Fake Zoom notifications used to steal Office 365 credentials

News by Rene Millman

Hackers use spoofed video conferencing messages to steal Office 365 credentials as part of a ransomware campaign.

Fake Zoom notifications are being used by cybercriminals to target Office 365 users in a new phishing campaign to steal credentials.

According to researchers at Abnormal Security, Microsoft Office 365 users in corporate environments are the focus of the operation. In a blog post, the researchers said that victims are told their Zoom accounts have been suspended.

The victims receive an email sent from an address that spoofs the official Zoom email address. It mimics an automated notification from Zoom and claims that the recipient will be unable to use the service until they use the link provided in the email to reactivate their account.

The email contains a link concealed within the text that redirects to a page hosted on an unrelated domain (likely hijacked by the attackers). This link redirects to a fake Microsoft login page hosted on another domain. Though the email impersonates the Zoom brand, the attacker is targeting the recipient’s Microsoft credentials, which can be used to access a larger trove of sensitive information.
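The chain described above (a spoofed Zoom sender, a link hidden behind innocuous text that leaves the brand's domains, and a Microsoft login page on yet another domain) lends itself to a few mechanical checks on the mail gateway or in a SOC triage script. The script below is an added illustration, not code from the article, Abnormal Security or Zoom: it parses a constructed message with those traits, checks the Return-Path and Authentication-Results headers for a sender that claims to be zoom.us but fails authentication, and flags links whose anchor text or surrounding brand claim does not match the destination domain. The brand-to-domain table, the `.test` domains and both sample messages are assumptions made for the example.

```python
"""Heuristic brand-impersonation checks for a Zoom-style credential lure.

Added example; the brand/domain table, sample messages and .test domains
are assumptions for illustration, not data from the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand -> domains that may legitimately host links for that brand (assumed list).
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for .com/.us style domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brands_in(text):
    """Brand names from BRAND_DOMAINS mentioned anywhere in the text."""
    lower = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lower}


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A spoofed From header rarely lines up with the envelope sender or
    #    passes SPF/DKIM/DMARC at the receiving gateway.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable(from_addr.partition("@")[2])
    _, ret_addr = parseaddr(str(msg.get("Return-Path", "")))
    ret_domain = registrable(ret_addr.partition("@")[2])
    if ret_domain and ret_domain != from_domain:
        findings.append(f"Return-Path domain {ret_domain} differs from From domain {from_domain}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}: sender authentication did not pass")

    # 2. Which brand does the message claim to come from?
    subject = str(msg.get("Subject", ""))
    claimed = brands_in(" ".join((subject, display_name, from_domain)))
    allowed = set().union(*(BRAND_DOMAINS[b] for b in claimed)) if claimed else set()

    # 3. Links that leave the claimed brand's domains, or whose visible text
    #    shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        link_domain = registrable(urlparse(href).hostname or "")
        if not link_domain:
            continue  # relative or mailto: link; nothing to compare
        if claimed and link_domain not in allowed:
            findings.append(f"link '{text}' -> {link_domain} is outside the {sorted(claimed)} domains")
        shown = re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) != link_domain:
            findings.append(f"anchor text shows {registrable(shown.group(0))} but href resolves to {link_domain}")
    return findings


# Constructed lure with the traits described in the article (all domains assumed).
SAMPLE = """\
Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer-example.test; dkim=none; dmarc=fail header.from=zoom.us
From: "Zoom" <no-reply@zoom.us>
To: user@example.test
Subject: Your Zoom account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is suspended until you reactivate it.</p>
<p><a href="http://unrelated-example.test/redirect">Activate your account</a></p>
<p><a href="http://unrelated-example.test/login">https://zoom.us/signin</a></p>
</body></html>
"""

# Constructed benign notification for contrast.
BENIGN = """\
Return-Path: <no-reply@zoom.us>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us
From: "Zoom" <no-reply@zoom.us>
To: user@example.test
Subject: Your Zoom meeting starts in 10 minutes
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://zoom.us/j/123">Join meeting</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, analyze(raw) or "no findings")
```

Authentication-Results is only trustworthy when stamped by your own receiving MTA, so a production version should verify the authserv-id before relying on it; the domain allow-list is likewise a starting point that a mail security team would maintain per brand rather than hard-code.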

“Should recipients fall victim to this attack, their Microsoft login credentials as well as any other information stored on those accounts will be compromised,” said researchers.

So far, the phishing campaign impersonating automated Zoom account suspension alerts has landed in over 50,000 mailboxes based on stats provided by researchers.

Those targeted by this campaign are a lot more willing to trust such emails during this time since the number of remote workers taking part in daily online meetings through video conferencing platforms such as Zoom has drastically increased due to stay-at-home orders or lockdowns caused by the pandemic.

James McQuiggan, Security Awareness Advocate at KnowBe4, told SC Media UK that cybercriminals are shifting their focus away from emails containing information about package deliveries or airline tickets toward fake calendar invites.

“This attack vector provides cyber criminals with another method to steal user credentials to either sell or leverage them to gain access to an organisation for additional reconnaissance or exploitation,” he said.

He added that, by playing on the fear of missing out, the meeting invite or account expiration email incites the end user to click the link to avoid missing a meeting or losing their connection to the outside world. “With the current pandemic, most remote employees find the Zoom meeting and meeting invites as a way to feed their human socialisation needs,” said McQuiggan.

Chad Anderson, senior security researcher at DomainTools, told SC Media UK that thanks to advancing knowledge in cybersecurity, most workplaces do a great job of protecting employees from phishing attacks.

“However, as much as we advance, so do cybercriminals. As we up our game, so do they. And in order to get around our more robust gateways, they build more creative and targeted attacks—finding any threat vector they can to get inside,” he said.

“In this case, the exponential increase in the adoption of Zoom during the lockdown made it a very appealing target to impersonate, as it allows criminals to cast a wide net of potential victims. Furthermore, as most people need to be able to log into their Zoom as part of their day to day work, an email saying the account has been suspended creates an understandable sense of urgency.”
