Modern phishing methods involve abusing legitimate cloud services to circumvent email security solutions and direct malicious email directly to the victim’s inbox.
In this latest example, Trustwave cybersecurity researchers have discovered a cybercriminal who is abusing Microsoft’s Rights Management Services (RMS) to deliver links to fake landing pages to their victims. The researchers say the attacks are highly targeted and quite difficult to mitigate.
During the attack, cybercriminals will use a previously stolen email account to send a message to their victim. The message will contain an attachment created with the RSM service, which means it will be encrypted and will have the .RPMSG extension. Microsoft designed RSM to offer an extra layer of protection for sensitive files by forcing readers to authenticate beforehand.
Theft of sensitive data
Authentication can be done with a Microsoft account or a one-time passcode.
Once users authenticate and are able to read the message, they will be redirected to a fake SharePoint document hosted by Adobe’s InDesign. The document contains a call-to-action “Click here to view the document” which takes users to a blank page with the message “Loading”. It’s just a distraction while a malicious script sucks sensitive data in the background.
Data includes visitor ID, connection token and hash, graphics card rendering information, system language, device memory, hardware concurrency, installed browser plug-ins, browser window details, and operating system architecture. Once this process is complete, the page will be reloaded into a fake Microsoft 365 login form that steals the visitor’s login information and sends it to the attackers.
“Inform your users about the nature of the threat and do not try to decrypt or unlock unsolicited messages from third-party sources,” Trustwave wrote in its report.
“To prevent your Microsoft 365 accounts from being compromised, enable Multi-Factor Authentication (MFA).”
Multi-factor authentication isn’t foolproof, but it makes cybercriminals work a lot harder to gain access to their target’s endpoints. Given that it is quite simple to set up, MFA is praised in the cybersecurity community and is considered the industry standard.
By: Beeping Computer