Zoom Spoofed in Office 365 Credential Phishing Attack

July 8, 2020

The COVID-19 pandemic has forced employees to work from home, making it harder than ever to secure environments. In this attack, attackers impersonate Zoom in order to steal Microsoft Office 365 credentials of employees—hoping to catch busy employees off-guard.

Summary of the Attack

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Office 365 Phishing Attack

Zoom has become an essential tool for remote working at many companies, as employees use it to video conference with their colleagues, take part in all-hands meetings, and share their screens in meetings. As a result, there has been an increased number of email fraud attacks impersonating this popular video conferencing application.

In this attack, the email is sent from an email address that spoofs the official Zoom email address. It mimics an automated notification from Zoom and claims that the recipient will be unable to use the service until they follow the link provided in the email to reactivate their account.

The email contains a link concealed within the text that redirects to a page hosted on an unrelated domain, which is likely hijacked by the attackers. This link redirects to a fake Microsoft login page hosted on another domain. Though the email impersonates the Zoom brand, the attacker is targeting the recipient's Microsoft credentials, which can be used to access a larger trove of sensitive information.

The attackers attempt to take advantage of busy workers, who need to access Zoom and may not think to check where the URL actually redirects. Should recipients fall victim to this attack, their Microsoft login credentials, as well as any other information stored on those accounts, will be compromised. Once compromised, attackers would have access to existing email conversations, files within Microsoft Teams and Microsoft SharePoint, as well as the ability to use that account to send additional email attacks targeting the victim's coworkers, partners, and customers.

Why This Attack Bypassed Existing Security

In this attack, the email appears to be sent from the official Zoom email address, giving the email itself an air of legitimacy. The landing page of the attack also looks identical to the Microsoft login page. At first glance, one would be easily fooled by the advanced tactics utilized by the attacker.

Abnormal was able to detect this attack when others couldn't due to the abnormal recipient pattern where all recipients were BCC'ed, as well as the impersonation of such a well-known brand during a time when that brand has seen increased spoofs.
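The signals described above (a sender claiming to be a heavily spoofed brand, every recipient BCC'ed, and a concealed link that leaves the brand's domain) written up as a small mail-triage heuristic. This is an added example, not Abnormal's detection logic or code from the post; it assumes the mail gateway stamps an `Authentication-Results` header and that the SOC keeps a watch-list of brands currently seeing elevated spoofing, and the sample message is constructed for illustration.

```python
"""Heuristic triage for the Zoom-brand credential-phishing pattern described above.
The sample message is constructed for illustration, not a capture from the post."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the SOC keeps a watch-list of brands currently seeing elevated spoofing.
WATCHED_BRANDS = {"zoom.us"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b")

# Constructed sample (assumed headers): spoofed Zoom sender that fails SPF/DKIM,
# no visible recipients, and a "Zoom" link whose href leaves the brand's domain.
SUSPECT = """\
From: Zoom <no-reply@zoom.us>
To: undisclosed-recipients:;
Subject: Action required: reactivate your Zoom account
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=zoom.us; dkim=none
Content-Type: text/html; charset=utf-8

<p>Your Zoom account is suspended until you reactivate it.</p>
<p><a href="https://unrelated-example.test/r/x">https://zoom.us/activate</a></p>
"""

def _in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def analyse(raw):
    """Return the sorted list of indicator tags found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    tags = set()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    brand = next((b for b in WATCHED_BRANDS if _in_domain(sender_domain, b)), None)
    if brand:
        tags.add("watched-brand-sender")       # claims to be a heavily spoofed brand
        if AUTH_FAIL_RE.search(msg.get("Authentication-Results", "").lower()):
            tags.add("sender-auth-failed")     # the brand's own domain did not authenticate
    to_hdr = msg.get("To", "").strip()
    if not to_hdr or re.match(r"undisclosed-recipients\s*:", to_hdr, re.I):
        tags.add("bcc-only-recipients")        # everyone BCC'ed: no visible To: recipients
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        visible = re.sub(r"<[^>]+>", "", text).lower()
        for b in WATCHED_BRANDS:
            if (b in visible or b.split(".")[0] in visible) \
                    and not _in_domain(urlparse(href).hostname, b):
                tags.add("deceptive-link")     # link text names the brand, href goes elsewhere
    return sorted(tags)
```

A message carrying all four tags is a strong candidate for quarantine; a genuine Zoom notification that authenticates and links back to zoom.us yields only the brand tag.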

As we work from home, this email serves as a reminder that cybercriminals will take advantage of any situation and employees must be prepared. It's vital to always check the sender, the email content, and the link to ensure that all login requests are legitimate—no matter how convincing the email or the landing page may be.

Interested in how Abnormal can protect your organization from brand impersonation emails and credential phishing attacks? Request a demo to learn more.
