Credential phishing attack using both Zoom Events and Zoom Docs to deliver an AITM credential phishing payload

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

Over the past few weeks, we’ve seen an increase in the abuse of Zoom for attack delivery. While Zoom bombing was popular a few years back, the expansion of the Zoom platform has given bad actors more tools to abuse. In a recent attack, we saw both Zoom Events and Zoom Docs used to deliver an adversary in the middle (AITM) credential phishing payload.

(h/t to Recon InfoSec for sharing this sample. Read their blog on Zoom Events phishing.)

This particular attack started with a Zoom Events file upload notification delivered from a valid Zoom address (Zoom Upload <noreply-zoomevents@zoom[.]us>).

If the target clicks Open Attachment, they are taken to a legitimate Zoom Doc hosted at docs.zoom[.]us. The doc impersonates a Microsoft Office 365 portal, featuring icons for the most popular tools in the suite. Below the icons is an Open Shared File link that, on hover, resolves to an office.regencyoutdor[.]com address. The "office" subdomain matches the imagery on the Zoom Doc, but the domain itself is attacker-controlled (and contains a typo).

The link takes the target to an adversary in the middle (AITM) phishing page replicating the Microsoft sign-in page. A legitimate Microsoft sign-in page is served from a Microsoft-owned host such as login.microsoftonline[.]com or login.microsoft[.]com; this one is not.

At this point, any credentials the user enters are stolen. The page makes every effort to appear legitimate, including responding with login failures for incorrect credentials: because an AITM page relays what the victim submits to the real Microsoft service in real time, those failures are genuine. The same relay lets the attacker capture the session cookie issued after a successful sign-in, so completing an MFA prompt does not protect the account.

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

  • Suspicious Zoom Events notification: the body of the Zoom Events notification contains credential theft language and links to a file hosting site.
  • Vague language: the notification refers to "a new file" but never names it. There is a complete lack of detail about what the file contains or why the recipient would need it.
  • Unnamed sender: the notification contains no information about who shared the file with the target.
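To make these signals concrete, here is an added example (not Sublime’s own detection logic or its query language) that applies all three to a constructed Zoom Events notification and contrasts it with a constructed benign share. It also includes the sign-in host check from the AITM section above. The sample messages, the lookalike host and the deliberately short Microsoft sign-in allow-list are all assumptions for illustration, not data from this attack.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not real messages). The first is modelled on the
# notification described above; the second is what a normal share looks like.
PHISH_EMAIL = """\
From: Zoom Upload <noreply-zoomevents@zoom.us>
To: target@example.com
Subject: A new file has been shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>A new file has been uploaded to your Zoom Events workspace.</p>
<p><a href="https://docs.zoom.us/doc/abc123">Open Attachment</a></p>
<p>Sign in to verify your account and view the shared document.</p>
</body></html>
"""

BENIGN_EMAIL = """\
From: Zoom Upload <noreply-zoomevents@zoom.us>
To: target@example.com
Subject: Alice Chen shared Q3-roadmap.pdf with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Alice Chen uploaded Q3-roadmap.pdf to the Q3 Planning event.</p>
<p><a href="https://docs.zoom.us/doc/def456">Open Attachment</a></p>
</body></html>
"""

ZOOM_SENDER_DOMAINS = {"zoom.us"}
FILE_HOSTING_HOSTS = {"docs.zoom.us"}  # legitimate host abused to stage the lure
# Assumption: a short allow-list of Microsoft sign-in hosts for the example.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

CREDENTIAL_LANGUAGE = re.compile(r"\b(sign in|log ?in|verify your account|password)\b", re.I)
VAGUE_FILE = re.compile(r"\ba new (file|document)\b", re.I)
FILENAME = re.compile(r"\b[\w-]+\.(pdf|docx?|xlsx?|pptx?|zip)\b", re.I)
NAMED_SENDER = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+ (shared|uploaded|sent)\b|\b(shared|uploaded|sent) by [A-Z]")


class LinkExtractor(HTMLParser):
    """Collect hrefs and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

    def handle_data(self, data):
        self.text.append(data.strip())


def analyze(raw):
    """Apply the three signals above to one raw message and return a verdict."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    ex = LinkExtractor()
    ex.feed(body)
    text = " ".join([msg["Subject"] or ""] + ex.text)
    link_hosts = {urlparse(u).hostname for u in ex.links}

    signals = []
    # 1. Real Zoom sender, but the content asks for a login and points at file hosting.
    if (sender_domain in ZOOM_SENDER_DOMAINS and CREDENTIAL_LANGUAGE.search(text)
            and link_hosts & FILE_HOSTING_HOSTS):
        signals.append("zoom_notification_credential_language")
    # 2. "a new file" with no filename anywhere in the subject or body.
    if VAGUE_FILE.search(text) and not FILENAME.search(text):
        signals.append("vague_file_reference")
    # 3. Nobody is named as the person who shared the file.
    if not NAMED_SENDER.search(text):
        signals.append("unnamed_sender")

    verdict = "malicious" if len(signals) >= 2 else "suspicious" if signals else "benign"
    return {"sender_domain": sender_domain, "link_hosts": link_hosts,
            "signals": signals, "verdict": verdict}


def is_microsoft_login_url(url):
    """A real Microsoft sign-in page is served from a Microsoft-owned host."""
    host = (urlparse(url).hostname or "").lower()
    return host in MICROSOFT_LOGIN_HOSTS


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw))
    print(is_microsoft_login_url("https://office.lookalike.example/login"))
```

The point of the benign sample is that the sender address and the docs.zoom[.]us link are identical in both messages; only the combination of credential language, a nameless file and a nameless sharer separates the lure from a normal share, which is why a sender allow-list alone would let this attack through.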

ASA, Sublime’s Autonomous Security Analyst, flagged this email as malicious. Here is ASA’s analysis summary:

Prevent attacks delivered through trusted sites

Living off Trusted Sites (LOTS) attacks are popular because they let bad actors hide behind friendly domains. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

About the Author

Josh "Soup" Campbell

Detection

Soup is an Email Security Analyst at Sublime. With his background in InfoSec and as a proud member of the SecKC community, security is both his profession and his passion. Soup was drawn to security by his need to protect people from threats and scams.
