Zoom Spoofed in Office 365 Credential Phishing Attack

July 8, 2020

The COVID-19 pandemic has forced employees to work from home, making it harder than ever to secure environments. In this attack, attackers impersonate Zoom in order to steal Microsoft Office 365 credentials of employees—hoping to catch busy employees off-guard.

Summary of the Attack

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Office 365 Phishing Attack

Zoom has become an essential tool for remote working at many companies, as employees use it to video conference their colleagues, take part in all-hands meetings, and screen share in meetings. As a result, there has been an increased number of email fraud attacks impersonating this popular video conferencing application.

In this attack, the email is sent from an email address that spoofs the official Zoom email address. It mimics an automated notification from Zoom and claims that the recipient will be unable to utilize the service until they use the link provided in the email to activate their account again.

The email contains a link concealed within the text that redirects to a page hosted on an unrelated domain, which is likely hijacked by the attackers. From there, the recipient is redirected to a fake Microsoft login page hosted on another domain. Though the email impersonates the Zoom brand, the attacker is targeting the recipient's Microsoft credentials, which can be used to access a larger trove of sensitive information.

The attackers attempt to take advantage of busy workers, who need to access Zoom and may not think to check that the URL has been redirected. Should recipients fall victim to this attack, their Microsoft login credentials, as well as any other information stored on those accounts, will be compromised. Once compromised, attackers would have access to existing email conversations, files within Microsoft Teams and Microsoft SharePoint, as well as the ability to use that account to send additional email attacks targeting the victim's coworkers, partners, and customers.

Why This Attack Bypassed Existing Security

In this attack, the email appears to be sent from the official Zoom email address, giving the email itself an air of legitimacy. The landing page of the attack also looks identical to the Microsoft login page. At first glance, one would be easily fooled by the advanced tactics utilized by the attacker.

Abnormal was able to detect this attack when others couldn't due to the abnormal recipient pattern where all recipients were BCC'ed, as well as the impersonation of such a well-known brand during a time when that brand has seen increased spoofs.
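The signals described above (a recipient who appears only in BCC, a Zoom-branded sender, and a link that leads off Zoom's own domains) can be checked mechanically on a delivered message. The Python below is an added example, not Abnormal's detection logic; the BRAND_DOMAINS allow-list, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumption: hosts the impersonated brand legitimately links to.
BRAND_DOMAINS = {"zoom": ("zoom.us", "zoom.com")}

# Constructed sample message; every address and URL is a placeholder.
SAMPLE = """\
From: Zoom <no-reply@zoom.us>
To: undisclosed-recipients:;
Subject: Your Zoom account has been suspended
Content-Type: text/html; charset="utf-8"

<p>You cannot use Zoom until you
<a href="https://hijacked-site.example/r?id=1">activate your account</a>.</p>
"""

def claimed_brand(msg):
    """Brand named in the From display name or sender domain, if any."""
    name, addr = parseaddr(str(msg.get("From", "")))
    text = f"{name} {addr.rpartition('@')[2]}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)

def off_brand_links(msg, brand):
    """Hosts behind anchor hrefs that fall outside the brand's own domains."""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    hosts = {urlparse(u).hostname or "" for u in re.findall(r'href=["\']([^"\']+)', html)}
    good = BRAND_DOMAINS[brand]
    return sorted(h for h in hosts
                  if h and not any(h == d or h.endswith("." + d) for d in good))

def triage(raw, delivered_to):
    """Return the signals this message trips for the envelope recipient."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    listed = getaddresses([str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])])
    if delivered_to.lower() not in {a.lower() for _, a in listed if a}:
        signals.append("recipient-bcc-only")
    brand = claimed_brand(msg)
    bad = off_brand_links(msg, brand) if brand else []
    if bad:
        signals.append(f"{brand}-link-off-domain:{','.join(bad)}")
    return signals

if __name__ == "__main__":
    print(triage(SAMPLE, "employee@corp.example"))
```

Neither signal is conclusive on its own: legitimate mailing lists also deliver via BCC, so the two are most useful when they fire together on a message that carries a well-known brand.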

As we work from home, this email serves as a reminder that cybercriminals will take advantage of any situation and employees must be prepared. It's vital to always check the sender, the email content, and the link to ensure that all login requests are legitimate—no matter how convincing the email or the landing page may be.
