Modern-day phishing methods involve abusing legitimate cloud services to bypass email security solutions and place a malicious email right into the victim’s inbox.
In this latest example, cybersecurity researchers from Trustwave found a threat actor abusing Microsoft’s Rights Management Services (RMS) to provide links to fake landing pages to their victims. The attacks are highly targeted and difficult to mitigate, researchers said.
In the attack, threat actors use a previously stolen email account to send a message to their victim. The message contains an attachment created using the RSM service, meaning it will be encrypted and will carry the .RPMSG extension. Microsoft designed RSM to offer an additional layer of protection for sensitive files, by forcing readers to authenticate first.
Theft of sensitive data
Authentication can be done using a Microsoft account, or through a one-time passcode.
Once users are authenticated and given the ability to read the message, they are redirected to a fake SharePoint document hosted by Adobe’s InDesign service. The document contains a call-to-action “Click Here to View Document”, which takes users to an empty page with a “Loading” message. It’s just a distraction, while a malicious script siphons sensitive data in the background.
The data includes visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture. Once this process is complete, the page will be reloaded with a fake Microsoft 365 login form that will steal the visitor’s login credentials and send them to the attackers.
“Educate your users on the nature of the threat, and not try to decrypt or open unexpected messages from external sources,” Trustwave said in its report.
“To help prevent Microsoft 365 accounts from being compromised, enable Multi-Factor Authentication (MFA).”
Multi-factor authentication is not foolproof but makes threat actors work harder to gain access to their target endpoints. Because it’s simple to set up, MFA is praised by the cybersecurity community and considered the industry standard.
Via: Bleeping Computer