Abnormal Attack Stories: Zoom Phishing - Abnormal Security

Abnormal Attack Stories: Zoom Phishing

In this attack, attackers are posing as Zoom meeting notifications and asking recipients to join a Zoom meeting regarding their supposed termination. However, recipients must first log into a fake Zoom phishing page that will steal their credentials.

Quick Summary

  • Platform: Office 365
  • # Mailboxes: More than 50,000
  • Email Gateway: MessageLabs
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the attack?

  • Setup: This attack leverages the changing work landscape as employees move to working from home because of COVID-19 shelter-in-place orders. As a result, people are switching to having online meetings through video conferencing software such as Zoom.
  • Email Attack: This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom. The email masquerades as an automated notification for an important meeting with HR regarding the recipient’s termination. 
  • Payload: The email contains a link to a fake Zoom login page hosted on “zoom-emergency.myftp.org”. Links to the phishing page are hidden in text used in automated meeting notifications such as “Join this Live Meeting”.
  • Result: Should recipients fall victim to this attack, login credentials as well as any other information stored on Zoom will be compromised.

Why is this attack effective?

  • Urgency: The email masquerades as a reminder that the recipient has a meeting with HR regarding their termination. When the victim reads the email they will panic, click on the phishing link, and hurriedly attempt to log into this fake meeting. Instead, their credentials will be stolen by the attacker.
  • Convincing email and landing page: The email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page are the login fields used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials.
  • Familiarity: Frequent Zoom users would look at the login page, think their session has expired, and attempt to sign in again. They would be more likely to input their login credentials without checking the abnormalities in the phishing page such as the URL or non functioning links.

Related content