Zoom-Themed Phishing Campaign Targets Office 365 CredentialsFraudsters Using Fake Account Alerts to Steal Microsoft Credentials
A recently uncovered phishing campaign is using spoofed Zoom account alerts to steal Microsoft Office 365 credentials, according to a report from security firm Abnormal Security.
Using fake Zoom alerts to help disguise phishing emails comes at a time when use of the cloud-based video conferencing platform is skyrocketing due to work-from-home arrangements. A report following Zoom’s settlement with the New York state attorney general's office over privacy and data security complaints showed that Zoom was supporting approximately 300 million meeting participants each day on its platform at the end of April, compared to about 10 million daily meeting participants in January (see: Zoom's New York Settlement Spells Out Security Moves).
The Abnormal Security report notes that this large-scale reliance on Zoom for corporate communications is driving fraudsters and cybercriminals to use the company's images and logos in phishing emails to give them a look of legitimacy and urgency.
"Zoom as a communications method is essential in a world under the shadow of the COVID-19 pandemic," the researchers note in the report. "Thus, the user may rush to correct their account, click on the malicious link, and inadvertently enter credentials on this bad website."
The researchers note that these Zoom-themed phishing emails have appeared in approximately 50,000 inboxes since the campaign started earlier this year.
Researchers found that fraudsters are sending victims phishing emails mimicking an automated notification from Zoom that spoofs the official Zoom corporate email address. These messages claim that the recipient will not be able to use the video conferencing platform until they click a link embedded in the email to reactivate their account, according to the report.
If the victim clicks on the malicious link embedded in the email, the user is taken to what appeared to be an Office 365 login page but was actually a malicious domain controlled by the fraudsters. The fake login page prompts the targeted victim to input their Office 365 username and password to reset their account, but the credentials are instead harvested by the fraudsters.
"Though the email impersonates the Zoom brand, the attacker is targeting the recipient’s Microsoft credentials, which can be used to access a larger trove of sensitive information," the report notes.
Other phishing campaigns have also taken advantage of the new reliance on collaboration and video conferencing software to create realistic-looking messages that target at-home workers.
In April, researchers found fraudsters using spoofed messages and images from Zoom and Cisco WebEx as lures in phishing campaigns that were designed to steal credentials or distribute malware (see: Cybercriminals Using Zoom, WebEx as Phishing Lures: Report).
Credentials for Office 365 and other Microsoft products are a frequent target of these attacks. This week, a federal court granted Microsoft an injunction to seize several malicious domains that spoofed the company's products and services as part of numerous phishing attempts (see: Microsoft Seizes Domains Used for COVID-19 Phishing Scam).