 05/18

SCANTRON 05/19

The messages were almost identical in style to the Talus Pay sample.

The same email address was used in the link:

senderemailaddress=rmcbride@chambless-math.com

But they pointed to slightly different Adobe hosting links. Below is the one for Farmers and Merchant’s State Bank, which was still alive at the time of visiting:

hxxps://indd.adobe[.]com/view/2eafc949-d4c0-4def-82e0-a5a87c028d8a

For the email relating to the Farmers Bank, the final destination was again a domain related to the sender of the email with a .us TLD, this time registered on 18 May 2032. This link was dead at the time of visiting.

hxxps://fmsbscotland.fmsbscotland[.]us/?L8N=KAe5

Conclusion and Mitigation

These phishing attacks are challenging to counter. They are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe). The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.

The use of encrypted .rpmsg messages means that the phishing content of the message, including the  URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service. The only clue that something might be amiss is the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email.  The link was likely generated from yet another compromised Microsoft account.

In terms of mitigation:

• Consider how you handle inbound messages with .rpmsg attachments from outside parties. Depending on how many you expect, or your users’ need to receive them, you may want to consider blocking, flagging or manually inspecting .rpmsg attachments.
• Monitor inbound email streams for emails from MicrosoftOffice365@messaging.microsoft.com with the Subject: “Your one-time passcode to view the message”. This may give insight into users who have received .rpmsg messages and have requested a passcode.
• Educate your users on the nature of the threat, and not to attempt to decrypt or unlock unexpected messages from outside sources.
• To help prevent Microsoft 365 accounts being compromised, enable Multi-Factor Authentication (MFA).

For Trustwave MailMarshal customers, you can create a rule for inbound traffic, and recognize the attachment type by the FileType “Restricted-permission message” under “Azure IRM protected documents.” You can also use a Filename extension rule with *.rpmsg.  In terms of action, you can choose to quarantine, copy, or stamp the message or subject with a warning. We are continuing to track this campaign and are responding with updated protections as needed.

IOCs

Sender Address used in links in .rpmsg messages:

rmcbride@chambless-math.com

Intermediate Landing Pages:

hxxps://indd.adobe[.]com/view/4c97ff1d-d526-4673-83bf-594684c6885f
hxxps://indd.adobe[.]com/view/2eafc949-d4c0-4def-82e0-a5a87c028d8a

Phishing Sites:

hxxps://taluspay.taluspays[.]us/?1No=o4vOLE
hxxps://fmsbscotland.fmsbscotland[.]us/?L8N=KAe5

Yara rules for Phishing page:

rule rpmsg_phish_landing_page
{
    meta:
        description = "detects JS obfuscation on the intermediate landing page"
    strings:
        $str_conn = "connectURL"
        $str_foll = "followRedirectURL"
        $str_ckey= "cookieKey"
        $str_cdmn= "cookieDomain"
        $str_ctest = "cookietest=1"
        $string_fpjs = "https://m1.openfpcdn.io/fingerprintjs/"
    condition:
        all of them
}

rule rpmsg_phish_main_page

{

    meta:

        description = "detects the main phishing page configuration"

        author = "Trustwave SpiderLabs"

    strings:

        $str_htmltag = "<!DOCTYPE html>"

        $str1 = "dumpLocalCookies"

        $str2 = "dumpLocalStorage"

        $str3 = "WebSocketSubject"

        $str4 = "WebSocketCtor"

        $str5 = "hookServerURL"

        $b64_wss = "d3NzOi"

        $str7 = "https://github.com/zloirock/core-js"

    condition:

        all of them

}