Zoom Spoofed in Office 365 Credential Phishing Attack

July 8, 2020

The COVID-19 pandemic has forced employees to work from home, making it harder than ever to secure environments. In this attack, attackers impersonate Zoom in order to steal Microsoft Office 365 credentials of employees—hoping to catch busy employees off-guard.

Summary of the Attack

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Office 365 Phishing Attack

Zoom has become an essential tool for remote working at many companies, as employees use it to video conference their colleagues, take part in all-hands meetings, and screen share in meetings. As a result, there has been an increased number of email fraud attacks impersonating this popular video conferencing application.

In this attack, the email is sent from an email address that spoofs the official Zoom email address. It mimics an automated notification from Zoom and claims that the recipient will be unable to utilize the service until they use the link provided in the email to activate their account again.

The email contains a link concealed within the text that redirects to a page hosted on an unrelated domain, which is likely hijacked by the attackers. This link redirects to a fake Microsoft login page hosted on another domain. Though the email impersonates the Zoom brand, the attacker is targeting the recipient's Microsoft credentials, which can be used to access a larger trove of sensitive information.

The attackers attempt to take advantage of busy workers, who need to access Zoom and may not think to check that the URL has been redirected. Should recipients fall victim to this attack, their Microsoft login credentials, as well as any other information stored on those accounts, will be compromised. Once compromised, attackers would have access to existing email conversations, files within Microsoft Teams and Microsoft Sharepoint, as well as the ability to use that account to send additional email attacks targeting the victim's coworkers, partners, and customers.

Why This Attack Bypassed Existing Security

In this attack, the email appears to be sent from the official Zoom email address, giving the email itself an air of legitimacy. The landing page of the attack also looks identical to the Microsoft login page. At first glance, one would be easily fooled by the advanced tactics utilized by the attacker.

Abnormal was able to detect this attack when others couldn't due to the abnormal recipient pattern where all recipients were BCC'ed, as well as the impersonation of such a well-known brand during a time when that brand has seen increased spoofs.

As we work from home, this email serves as a reminder that cybercriminals will take advantage of any situation and employees must be prepared. It's vital to always check the sender, the email content, and the link to ensure that all login requests are legitimate—no matter how convincing the email or the landing page may be.

Interested in how Abnormal can protect your organization from brand impersonation emails and credential phishing attacks? Request a demo to learn more.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More