By: Cobi Aloia and Anna Pizzitola, Cofense Phishing Defense Center
We’ve all been there — technical mishaps in a Zoom meeting that have you scrambling to rejoin. But what if that connection issue wasn’t real? The Cofense Phishing Defense Center (PDC) recently observed a new phishing campaign in which threat actors are leveraging these exact problems to harvest credentials of users via a Zoom-themed attack. Here’s how it works.
Figure 1: Email Body
The email body, as shown in Figure 1, enforces a sense of urgency several times. The subject line ‘URGENT - Emergency Meeting,’ as well as keywords and phrases such as ‘immediately,’ ‘critical issue,’ ‘as soon as you can,’ ‘time-sensitive,’ and ‘quick presence,’ are all used to manipulate recipients into acting hastily. Based on research conducted by Cofense’s PDC and PhishMe Security Awareness Training platforms, phishing emails that convey urgency are amongst the most clicked on by users. This psychological tactic plays on fear, anxiety, and pressure, which often override skepticism and attention to detail, leaving recipients more susceptible to the threat at hand.
Within the email body lies a Zoom hyperlink whose visible text looks like a legitimate meeting URL. This is an additional technique used by the threat actor, known as deceptive hyperlinking or URL masking: the displayed link looks safe, but clicking it sends the user to the real, often malicious, destination. In this case, the URL that the user would be sent to is:
hxxps://tracking[.]cirrusinsight[.]com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl.
This URL is simply used to track how many users successfully visit the malicious link via the CRM platform, Cirrus Insight. From here, the tracking URL redirects to:
hxxps://one[.]ebext[.]in/openurl?nid=&user_id=&random_id=&thread_id=&from_email=&source=web_ext&url=hxxp%3A%2F%2Fhubs[.]ly/Q037hZCD0, which opens the short link: hxxps://hubs[.]ly/Q037hZCD0, finally redirecting to the landing page as seen in Figure 2: hxxps://pub-51656ae3d0ef4f2ba59cdfc6830c8098[.]r2[.]dev/meeting[.]htm?utm_campaign=8634688-zm-30000&utm_source=ppc.
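As an added example, not code from the original post or from Cofense, the following Python unwraps a chain like the one above statically: it refangs analyst-style defanged URLs, pulls out any full URL carried inside a query parameter (as the ebext openurl link carries the hubs.ly link in its url= parameter), consults a supplied table for hops that cannot be derived from the URL itself (the Cirrus Insight tracking link and the hubs.ly short link, which only a sandbox or URL-resolution service can resolve), and finally checks whether the landing host is actually under the brand the email claims. The OBSERVED_HOPS table mirrors the redirect chain described in the article; the zoom.us meeting link and the a.example/b.example loop used in the checks are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

MAX_HOPS = 8  # stop runaway or looping redirect chains


def refang(url: str) -> str:
    """Turn an analyst-defanged URL (hxxps, [://], [.]) back into a parseable one."""
    url = re.sub(r"^h[xX]{2}p", "http", url.strip())
    return url.replace("[://]", "://").replace("[.]", ".")


def embedded_url(url: str) -> Optional[str]:
    """Return a full URL carried inside a query parameter, e.g. url=hxxp%3A%2F%2F...

    parse_qs percent-decodes the value; refang() handles a defanged scheme inside it.
    """
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            candidate = refang(value)
            if candidate.startswith(("http://", "https://")):
                return candidate
    return None


def unwrap(url: str, known_hops: Optional[Dict[str, str]] = None) -> List[str]:
    """Follow the chain statically: embedded URLs first, then the known-hop table.

    known_hops maps 'host/path' of a tracking or short link to the URL it redirects
    to, as recorded by a sandbox; a hop that is in neither place ends the chain.
    """
    known_hops = known_hops or {}
    chain: List[str] = []
    current = refang(url)
    while len(chain) < MAX_HOPS:
        chain.append(current)
        parts = urlsplit(current)
        nxt = embedded_url(current) or known_hops.get(parts.netloc.lower() + parts.path)
        if nxt is None or refang(nxt) in chain:
            break
        current = refang(nxt)
    return chain


def hosts(chain: List[str]) -> List[str]:
    return [urlsplit(u).netloc.lower() for u in chain]


def assess(url: str, brand_domain: str = "zoom.us", known_hops=None) -> dict:
    """Flag a link whose final landing host is not under the brand it impersonates."""
    chain = unwrap(url, known_hops)
    final_host = urlsplit(chain[-1]).netloc.lower()
    on_brand = final_host == brand_domain or final_host.endswith("." + brand_domain)
    return {"hops": hosts(chain), "final_host": final_host,
            "verdict": "brand-consistent" if on_brand else "suspicious"}


# Observed chain from the article, kept defanged. The two table entries are the hops
# a static parser cannot derive (a tracking redirect and a short link); in practice
# they come from a sandbox or URL-resolution service.
EMAIL_LINK = "hxxps://tracking[.]cirrusinsight[.]com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl"
OBSERVED_HOPS = {
    "tracking.cirrusinsight.com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl":
        "hxxps://one[.]ebext[.]in/openurl?nid=&user_id=&random_id=&thread_id=&from_email="
        "&source=web_ext&url=hxxp%3A%2F%2Fhubs[.]ly/Q037hZCD0",
    "hubs.ly/Q037hZCD0":
        "hxxps://pub-51656ae3d0ef4f2ba59cdfc6830c8098[.]r2[.]dev/meeting[.]htm"
        "?utm_campaign=8634688-zm-30000&utm_source=ppc",
}

if __name__ == "__main__":
    result = assess(EMAIL_LINK, known_hops=OBSERVED_HOPS)
    print(" -> ".join(result["hops"]), "|", result["verdict"])
```

The useful signal is the mismatch between the brand named in the email and the host that finally serves the page; a tracking or CRM domain in the first hop is not itself malicious, which is why the check is made on the last hop rather than the first.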
Figure 2: Fake Zoom Call
When the user clicks the URL in the email, they are directed to what appears to be a legitimate Zoom meeting. A closer look at the address bar, however, shows the landing page listed above rather than a genuine Zoom URL. The page initially displays a “joining meeting” message, followed by a realistic-looking Zoom interface, as shown in Figure 2. One of the individuals on the fake call even waves, while another reacts with a facial expression, making it appear more realistic. Shortly after this, a “meeting connection timed out” dialog box appears, redirecting the user to a login page where they are prompted to enter their credentials, as shown in Figure 3.
Figure 3: Phishing Page
The phishing page features a Zoom Workplace login that is nearly identical to the legitimate Zoom login form. Depending on the target, as noted in the URL (#targetid=john@doe.com), the email address field is pre-filled with the recipient’s address, further playing into the deception. From here, the victim just needs to enter their password to ‘rejoin’ the meeting. Unfortunately, instead of ‘rejoining,’ the victim’s credentials, along with their IP address, country, and region, are exfiltrated via Telegram, a messaging app notorious for ‘secure, encrypted communications,’ and delivered straight to the threat actor.
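The Telegram exfiltration step leaves a distinctive trace in web proxy or egress logs: a browser POSTing to api.telegram.org on a path of the form /bot<numeric id>:<token>/sendMessage, seconds after the same client loaded a page that is not Zoom. As an added example, not code from the original post or from Cofense, the following Python runs that detection over a few constructed, tab-separated proxy log lines (timestamp, source IP, method, URL, status, user agent). The bot id and token in the sample are invented, and the landing host landing.example is a placeholder; the real indicators are in the table at the end of the post.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Telegram Bot API paths look like /bot<numeric id>:<token>/<method>
BOT_API_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[\w-]+)/(?P<api_method>\w+)$")
TELEGRAM_API = "api.telegram.org"
LOOKBACK = timedelta(seconds=120)  # how far back to look for the page that triggered the call

# Constructed proxy log (timestamp, src IP, method, URL, status, user agent). The bot id,
# token and landing host are invented; only the pattern matches the campaign described.
SAMPLE_LOG = """\
2025-03-18T14:02:11Z\t10.20.30.41\tGET\thttps://landing.example/meeting.htm?utm_source=ppc\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/123.0
2025-03-18T14:02:58Z\t10.20.30.41\tPOST\thttps://api.telegram.org/bot1234567890:AAEXAMPLE_not_a_real_token/sendMessage\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/123.0
2025-03-18T14:03:05Z\t10.20.30.77\tGET\thttps://zoom.us/\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/123.0
2025-03-18T14:05:40Z\t10.20.30.90\tPOST\thttps://api.telegram.org/bot1234567890:AAEXAMPLE_not_a_real_token/getUpdates\t200\tpython-requests/2.31
"""


def parse_line(line: str) -> Dict:
    ts, src, http_method, url, status, ua = line.rstrip("\n").split("\t", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "http_method": http_method, "url": url, "status": int(status), "ua": ua}


def preceding_page(events: List[Dict], index: int) -> Optional[str]:
    """Host of the last non-Telegram page the same client loaded within LOOKBACK."""
    current = events[index]
    for prev in reversed(events[:index]):
        if current["ts"] - prev["ts"] > LOOKBACK:
            break
        host = urlsplit(prev["url"]).netloc.lower()
        if prev["src"] == current["src"] and host != TELEGRAM_API:
            return host
    return None


def detect_bot_api_calls(lines: List[str]) -> List[Dict]:
    """Flag every Telegram Bot API call; a browser-originated sendMessage ranks highest."""
    events = [parse_line(l) for l in lines if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        parts = urlsplit(ev["url"])
        if parts.netloc.lower() != TELEGRAM_API:
            continue
        m = BOT_API_RE.match(parts.path)
        if not m:
            continue
        browser = ev["ua"].startswith("Mozilla/")
        findings.append({
            "ts": ev["ts"].isoformat(), "src": ev["src"], "bot_id": m["bot_id"],
            "api_method": m["api_method"], "browser_origin": browser,
            "preceding_page": preceding_page(events, i),
            # a web page pushing a message to a bot is the credential-exfil pattern
            "severity": "high" if browser and m["api_method"] == "sendMessage" else "medium",
        })
    return findings


def block_indicator(finding: Dict) -> str:
    """Defanged indicator for a blocklist entry (bot id only, the token is not needed)."""
    return f"api[.]telegram[.]org/bot{finding['bot_id']}:"


if __name__ == "__main__":
    for f in detect_bot_api_calls(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["src"], f["api_method"], f["preceding_page"], block_indicator(f))
```

Few workstations have a legitimate reason to call the Bot API at all, so the medium-severity hit on the python-requests client is still worth a look; the high-severity hit is the one that matches this campaign, because the preceding page is the host that served the fake login form.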
This phishing campaign highlights how threat actors exploit technical mishaps and urgency to deceive users into giving up their credentials. By mimicking a legitimate Zoom meeting and prompting users to ‘rejoin’ after a fake connection issue, attackers effectively bypass skepticism. The use of realistic visuals, deceptive URLs, and pre-filled login fields creates a convincing illusion, leading victims to unknowingly expose their information. As Zoom credentials are often tied to employee logins, this attack opens the door for lateral movement and potential Advanced Persistent Threats (APTs) within an organization. At Cofense, we combine phishing detection, rapid remediation, and real-time training in one expert-supervised platform to strengthen what your existing defenses miss.
| Stage 1 - Observed Email Infection URL: | Infection URL IP(s): |
| --- | --- |
| hXXps://tracking[.]cirrusinsight[.]com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl | 18.209.207.253 |

| Stage 2 - Observed Payload URL(s): | Payload IP(s): |
| --- | --- |
| hXXps://api[.]telegram[.]org/bot7643846141:AAH3xkttszS0hQgqj7PaS_f7XetLz-_DTQc/sendMessage | 149.154.167.220 |
| hXXps://one[.]ebext[.]in/openurl?nid=&user_id=&random_id=&thread_id=&from_email=&source=web_ext&url=hxxp%3A%2F%2Fhubs[.]ly/Q037hZCD0 | 172.67.193.64, 104.21.92.123 |
| hXXps[://]hubs[.]ly/Q037hZCD0 | 104.16.6.207, 104.16.7.207, 104.16.9.207, 104.16.8.207, 104.16.5.207 |
| hXXps://pub-51656ae3d0ef4f2ba59cdfc6830c8098[.]r2[.]dev/meeting[.]htm | 172.66.0.235, 162.159.140.237 |
All third-party trademarks referenced by Cofense, whether in logo form, name form, or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time, based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.