---
title: "Encrypted RPMSG Exploited In Microsoft 365 Phishing – Cybersecurity News | Phish Protection"
description: "Online attacks continue to become more sophisticated, and malicious players are deploying more innovative tactics than ever to launch phishing attacks."
image: "https://phishprotection.com/og/blog/cybersecurity-updates-for-the-week-22-of-2023.png"
canonical: "https://phishprotection.com/blog/cybersecurity-updates-for-the-week-22-of-2023/"
---


Online attacks continue to become more sophisticated, and malicious players are deploying more innovative tactics than ever to launch [phishing attacks](/resources/7-most-common-phishing-attacks-and-learning-to-protect-against-them). One of the latest tactics is using **RPMSG files** to extract users’ Microsoft login credentials.

In a recent development, threat actors have adopted a new attack mechanism in the phishing world. They are using encrypted [RPMSG](https://betterstudio.com/file-types/rpmsg-file-format/) attachments delivered through compromised **Microsoft 365 accounts**. _The attacks are designed to steal users' Microsoft credentials and are specifically crafted to **evade detection** by email security gateways._

RPMSG (restricted permission message) files use Microsoft’s **Rights Management Services (RMS)** to encrypt email message attachments. They add a layer of protection for sensitive information by restricting access to authorized recipients.

![Protection from phishing](https://media.mailhop.org/phishprotection/images/2023/05/protection-from-phishing-1.jpg) 

In a recent discovery by Trustwave, a platform known for its rapid threat detection and response, attackers have successfully tricked victims into divulging their **Microsoft credentials** using [fake login](https://www.cpomagazine.com/cyber-security/over-50000-fake-login-pages-targeting-major-brands-including-apple-paypal-microsoft-and-facebook/) forms. The online attackers have managed to leverage the authentication requirements of RPMSG to exploit the vulnerabilities.

### How Does the New Phishing Attack Model Work?

The new wave of online attacks **begins with an email** from a compromised Microsoft 365 account. These emails often impersonate legitimate organizations, replicating a typical phishing attack mechanism. Trustwave identified Talus Pay, a payment processing organization, as a compromised account.

The phishing emails prompt recipients to click a “Read the message” button to decrypt and access the protected message. Usually, these recipients are targeted **members of the billing** department. Once they click the button, they are redirected to an [Office 365](/content/office-365-phishing-protection/office-365-atp-anti-phishing) webpage. This page requests them to **sign into** their Microsoft account for authentication.

Once the recipients authenticate through this Microsoft service, they are shown the attackers' phishing message. That leads them to a **counterfeit SharePoint document** hosted on Adobe’s InDesign service. A “Click here to Continue” button within the document redirects victims to a final destination. There they find an empty page displaying a “Loading…Wait” message that serves as a [decoy](https://www.securityweek.com/ransomware-used-decoy-destructive-cyberattacks-ukraine/).

At the same time, a [malicious script](https://www.geeksforgeeks.org/malicious-script/) collects various pieces of system information. That includes crucial data such as connect token and hash, video card renderer information, visitor ID, system language, hardware concurrency, device memory, installed browser plugins, OS architecture, and browser window details.

Once the malicious players collect the data, they display a **cloned Microsoft 365 login** form to the victims. If they enter any passwords or usernames, the attackers receive the details on their servers.

### What Makes This Attack Mechanism So Difficult to Detect?

> “Microsoft’s built-in phishing protection in Office 365 catches the obvious attacks, but it consistently misses targeted spear phishing and zero-day threats. We see this every day - customers come to us after an incident that Microsoft Defender didn’t catch. Adding a dedicated anti-phishing layer takes five minutes and closes that gap.” - **Adam Lundrigan**, CTO, DuoCircle

Trustwave researchers explain that the **targeted nature** of these phishing attacks makes it challenging for cybersecurity experts to detect them. In addition, the attackers use trusted [cloud services](https://www.bleepingcomputer.com/news/security/new-cisa-tool-detects-hacking-activity-in-microsoft-cloud-services/) like Microsoft and Adobe to dispatch phishing emails. _Furthermore, the content stays hosted on these platforms, which makes the campaign **difficult to detect**._

Trustwave has advised enterprises and businesses to **educate their users** to mitigate risks associated with phishing attacks. Once the potential victims know the threat’s nature, they can take adequate [phishing protection](/) measures to build their line of defense.

### How Should Organizations Brace Themselves to Counter Phishing Attacks?

As [phishing techniques](/content/phishing-techniques) continue to evolve, individuals and organizations **must remain vigilant**. Employees must exercise caution while interacting with emails and keep their security measures current.

Encrypted RPMSG messages present a **new challenge** for email scanning gateways. Under this new attack model, the phishing content, including URL links, remains concealed. The email body has a single URL link pointing to an encryption service of Microsoft.

However, a potential **red flag** is the sender address specified in the URL (e.g., chambless-math.com), which is not related to the email’s apparent sender. This link is likely generated from another compromised [Microsoft account](https://securityintelligence.com/news/phishing-campaign-distributes-fake-microsoft-account-notifications/).

Cybersecurity experts recommend the following measures to mitigate the risks associated with these phishing attacks.

- Maintain a **protective approach** against inbound messages with .rpmsg attachments from external sources. Depending on the expected volume and the necessity of receiving such attachments, your employees may choose to block, flag, or manually inspect them.
- Organizations **must be watchful** of the subject line of incoming emails from the source, [MicrosoftOffice365@messaging.microsoft.com](mailto:MicrosoftOffice365@messaging.microsoft.com). If the subject line reads “Your one-time passcode to view the message,” it may be a [phishing attempt](https://www.zawya.com/en/press-release/research-and-studies/retail-giant-walmart-ranks-first-in-list-of-brands-most-likely-to-be-imitated-in-phishing-attempts-in-q1-2023-xfcron8p). This monitoring can detect users who have received RPMSG messages and have **requested a passcode**.
- Trustwave also advises users **not to try to unlock or decrypt** messages received from unknown sources. They also recommend enabling [multi-factor authentication (MFA)](https://www.globenewswire.com/en/news-release/2023/04/17/2648534/0/en/Multi-Factor-Authentication-Market-to-Reach-Valuation-of-US-49-7-Bn-at-CAGR-of-15-2-by-2032-Market-us-Report.html) for Microsoft 365 accounts. MFA adds a strong layer of defense that reduces the chance of unauthorized access.
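
One way to automate the red flag and the first two checks above on a mail stream, added here as an example (it is not code from Trustwave or Phish Protection). The internal domain list, the sample messages, the link host and the query parameter names are constructed assumptions; the subject is matched on the phrase "one-time passcode to view the message", and any address in a link's query string that matches neither From nor To is reported.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qsl

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's own mail domains
OTP_SENDER = "microsoftoffice365@messaging.microsoft.com"
OTP_SUBJECT = "one-time passcode to view the message"  # matched as a substring
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    from_dom, findings, text = domain_of(sender), [], []
    for part in msg.walk():
        # Check 1: .rpmsg attachment from a sender outside the organization.
        name = (part.get_filename() or "").lower()
        if name.endswith(".rpmsg") and from_dom not in INTERNAL_DOMAINS:
            findings.append("external-rpmsg")
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    # Check 2: a passcode notification means a user tried to open an RPMSG message.
    if sender == OTP_SENDER and OTP_SUBJECT in msg.get("Subject", "").lower():
        findings.append("otp-requested")
    # Red flag: an address embedded in the link that matches neither From nor To.
    for url in URL_RE.findall("\n".join(text)):
        for _, value in parse_qsl(urlsplit(url).query):
            if "@" in value and value.lower() != rcpt and domain_of(value) != from_dom:
                findings.append("url-sender-mismatch:" + domain_of(value))
    return findings

# Constructed samples; hosts, addresses and query parameter names are placeholders.
SAMPLE_RPMSG = """\
From: Billing <ap@vendor.example>
To: pat@corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the message: https://encryption.example/retrieve?rcpt=pat@corp.example&sender=info@unrelated.example
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.rpmsg"

AAAA
--b1--
"""
SAMPLE_OTP = ("From: MicrosoftOffice365@messaging.microsoft.com\n"
              "To: pat@corp.example\n"
              "Subject: Your one-time passcode to view the message\n\n(constructed)\n")
if __name__ == "__main__":
    print(triage(SAMPLE_RPMSG), triage(SAMPLE_OTP))
```

Whether a finding leads to a block, a flag or a manual review depends on how many legitimate encrypted messages the organization expects from outside.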

![Office 365 email protection](https://media.mailhop.org/phishprotection/images/2023/05/office-365-email-protection-0103.jpg) 

### Final Words

Cybersecurity experts **continue to track** this RPMSG-based [malicious campaign](https://securitybrief.com.au/story/bitdefender-finds-malicious-campaign-active-on-google-play) and recommend updated protective measures as necessary. By implementing these mitigation strategies and staying informed about emerging threats, organizations can **strengthen their defense** against targeted phishing attacks exploiting encrypted RPMSG messages.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

