HR Termination on Zoom Leads to Credential Theft

April 21, 2020

The work landscape is changing as employees move to working remotely because of COVID-19 shelter-in-place orders. As a result, people are switching from in-person meetings to online video conferencing software such as Zoom.

In this attack, attackers pose as a Zoom meeting notification, asking recipients to join a Zoom meeting regarding their performance review and potential termination.

Summary of Attack Target

  • Platform: Office 365
  • Email Gateway: MessageLabs
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Zoom Impersonation Attack

This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom. The email masquerades as an automated notification for an important meeting with HR regarding the recipient’s performance review and termination.

The email contains a link to a fake Zoom login page hosted on “zoom-emergency.myftp.org," which asks for the user's Zoom login credentials.

Should recipients fall victim to this attack, their login credentials and any other information stored on Zoom will be compromised. Additionally, ttackers are likely hoping that these credentials are reused across sites so they can use them to access Office 365 and other, more valuable applications.

Why the Zoom Impersonation Attack is Effective

This email masquerades as a reminder that the recipient has a meeting with HR regarding their termination. When the victim reads the email they will panic, click on the phishing link, and hurriedly attempt to log into this fake meeting. Instead, their credentials will be stolen by the attacker. In addition to relying on urgency, the email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page is that the login fields are used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials.

Abnormal detected this attack due to the suspicious sender email and the suspicious link. Combined, these two elements show that the email is malicious and the platform blocks it before it causes panic among end users, who may all believe that they are being terminated.

To learn how to stop brand impersonation and credential phishing emails from harming your organization, request a demo of the Abnormal platform today.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

0
Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More