Zooming In: How Abnormal Protects Zoom from Advanced Threats
Zoom has changed the corporate landscape, turning homes into offices, helping distributed teams feel a little bit closer, and enhancing collaboration.
You may assume the worst thing that can happen on Zoom is accidentally being on mute or your camera turning on at an inopportune time. Unfortunately, we regret to inform you that Zoom is becoming another link in the attack chain for threat actors.
This isn’t surprising, especially since collaboration apps are becoming a key security concern for security teams. In fact, as I noted in my previous article on Slack security, recent research from ESG found 89% of organizations report seeing at least one attack on collaboration apps, and 52% have dealt with a multi-channel attack that included apps like Zoom. But we hear from customers that a lack of security visibility into applications like Zoom makes detecting and stopping these threats a significant challenge.
And unlike Slack, where it's relatively easy to identify potential ways that threat actors can exploit the platform—third-party phishing, internal phishing, and account compromise—the tactics an attacker would deploy on Zoom may not be as obvious.
Zoom Attacks Verge on Science Fiction but are All Too Real
Before I dive into the sci-fi attacks, let’s state the obvious: Zoombombing (when attackers use public links or private links and passwords to access corporate Zoom meetings and cause mayhem) is probably what comes to mind when you think of Zoom attacks.
Pranksters would crash Zoom meetings to derail conversations but not do anything particularly nefarious. And to Zoom’s credit, they doubled down on security and largely squashed this phenomenon.
Beyond Zoombombing, attackers like Lapsus$ would often join Zoom calls to taunt organizations they had infiltrated, but this is also not particularly harmful—the real damage obviously having been done elsewhere.
No, true Zoom threats are stranger and couched in that current hot technology topic: AI and what to do about it. Deepfakes have come to Zoom.
In August 2022, Patrick Hillman, the Chief Communications Officer at cryptocurrency exchange Binance, was sent messages by several clients asking whether it was actually Patrick on a Zoom call.
Of course, it wasn’t him. It was an attacker who was able to use deepfake technology to create an image and voice facsimile that was convincing enough to hold 20-minute scam investment calls with Binance customers.
This is one example, but cybersecurity experts have been warning about these dangers since, coincidentally enough, just before this Binance attack happened. Security researcher Matthew Canham spoke at Black Hat in 2022 on this topic, dubbing phishing attacks carried out via Zoom “zishing” and warning of an impending increase.
Maybe it sounds far-fetched, but considering the ethical debates we are currently having on whether Levi’s Jeans should be using AI-generated models for its ads, or how ChatGPT can increase the dangers of traditional email phishing, it’s not that hard to believe.
All it takes is an attacker compromising an executive account or otherwise breaching an organization, joining a Zoom meeting, and deploying a convincing deepfake to scam or steal secrets. Or, perhaps just as plausibly if not more so, a threat actor joins a company Zoom meeting and sends a malicious URL right in the Zoom chat. Who would expect an attacker in the all-hands meeting, after all?
How Abnormal Protects Zoom
Protecting Zoom from cyberattacks means considering all of the different attack vectors:
Has there been unusual authentication or session activity for any one user?
Have any user privileges changed, such as a user elevated to Zoom administrator?
Have there been any suspicious users or suspicious messages sent during Zoom meetings? Do those messages contain malicious links?
All of these have varying levels of risk, of course, but understanding when these events occur is a critical step in preventing unauthorized Zoom access and potential internal voice or Zoom chat phishing.
To address these three types of risk, Abnormal recently released a suite of email-like security products for Zoom, encompassing messaging security (in this case Zoom chat), account takeover protection, and user posture management. These products use Abnormal’s advanced detection capabilities—informed by data ingested from Zoom, from your corporate email platform, and even from Okta or Azure Active Directory—to detect threats and build comprehensive case files to support in-depth investigation.
For example, if the CEO of an organization initiates a Zoom session in Okta from the CEO’s home office in Manhattan, but suddenly that executive has initiated a session in Tasmania, there is reason to believe that is an attempted impersonation—and Abnormal will surface both of those events in the Account Takeover case file for that user. Beyond this, if the Tasmanian sign-in was associated with any known indicators of compromise, such as a malicious IP address, domain, or other identifier, security teams will be immediately notified of the activity through Email-Like Account Takeover Protection.
If that same user becomes an Admin or even an Owner of the organization’s Zoom platform, Email-Like Security Posture Management will notify Abnormal admins of the change and provide contextual insights and next-step guides to take downstream corrective action. Because these elevated roles have access to sensitive data such as the company’s Zoom recording library, it is critical to understand these changes.
After these proactive measures, what if that user sends a chat with a malicious link, attempting to execute a Zoom phishing attack? Email-Like Messaging Security can detect that threat and immediately raise a red flag to Abnormal administrators.
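The three signals walked through above (an impossible-travel session pair, a sign-in from a known-bad IP, a role elevation to Admin/Owner, and a link sent in Zoom chat) can be expressed as plain detection logic over an event stream. The following is an added illustration, not Abnormal’s code and not Zoom’s or Okta’s API; the event records, the IP denylist and the 1,000 km/h travel threshold are constructed assumptions.

```python
import math
import re
from datetime import datetime

# Constructed sample events in a simplified, hypothetical schema (not real Zoom/Okta logs).
EVENTS = [
    {"ts": "2023-05-01T09:00:00", "type": "session", "user": "ceo@example.com",
     "lat": 40.7831, "lon": -73.9712, "ip": "198.51.100.10"},      # Manhattan
    {"ts": "2023-05-01T10:30:00", "type": "session", "user": "ceo@example.com",
     "lat": -42.8821, "lon": 147.3272, "ip": "203.0.113.7"},       # Tasmania, 90 min later
    {"ts": "2023-05-01T10:35:00", "type": "role_change", "user": "ceo@example.com",
     "old_role": "member", "new_role": "owner"},
    {"ts": "2023-05-01T10:40:00", "type": "chat", "user": "ceo@example.com",
     "text": "please review https://zoom-billing.example.net/invoice"},
]
KNOWN_BAD_IPS = {"203.0.113.7"}   # constructed IoC list (documentation-range address)
ELEVATED_ROLES = {"admin", "owner"}
MAX_KMH = 1000.0                  # assumed ceiling for plausible travel between sessions

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def analyze(events):
    """Return (alert_kind, user, detail) tuples for the three risk types, in event order."""
    alerts = []
    last_session = {}  # user -> most recent session event, for the travel check
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "session":
            if e["ip"] in KNOWN_BAD_IPS:
                alerts.append(("known_bad_ip", e["user"], e["ip"]))
            prev = last_session.get(e["user"])
            if prev is not None:
                hours = (datetime.fromisoformat(e["ts"])
                         - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_KMH:
                    alerts.append(("impossible_travel", e["user"], round(km)))
            last_session[e["user"]] = e
        elif e["type"] == "role_change":
            if e["new_role"] in ELEVATED_ROLES and e["old_role"] not in ELEVATED_ROLES:
                alerts.append(("role_elevation", e["user"], e["new_role"]))
        elif e["type"] == "chat":
            for url in re.findall(r"https?://\S+", e["text"]):
                alerts.append(("chat_link", e["user"], url))  # hand off to URL analysis
    return alerts
```

Running `analyze(EVENTS)` surfaces all four alerts for the same user, which is exactly the kind of correlation a case file built from both identity-provider and Zoom data makes possible.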
Helping organizations protect more and secure the future begins by staying one step ahead of threat actors when it comes to detecting technologically advanced threats in Zoom. With these new products, we are paving the way—ensuring that our customers stay protected from multi-channel and email-like attacks no matter where they start.