In this attack, attackers are impersonating a notification from Zoom in order to steal Microsoft credentials of employees.
This is an attack that we’ve seen across several organizations, with specific elements of the attack (like the name and logo on the fake Office 365 landing page) customized for the company of each target recipient. Although the attackers are trying to disguise their location by using many different VPN sources, the messages all look similar, were sent during a short, discrete time period, and use the same VPN services, which leads us to believe that these are coordinated attacks by the same malicious actor.
What was the Attack?
- Setup: This attack leverages the changing work landscape as employees move to working from home because of COVID-19 shelter-in-place orders. As a result, people are switching to having online meetings through video conferencing software such as Zoom.
- Email Attack: This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom. The email masquerades as an automated notification stating that the user has recently missed a scheduled meeting and implores the user to visit the link for more details and a recording of the meeting.
- Payload: The email contains a link to a fake login page hosted on “zoom-#####-web.app” (the #’s change between attacks). Links to the phishing page are hidden behind an innocuous, legitimate-looking Zoom link. Interestingly, the link leads to a fake Microsoft login page with the name of the user’s organization and Zoom displayed above the sign-in fields. This indicates that the attackers are more interested in the user’s Microsoft credentials, which can be used to access a larger trove of sensitive information.
- Result: Should recipients fall victim to this attack, their login credentials as well as any other information stored on accounts associated with Microsoft will be compromised.
Why is this attack effective?
- Urgency: The email pretends to be a notification that the user has missed a scheduled Zoom meeting and includes a link that conceivably contains more details and a recording. Furthermore, the message states that Zoom will keep the recording for only 48 hours, after which it will be deleted. When the user clicks on the link to learn more, they are brought to the fake login page and their credentials are stolen by the attacker.
- Personalized email and landing page: The email appears to be a legitimate email from Zoom about a missed meeting. The message is formatted with the would-be victim’s username, and the link in the email also contains their username. The landing page is a carbon copy of the Microsoft login page, except that the only working functionality on the phishing page is the login fields used to steal credentials. Recipients would be hard-pressed to recognize that this was, in fact, a site designed specifically to steal their credentials.
- Timing: Given the current situation, people have become accustomed to various notifications and invitations from video conferencing software. As a result, users may not question the email and follow the link without further investigation.
Abnormal Attack Stories are real-world examples of attacks that we’ve seen in the wild.