Zooming In on Phishing: How Shared Documents Reel You In
Credential Phishing Documents Shared Through Zoom Bypass Traditional SEGs
What is the attack?
Phishing Delivery: Attackers distribute financially themed documents via Zoom Docs, embedding a clickable link that directs victims to a phishing website imitating the Office 365 login page.
Human Verification: The phishing website employs Cloudflare Captcha to ensure that only real users can access the site, providing an added layer of legitimacy for the attack.
Why did it get through?
Verified Source: Email sent from a domain passing sender authentication checks.
Legitimate Hosting: The document was hosted on a legitimate Zoom site, lending it an air of legitimacy.
URL Crawling/Analysis Protection: The added Captcha functionality limits automated link crawling and URL analysis features, increasing the difficulty for automated detection.
What is required to solve for this attack?
Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.
For defense in depth, this pairs well with the Threat Intelligence layer of the cloud email platform (M365).
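The gap described under "Why did it get through?", shown as an added example (this is not Abnormal's detection logic and not code from this page): a reputation-only check delivers the message because authentication passes and the link host is trusted, while sender and content signals that need no link crawling flag it. The host list, keyword list, sender history and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: illustrative host list, keywords and sender history.
SHARED_DOC_HOSTS = {"docs.zoom.us"}
FINANCE_WORDS = ("invoice", "payment", "remittance", "payroll")
KNOWN_SENDERS = {"ap@supplier.example"}  # senders this mailbox has seen before

# Constructed sample message, not taken from a real campaign.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
From: Billing <billing@new-vendor.example>
To: user@example.org
Subject: Payment remittance shared with you

View the document: https://docs.zoom.us/doc/CONSTRUCTED-ID
"""

def load(raw=SAMPLE):
    return message_from_string(raw)

def link_hosts(msg):
    body = msg.get_payload()
    return {urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}

def reputation_verdict(msg):
    """What a reputation-only gateway sees: authentication results and link host."""
    auth = msg.get("Authentication-Results", "").lower()
    auth_ok = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    return "deliver" if auth_ok and link_hosts(msg) <= SHARED_DOC_HOSTS else "inspect"

def behavioral_signals(msg, known_senders=KNOWN_SENDERS):
    """Signals that do not depend on crawling the link target."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    signals = []
    if sender not in known_senders:
        signals.append("first_time_sender")
    if link_hosts(msg) & SHARED_DOC_HOSTS:
        signals.append("link_to_shared_document")
    if any(w in msg.get("Subject", "").lower() for w in FINANCE_WORDS):
        signals.append("financial_theme")
    return signals

def behavioral_verdict(msg):
    # Hold for review only when all three signals coincide.
    return "hold" if len(behavioral_signals(msg)) == 3 else "deliver"
```

Requiring all three signals together keeps routine shared documents from established senders out of the review queue.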