In this attack, attackers impersonate an automated Zoom notification in order to steal the Microsoft Office 365 credentials of employees at the targeted organizations.
Quick Summary of Attack Target
Platform: Office 365
Email Security Bypassed: IronPort
Mailboxes: More than 50,000
Payload: Malicious Link
Technique: Spoofed Email
What was the attack?
- Setup: Zoom has become essential for remote work at many companies. As a result, the number of email fraud attacks impersonating Zoom has increased.
- Email Attack: The email is sent from an address that spoofs Zoom's official sender address. It mimics an automated Zoom notification and claims that the recipient will be unable to use the service until they follow the link in the email to reactivate their account.
- Payload: The email contains a link concealed within the text. It first leads to a page on an unrelated domain (likely a hijacked site), which then redirects to a fake Microsoft login page hosted on yet another domain. Although the email impersonates the Zoom brand, the attacker is after the recipient's Microsoft credentials, which unlock a far larger trove of sensitive information than a Zoom account would.
- Result: Recipients who fall for this attack hand over their Microsoft login credentials, and with them everything stored in or reachable from those accounts.
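As an added illustration of the two signals described above (this is example code, not part of the original write-up or any vendor's product): a small Python triage script that parses a constructed sample message, reads the SPF/DKIM/DMARC verdicts from its Authentication-Results header, and flags call-to-action links whose host is not under the claimed sender's domain. The message text, the placeholder hosts (hijacked-site.example, victim-corp.example) and the verdicts are all constructed for the example and are not the attacker's real infrastructure; a second, constructed "genuine" notification shows the same checks producing no findings.

```python
"""Triage the two tells of a brand-spoofing credential phish: a From: domain the
receiving MTA could not authenticate, and links that point off-brand."""

import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attack in the write-up. Hosts are placeholders.
SAMPLE_EMAIL = """\
From: Zoom <no-reply@zoom.us>
To: employee@victim-corp.example
Subject: Your Zoom account has been suspended
Authentication-Results: mx.victim-corp.example;
 spf=fail smtp.mailfrom=attacker-relay.example;
 dkim=none; dmarc=fail header.from=zoom.us
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Zoom account has been suspended. You will be unable to use
the service until you <a href="https://hijacked-site.example/wp-content/z/">
reactivate your account</a>.</p></body></html>
"""

# Constructed control: what an authenticated, on-brand notification looks like.
LEGIT_EMAIL = """\
From: Zoom <no-reply@zoom.us>
To: employee@victim-corp.example
Subject: Cloud recording available
Authentication-Results: mx.victim-corp.example;
 spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us;
 dmarc=pass header.from=zoom.us
Content-Type: text/html; charset="utf-8"

<html><body><p>Your recording is ready:
<a href="https://zoom.us/recording/example">View recording</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results (RFC 8601)."""
    header = " ".join(str(msg.get("Authentication-Results", "")).split())
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        verdicts[method] = m.group(1).lower() if m else "missing"
    return verdicts


def same_site(host, domain):
    """True if host is the domain or a subdomain of it (no public-suffix handling)."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Return the claimed sender domain, the auth verdicts, and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    findings = []

    # Signal 1: the From: header asserts the brand's domain, but neither SPF nor
    # DMARC passed, so the receiving MTA could not tie the message to that domain.
    if auth["spf"] != "pass" and auth["dmarc"] != "pass":
        findings.append(f"sender {from_domain} unauthenticated: {auth}")

    # Signal 2: the call-to-action leads somewhere other than the brand's own site.
    for href, text in extract_links(html):
        host = urlparse(href).hostname
        if not same_site(host, from_domain):
            findings.append(f"link '{text}' -> {host} is off-brand for {from_domain}")

    return {"from_domain": from_domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(raw)["findings"])
```

The second check only looks at the first hop; in the real attack that hop redirects again to the fake Microsoft page, so a production version would also follow the redirect chain in a sandbox and compare the final landing domain against the brand in the email.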
Why is this attack effective?
- Urgency: The email pretends to be a notification that the recipient's Zoom account is suspended and that none of its services can be used. With Zoom an essential communications channel during the COVID-19 pandemic, the recipient may rush to "fix" the account, click the malicious link, and enter credentials on the attacker's page without a second look.
- Spoofed Email and Landing Page: The email appears to come from Zoom's official address, which lends it legitimacy, and the landing page looks identical to the Microsoft login page. At first glance either would fool most recipients. The tells are the mismatch between the Zoom branding and the unrelated domains in the link chain, the fact that a Zoom "reactivation" should never ask for Microsoft credentials, and, for the mail gateway, that a message which merely spoofs the From address will not pass DMARC alignment for zoom.us. Recipients should always be cautious of links in emails, and should check the address bar before entering credentials on any login page.