Threat actors have recently been observed utilizing encrypted attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways, according to security researchers at Trustwave.

RPMSG files (restricted permission message) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS). The phishing emails are sent from a compromised Microsoft 365 account to users working in the billing department of the recipient business. To view the message, victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode and are then directed through various additional spoofed pages to access the documents. Read more at BleepingComputer.