Zoom Phishing Scam Steals Microsoft Exchange Credentials

The phishing email, which was marked as safe by Microsoft, was aimed at 21,000 users of a national healthcare firm.

Security researchers at Armorblox have detailed a phishing campaign in which the attackers impersonated Zoom in order to harvest the recipients' Microsoft Exchange credentials.

Microsoft Exchange Server is the mail and calendaring server used by millions of organisations worldwide, and the credentials that unlock it typically unlock the rest of the Microsoft account as well, which makes them a lucrative target for cybercriminals.

Scam Overview

According to Armorblox, the email-based attack used a socially engineered payload that sailed past the native email security checks in front of Microsoft Exchange, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Those three checks only verify that a message was sent by a server authorised for its sender domain and was not altered in transit; a message sent from a domain the attacker legitimately controls passes all of them, regardless of the brand named in the display name or the body.

The email claimed that two unread messages were waiting for the recipient on Zoom. It carried a malicious link behind the call-to-action button, and a second malicious link behind the unsubscribe button.

If the recipient clicked the call-to-action button, it opened a fake landing page designed to look like a legitimate Microsoft sign-in screen. The user was then asked to enter their Microsoft credentials in order to read the supposed Zoom messages.

Why Zoom?

Since the start of the COVID-19 pandemic, Zoom has been a favourite lure for crooks and threat actors around the world. In this case, the scammers exploited Zoom's popularity and brand recognition to steal credentials, replicating the genuine Zoom logo and branding to create a sense of trust.

According to Armorblox's blog post, the subject line (For on Today, 2022) and the email design were socially engineered to instil a sense of urgency, and the message carried the recipient's actual name in the To: field.

The attackers also sent the email from a validly registered domain with a 'trustworthy' reputation score and just one infection reported in the previous 12 months. The fake landing page pre-filled the recipient's email address in the username field, imitating a real sign-in flow so the page would look legitimate. Anyone who entered their password had their credentials captured immediately.
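The two points above, that SPF/DKIM/DMARC can all pass on a phish, and that the lure's brand, its links and the pre-filled recipient address give it away anyway, can be turned into a triage check. The following is an added example written for this page, not code from Armorblox or from the article. The two messages are constructed; the sender domain (mail.example.net) and the landing page (login.example.org) are placeholders, not the domains used in the real campaign, and the brand-to-domain table is a deliberately small assumption for the demo.

```python
"""Triage a message that passes sender authentication but impersonates a brand.

Added example (not from the article or Armorblox). Sample messages and the
domains in them are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumption for the demo: the domains that legitimately serve each brand.
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}

# Constructed phish: authentication passes for the attacker's own domain,
# the display name says Zoom, both links go elsewhere, and the link carries
# the recipient's address so the landing page can pre-fill the username.
PHISH_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.example.net; dkim=pass header.d=mail.example.net; dmarc=pass header.from=mail.example.net
From: "Zoom" <notifications@mail.example.net>
To: "Jane Doe" <jane.doe@example.com>
Subject: You have 2 unread Zoom messages
Content-Type: text/html; charset="utf-8"

<html><body><p>You have 2 unread messages on Zoom.</p>
<a href="https://login.example.org/signin?login_hint=jane.doe@example.com">Check messages</a>
<a href="https://login.example.org/unsubscribe">Unsubscribe</a></body></html>
"""

# Constructed legitimate notification, to show the checks do not fire on real brand mail.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us
From: "Zoom" <no-reply@zoom.us>
To: "Jane Doe" <jane.doe@example.com>
Subject: Your meeting is starting soon
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Zoom meeting starts in 10 minutes.</p>
<a href="https://zoom.us/j/123">Join</a></body></html>
"""


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def registrable(host):
    """Crude registrable domain (last two labels). Use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brands_mentioned(text):
    return {b for b in BRAND_DOMAINS if b in text.lower()}


def triage(raw):
    """Return auth verdicts, sender domain and a list of impersonation findings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1])
    _, rcpt = parseaddr(msg.get("To", ""))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings = []

    # 1. Display name claims a brand the authenticated sender domain does not serve.
    for brand in brands_mentioned(display):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name {display!r} but sender domain {sender_domain}")

    # 2. Links point outside every brand the lure names (call-to-action and unsubscribe alike).
    lure_brands = brands_mentioned(display) | brands_mentioned(body)
    allowed = set().union(*(BRAND_DOMAINS[b] for b in lure_brands)) if lure_brands else set()
    for url in re.findall(r'href="([^"]+)"', body):
        u = urlparse(url)
        host = registrable(u.hostname or "")
        if lure_brands and host not in allowed:
            findings.append(f"link to {host} outside {sorted(allowed)}")
        # 3. Recipient address carried in the URL lets the landing page pre-fill the username.
        values = [v for vals in parse_qs(u.query).values() for v in vals]
        if rcpt and any(rcpt.lower() in v.lower() for v in values):
            findings.append(f"recipient address embedded in link to {host}")

    return {"auth": auth_results(msg), "sender_domain": sender_domain, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        result = triage(raw)
        print(name, result["auth"], result["sender_domain"])
        for f in result["findings"]:
            print("  -", f)
```

The point of running both samples is that the authentication verdicts are identical (all pass) and useless on their own; what separates the two is that the legitimate mail's sender domain and links agree with the brand it names, while the phish's do not, and only the phish ships the recipient's address in its link.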

How to Stay Protected?

Armorblox says it blocked the emails before they reached recipients. Even so, users and defenders need to stay vigilant. Layer additional controls on top of native email security: sender authentication alone does not catch a message sent from a domain the attacker controls, so look for brand impersonation in the display name, the link destinations and the landing page as well.

Scrutinise messages before acting on them rather than responding immediately to an unverified sender. Check the display name, the sender address and the message's wording for inconsistencies or typos, and compare where a link actually points with the brand the message claims to be from.

Lastly, never reuse one password across multiple sites, because if one account is compromised all the others become vulnerable. Multi-factor authentication is essential, but with a caveat: one-time codes and push approvals can be relayed by a phishing page in real time, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the login to the genuine site and cannot be replayed from a look-alike page.