Phishing campaigns leveraged compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver deceptive messages. Victims were guided through a sequence of hosted pages (Adobe and Microsoft services) before entering credentials on a fake Microsoft 365 site, with browser fingerprinting running in the background. #TalusPay #FarmersandMerchantsStateBank
Key points
- The phishing emails originate from compromised Microsoft 365 accounts, notably Talus Pay, targeting recipients in the billing department.
- Emails include .rpmsg attachments, which are encrypted and require authentication to view content.
- The message body contains a link to view the encrypted message; the link redirects through Microsoft/Office 365 pages for authentication.
- The phishing flow uses a fake landing page hosted on Adobe InDesign (indd.adobe.com) and a secondary domain that resembles the sender's domain (masquerading).
- A JavaScript-based fingerprinting step (FingerprintJS) collects device and browser details on the landing/phishing page.
- Several additional samples appeared from other compromised accounts (e.g., Farmers and Merchants State Bank, SCANTRON) with similar patterns.
- Mitigation focuses on handling .rpmsg attachments, enforcing MFA, user education, and monitoring inbound mail streams; Trustwave provides detections and rules for RPMSG content.
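An added triage example (not code from the Trustwave write-up): it parses a constructed .eml and flags the combination reported above, an .rpmsg attachment together with a "Read the message" link into the Office 365 encryption portal, so such messages can be queued for review. The sample message, sender/recipient addresses and the `analyze` function are assumptions made for the example.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture) mirroring the reported pattern:
# an .rpmsg attachment plus a "Read the message" link to the Office 365 portal.
SAMPLE_EML = b"""From: billing@sender.example
To: accounts@target.example
Subject: Invoice for your review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>You have received an encrypted message.</p>
<a href="https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=x">Read the message</a>
--B
Content-Type: application/x-microsoft-rpmsg-message
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAAA
--B--
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def analyze(raw_bytes):
    """Return the signals found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names, links = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.lower())
        if part.get_content_type() == "text/html":
            links.extend(HREF_RE.findall(part.get_content()))
    has_rpmsg = any(n.endswith(".rpmsg") for n in names)
    # The portal link is legitimate Microsoft infrastructure; on its own it is
    # not malicious, so only the combination is flagged for analyst review.
    portal_link = any("/encryption/retrieve.ashx" in u.lower() for u in links)
    return {
        "rpmsg_attachment": has_rpmsg,
        "portal_link": portal_link,
        "review": has_rpmsg and portal_link,
    }
```

Legitimate Microsoft encrypted mail produces the same attachment-plus-link combination, so this is a review signal to combine with sender-account and domain-age checks, not a blocking rule.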
MITRE Techniques
- [T1078] Valid Accounts – The campaign used compromised Microsoft 365 accounts to send phishing emails. Quote: ‘The emails originated from a compromised Microsoft 365 account, in this case from Talus Pay’
- [T1566.001] Spearphishing Attachment – The email includes a .rpmsg attachment, a Microsoft restricted permission message file. Quote: ‘Note the email has a .rpmsg attachment, a Microsoft technology which stands for restricted permission message file.’
- [T1566.002] Spearphishing Link – The message contains a long URL behind the “Read the message” button that points to office365.com. Quote: ‘In the message body, behind the “Read the message” button there is a long URL that points to office365.com’
- [T1036] Masquerading – The phishing landing domain resembles the sender (Talus Pay) but uses a .us TLD and a recently registered domain. Quote: ‘the final destination, the domain of which resembles the domain of the original sender, Talus Pay. But this domain has a .us TLD and was registered recently on the 16 May 2023.’
- [T1082] System Information Discovery – The phishing site collects detailed browser and system data via FingerprintJS. Quote: ‘fingerprinting the user’s browser. Data collected includes: visitor ID, connect token…, OS architecture’
- [T1204] User Execution – The user must click through to view the encrypted content and then proceed to the credential page. Quote: ‘Clicking the link will show this Microsoft Encrypted message page’
Indicators of Compromise
- [Email Address] context – example: [email protected]
- [URL] context – example: hxxps://outlook.office365[.]com/Encryption/retrieve.ashx?recipientemailaddress=… (link behind the message)
- [URL] context – example: hxxps://indd.adobe[.]com/view/4c97ff1d-d526-4673-83bf-594684c6885f
- [URL] context – example: hxxps://indd.adobe[.]com/view/2eafc949-d4c0-4def-82e0-a5a87c028d8a
- [URL] context – example: hxxps://taluspay.taluspays[.]us/?1No=o4vOLE
- [URL] context – example: hxxps://fmsbscotland.fmsbscotland[.]us/?L8N=KAe5
- [Domain] context – example: chamblessmath.onmicrosoft.com
- [Domain] context – example: chambless-math.com
- [Domain] context – example: taluspay.taluspays.us
- [File] context – example: .rpmsg