Microsoft 365 phishing attempts using RPMSG encryption

Published May 30, 2023
Author: Ash Khan

Microsoft 365 phishing attempts using RPMSG encryption

Published May 30, 2023
Author: Ash Khan

In targeted phishing attempts meant to avoid detection by email security gateways, attackers are increasingly employing encrypted RPMSG files delivered via hacked Microsoft 365 accounts to steal email host credentials.


RPMSG files are also known as restricted permission message files. They are encrypted email attachments produced with Microsoft’s Rights Management Services (RMS). They provide an additional degree of security by restricting access to authorised recipients.

To decrypt the data, recipients must authenticate using their Microsoft account or get a one-time passcode.

According to email security solutions providers, hackers are using RPMSG’s authentication requirements to deceive targets into sharing their Microsoft credentials. 

The recent case from Talus Pay appears to start with an email that originated from a compromised Microsoft 365 account. The recipients were users in the recipient company’s billing department. Furthermore, the message appears to be a Microsoft encrypted message.

The emails instruct the targets to click a “Read the message” button to decrypt and access the encrypted message. After which they are sent to an Office 365 homepage with a request to sign into their Microsoft account.

The receivers could finally access the hackers’ phishing emails after authenticating with this valid Microsoft service. Which will redirect them to a bogus SharePoint once they click a “Click here to Continue” button.

Clicking “Click Here to View Document” takes you to the ultimate destination. It shows an empty page and a “Loading…Wait” banner in the title bar. This serves as a decoy for a malicious script to collect different system information.

Data stealing phishing attempts

Visitor ID, connect token and hash, visual card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture are among the data retrieved.

When the script has finished gathering data from the targets, the page will display a cloned Microsoft 365 login form. It then transfers the input usernames and passwords to attacker-controlled servers.

Due to their low volume and targeted nature, such phishing assaults can be difficult to detect and stop. Furthermore, attackers enhance their tactics by leveraging reputable cloud services such as Microsoft and Adobe for phishing emails. Also host material adds another level of complexity and credibility.

Because the lone URL in the first phishing email directs prospective victims to a legitimate Microsoft service. Moreover, the encrypted RPMSG attachments also obscure phishing communications from email scanning gateways.

It is recommended to educate users on the nature of the threat. They should not attempt to decrypt or unlock unexpected messages from outside sources. To prevent Microsoft 365 accounts from being compromised, businesses should reduce the risks of phishing scams by enabling Multi-Factor Authentication.

Are you looking for a hosted email? Visit Now!