Artificial Intelligence

Account Takeover

Attack Stories

Business Email Compromise

CISO Insights

Company & Culture

Credential Phishing

Customer Stories

Data & Trends

Email Platform Attacks

Engineering

Graymail

Product

Security Solutions

Thought Leadership

Threat Intel

Vendor Email Compromise

Demo

Schedule a Demo

B Gartner MQ 2024 Announcement Blog

Author Lane Billings

Lane Billings

Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.

Abnormal Security Named as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms

ABN Innovate Blog 4 L1 R1

1669157072577

Jade Hill

Did you miss Innovate 2025? Check out our major key takeaways from the conference, where we dive into how AI is transforming cyber threats, and cybersecurity, today.

How AI is Changing Cybersecurity: 4 Key Takeaways from Innovate 2025

B SOC Traits

MICK HEADSHOT

Mick Leach

Discover the traits and mindsets that define top SOC analysts, as explored in Season 1 of SOC Unlocked.

Uncovering the Ideal Traits of a SOC Analyst: Lessons from SOC Unlocked

B Ghost GPT Blog

Author abnormal security

Abnormal Security

Cybercriminals use GhostGPT, an uncensored AI chatbot, for malware creation, BEC scams, and more. Learn about the risks and how AI fights back.

How GhostGPT Empowers Cybercriminals with Uncensored AI

Email Subscribe

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Homepage

Breadcrumbs

Abnormal Security provides advanced email security to prevent credential phishing, business email compromise, account takeover, and more.

Learn about the latest cybercrime attack types and email security data trends and discover the latest product and company announcements from Abnormal.

Email Security Blog

description

cybersecurity, insight, news, team, latest, experts

keywords

https://images.abnormalsecurity.com/production/images/blog/L_Abnormal-homepage_Opengraph.png?w=1200&h=630&q=82&auto=format&fit=crop&dm=1715015450&s=d0e63c7617aeb482fe402a875355f870

referrer

robots

twitter:card

twitter:creator

twitter:description

https://images.abnormalsecurity.com/production/images/blog/T_Abnormal-homepage_Opengraph.png?w=800&h=418&q=82&auto=format&fit=crop&dm=1715015481&s=1a9aca2bbb876be7aa744cc1fd8533f6

twitter:image

twitter:image:alt

twitter:image:height

twitter:image:width

twitter:site

twitter:title

{"title":{"title":"Email Security Blog | Abnormal"}}

Keep up with the latest news in cybersecurity with insight from our team of experts.

Abnormal Blog

Abnormal Named a Leader in Gartner® Magic Quadrant™

vs Mimecast

vs Avanan

Secondary CTA

Whether FormComplete is utilized on a form

FormComplete

CTA Display

What text is displayed on the primary CTA (see sheet for details on copy)

Primary CTA Text

Form Columns

chakra-ui-ChakraProvider

Button

Footer

FramerWrapper

Container

DemoBlade

Screen

PrimaryCtaText

FormColumns

CtaDisplay

VsMimecast

SecondaryCta

VsAvanan

Abnormal Solutions

react-awesome-reveal

lottie-react

plasmic-nav

react-scroll-parallax-global

plasmic-embed-css

Abnormal Pages

loading-boundary

plasmic-query

plasmic-basic-components

Abnormal Legal

Abnormal Why Abnormal

Abnormal Landing Pages

plasmic-rich-components

Abnormal Partners

Abnormal Products

Abnormal Design System

Abnormal Marketing

antd5 hostless

react-slick

react-quill

Blog orange purple building

The work landscape is changing as employees move to working remotely because of COVID-19 shelter-in-place orders. As a result, people are switching from in-person meetings to online video conferencing software such as Zoom.
In this attack, attackers pose as a Zoom meeting notification, asking recipients to join a Zoom meeting regarding their performance review and potential termination.
<h2>Summary of Attack Target</h2>
<ul><li>Platform: Office 365</li><li>Email Gateway: MessageLabs</li><li>Victims: Employees</li><li>Payload: Malicious Link</li><li>Technique: Impersonation</li></ul>
<h2>Overview of the Zoom Impersonation Attack</h2>
This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom. The email masquerades as an automated notification for an important meeting with HR regarding the recipient’s performance review and termination.
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/zoom-hr-email.png?w=1628&h=1278&auto=compress%2Cformat&fit=crop&dm=1675097564&s=b29394c6a81dcd51bf40fb366ae22752" alt="" /></figure>
The email contains a link to a fake Zoom login page hosted on “zoom-emergency.myftp.org," which asks for the user's Zoom login credentials. 
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/zoom-hr-landing.png?w=1987&h=1146&auto=compress%2Cformat&fit=crop&dm=1675097564&s=12dc9a51ee0b513db7f27ffda67346b4" alt="" /></figure>
Should recipients fall victim to this attack, their login credentials and any other information stored on Zoom will be compromised. Additionally, ttackers are likely hoping that these credentials are reused across sites so they can use them to access Office 365 and other, more valuable applications.
<h2>Why the Zoom Impersonation Attack is Effective</h2>
This email masquerades as a reminder that the recipient has a meeting with HR regarding their termination. When the victim reads the email they will panic, click on the phishing link, and hurriedly attempt to log into this fake meeting. Instead, their credentials will be stolen by the attacker. In addition to relying on urgency, the email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page is that the login fields are used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials. 
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/zoom-hr-analysis.png?w=1778&h=888&auto=compress%2Cformat&fit=crop&dm=1675097564&s=4ffaefee923f788e760fbfb502d70026" alt="" /></figure>
Abnormal detected this attack due to the suspicious sender email and the suspicious link. Combined, these two elements show that the email is malicious and the platform blocks it before it causes panic among end users, who may all believe that they are being terminated.
To learn how to stop brand impersonation and credential phishing emails from harming your organization, <a href="https://abnormalsecurity.com/demo?PS=organic%20website">request a demo</a> of the Abnormal platform today.

The work landscape is changing as employees move to working remotely because of COVID-19 shelter-in-place orders. As a result, people are switching from in-person meetings to online video conferencing software such as Zoom. In this attack, attackers pose as a...

HR Termination on Zoom Leads to Credential Theft

Abnormal Blog

Get AI Protection for Your Human Interactions