Zoom Spoofed in Office 365 Credential Phishing Attack

July 8, 2020

The COVID-19 pandemic has forced employees to work from home, making it harder than ever to secure environments. In this attack, attackers impersonate Zoom in order to steal Microsoft Office 365 credentials of employees—hoping to catch busy employees off-guard.

Summary of the Attack

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Office 365 Phishing Attack

Zoom has become an essential tool for remote working at many companies, as employees use it to video conference their colleagues, take part in all-hands meetings, and screen share in meetings. As a result, there has been an increased number of email fraud attacks impersonating this popular video conferencing application.

In this attack, the email is sent from an email address that spoofs the official Zoom email address. It mimics an automated notification from Zoom and claims that the recipient will be unable to utilize the service until they use the link provided in the email to activate their account again.

The email contains a link concealed within the text that redirects to a page hosted on an unrelated domain, which is likely hijacked by the attackers. This link redirects to a fake Microsoft login page hosted on another domain. Though the email impersonates the Zoom brand, the attacker is targeting the recipient's Microsoft credentials, which can be used to access a larger trove of sensitive information.

The attackers attempt to take advantage of busy workers, who need to access Zoom and may not think to check that the URL has been redirected. Should recipients fall victim to this attack, their Microsoft login credentials, as well as any other information stored on those accounts, will be compromised. Once compromised, attackers would have access to existing email conversations, files within Microsoft Teams and Microsoft Sharepoint, as well as the ability to use that account to send additional email attacks targeting the victim's coworkers, partners, and customers.

Why This Attack Bypassed Existing Security

In this attack, the email appears to be sent from the official Zoom email address, giving the email itself an air of legitimacy. The landing page of the attack also looks identical to the Microsoft login page. At first glance, one would be easily fooled by the advanced tactics utilized by the attacker.

Abnormal was able to detect this attack when others couldn't due to the abnormal recipient pattern where all recipients were BCC'ed, as well as the impersonation of such a well-known brand during a time when that brand has seen increased spoofs.

As we work from home, this email serves as a reminder that cybercriminals will take advantage of any situation and employees must be prepared. It's vital to always check the sender, the email content, and the link to ensure that all login requests are legitimate—no matter how convincing the email or the landing page may be.

Interested in how Abnormal can protect your organization from brand impersonation emails and credential phishing attacks? Request a demo to learn more.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 1500x1500 Modern Email Attacks Webinar Series L4 R2
Our Modern Email Attacks series has wrapped! Here are some of the biggest takeaways from Chris Krebs, Troy Hunt, and Theresa Payton.
Read More
B 1500x1500 Gartner Insights L1 R1
See our commitment to providing our customers with the best possible solution and support with these reviews from Gartner® Peer Insights™.
Read More
B 11 14 22 SPM Launch Blog Graphics
Security Posture Management gives organizations insight into cloud configuration risks and gaps across user and app privileges.
Read More
B 11 14 22 SPM Launch Blog 2
Cloud email platforms enable better collaboration, but they also create new entry points, making sensitive data more accessible to attackers.
Read More
B 1500x1500 Q3 Ransomeware L1 R2
This post explores the continuation of the sharp decline in ransomware attacks as well as a few other notable data points from Q3 2022.
Read More
B 10 05 22 Cloud Email Security Platform Essentials
Learn the 7 key capabilities a cloud email security platform should have in order to address and resolve common email security challenges.
Read More
B 11 07 22 Valimail
Discover the benefits of a modern, best-of-breed solution to email security with Abnormal Security and Valimail’s New Partnership.
Read More
B 11 07 22 Vision 23 Blog
Discover the latest trends in cybersecurity as we look toward the email threats of the future in partnership with SecureWorld.
Read More
B 1500x1500 Crimson Kingsnake L2 R1
Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.
Read More