Credential theft in the name of Zoom.
Oct 6, 2022

A blog released today details a credential phishing attack impersonating Zoom.

Armorblox released a blog today detailing a credential phishing attack impersonating Zoom. The researchers report that the socially engineered email bypassed Microsoft Exchange email security and targeted over 21,000 users before Armorblox blocked the campaign.

How it worked.

The phishing email claimed the recipient had two unread messages waiting on Zoom. Both the call-to-action button and the unsubscribe link pointed at attacker-controlled URLs, so a cautious user trying to opt out was exposed as well. Clicking the call-to-action button led to a fake landing page mimicking a Microsoft sign-in screen, where victims were prompted to enter their Microsoft account credentials to “view the messages.”

The attack leveraged a well-known brand’s identity in order to harvest credentials, using Zoom’s legitimate logos and branding to instill a sense of trust. The attackers also relied on social engineering cues in the sender name, subject line, and message design to induce a sense of urgency. The email bypassed all Microsoft Exchange email security measures, and the sending domain carried a reputation score of “trustworthy” with only one infection reported in the preceding 12 months, so domain-reputation checks alone did not flag it.
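The brand-to-link mismatch the brief describes (Zoom branding and Zoom wording, but a call-to-action button and an unsubscribe link that both point off-brand, sent from a domain with a good reputation score) is the kind of signal a link-level control can catch even when domain reputation looks clean. The Python below is an added example written for this page, not Armorblox’s product logic. The sample messages, the domain `zoom-notices.example`, the `BRAND_DOMAINS` allow-list and the `DOMAIN_REPUTATION` table are all constructed assumptions; a real deployment would load the allow-list from a vetted source and use the Public Suffix List instead of the naive `registrable_domain()` here.

```python
"""Link-level brand-impersonation check for an inbound HTML email.

Added example for this brief; not Armorblox's code or detection logic.
All domains, messages and tables below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: registrable domains legitimately used by each brand.
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}

# Constructed reputation feed. The phishing domain scores "trustworthy",
# mirroring the brief's point that reputation alone did not stop the mail.
DOMAIN_REPUTATION = {"zoom-notices.example": "trustworthy", "zoom.us": "trustworthy"}


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs plus the visible text of the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._anchor).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for the sample, wrong for e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_message):
    """Return a list of findings; an empty list means no impersonation signal."""
    msg = message_from_string(raw_message)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(html)

    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    visible = (subject + " " + sender + " " + "".join(parser.text)).lower()
    brands = {b for b in BRAND_DOMAINS if b in visible}
    if not brands:
        return []  # no brand claimed, nothing to compare links against
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    label = "/".join(sorted(brands))

    findings = []
    # The sending domain should belong to the brand the mail claims to come from.
    sender_domain = registrable_domain(parseaddr(sender)[1].rsplit("@", 1)[-1])
    if sender_domain not in allowed:
        findings.append(f"sender domain {sender_domain} is not a {label} domain")

    # Every link, including 'unsubscribe', must resolve to a brand domain.
    for text, href in parser.links:
        domain = registrable_domain(urlparse(href).hostname or "")
        if domain in allowed:
            continue
        kind = "unsubscribe" if "unsubscribe" in text.lower() else "call-to-action"
        rep = DOMAIN_REPUTATION.get(domain, "unknown")
        findings.append(f"{kind} link '{text}' -> {domain} (reputation: {rep}) is off-brand")
    return findings


# Constructed lure modelled on the brief: Zoom wording, off-brand links.
SAMPLE_PHISH = """\
From: "Zoom" <no-reply@zoom-notices.example>
To: user@example.com
Subject: You have 2 unread messages waiting on Zoom
Content-Type: text/html; charset="utf-8"

<html><body><p>You have <b>2 unread messages</b> in Zoom.</p>
<a href="https://zoom-notices.example/view">View messages</a>
<p><a href="https://zoom-notices.example/unsubscribe">Unsubscribe</a></p></body></html>
"""

# Constructed control message where every link stays on the brand's domain.
SAMPLE_LEGIT = SAMPLE_PHISH.replace("zoom-notices.example", "zoom.us")

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw) or "no findings")
```

The check deliberately ignores the reputation score when deciding; it is only reported so an analyst sees why a reputation-based gate let the message through. The same logic generalises to any brand in `BRAND_DOMAINS`, and the unsubscribe case is handled separately because, as in this campaign, attackers count on users treating that link as safe.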

Recommendations.

Armorblox provides guidance for preventing these attacks. They recommend augmenting built-in email security with additional controls, treating social engineering cues such as urgency and unexpected notifications as warning signs, and deploying multi-factor authentication and password managers. The password manager recommendation matters here because a manager will not autofill Microsoft credentials on a lookalike domain, which turns a convincing fake sign-in page into a visible anomaly.