The COVID-19 pandemic has forced employees to work from home, making it harder than ever to secure environments. In this attack, attackers impersonate Zoom in order to steal Microsoft Office 365 credentials of employees—hoping to catch busy employees off-guard.
Summary of the Attack
- Platform: Office 365
- Email Security Bypassed: IronPort
- Payload: Malicious Link
- Technique: Spoofed Email
Overview of the Office 365 Phishing Attack
Zoom has become an essential tool for remote working at many companies, as employees use it to video conference their colleagues, take part in all-hands meetings, and screen share in meetings. As a result, there has been an increased number of email fraud attacks impersonating this popular video conferencing application.
In this attack, the email is sent from an email address that spoofs the official Zoom email address. It mimics an automated notification from Zoom and claims that the recipient will be unable to utilize the service until they use the link provided in the email to activate their account again.
The email contains a link concealed within the text that redirects to a page hosted on an unrelated domain, which is likely hijacked by the attackers. This link redirects to a fake Microsoft login page hosted on another domain. Though the email impersonates the Zoom brand, the attacker is targeting the recipient's Microsoft credentials, which can be used to access a larger trove of sensitive information.
The attackers attempt to take advantage of busy workers, who need to access Zoom and may not think to check that the URL has been redirected. Should recipients fall victim to this attack, their Microsoft login credentials, as well as any other information stored on those accounts, will be compromised. Once compromised, attackers would have access to existing email conversations, files within Microsoft Teams and Microsoft Sharepoint, as well as the ability to use that account to send additional email attacks targeting the victim's coworkers, partners, and customers.
Why This Attack Bypassed Existing Security
In this attack, the email appears to be sent from the official Zoom email address, giving the email itself an air of legitimacy. The landing page of the attack also looks identical to the Microsoft login page. At first glance, one would be easily fooled by the advanced tactics utilized by the attacker.
Abnormal was able to detect this attack when others couldn't due to the abnormal recipient pattern where all recipients were BCC'ed, as well as the impersonation of such a well-known brand during a time when that brand has seen increased spoofs.
As we work from home, this email serves as a reminder that cybercriminals will take advantage of any situation and employees must be prepared. It's vital to always check the sender, the email content, and the link to ensure that all login requests are legitimate—no matter how convincing the email or the landing page may be.
Interested in how Abnormal can protect your organization from brand impersonation emails and credential phishing attacks? Request a demo to learn more.