Zoom Phish Zooming Through Inboxes Amid Pandemic

Share Now


[vc_row][vc_column animation_iteration=”1″][mvc_infobox info_style=”mega_info_box_2″ info_opt=”show_icon” icon_size=”35″ icon_height=”75″ icon_radius=”15px” border_width=”2″ title_color=”#cd202c” font_icon=”fa fa-exclamation-triangle” icon_color=”#cd202c” border_clr=”#dd3333″ info_title=”Phishes Found in Environments Protected by SEGs” title_size=”25″ css=”.vc_custom_1591818035464{margin-top: 20px !important;margin-bottom: 30px !important;}” hoverclr=”#cd202c” icon_bg=”#ffffff” hoverbg=”#ffffff”]

Microsoft ATP
Microsoft EOP
Cisco IronPort

[/mvc_infobox][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1591817161076″]By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that acts as a Zoom video conference invitation to obtain Microsoft credentials from users.

As noted in numerous other articles posted by Cofense, it is no secret this pandemic has changed the threat landscape. From emails to employees regarding safety guidelines to the latest news from the WHO or CDC on Coronavirus cases in the area- threat actors have done it all to make the most of this situation, especially targeting remote workers. Within that group of remote workers there are users who are unfamiliar with teleconferencing and the emails that come with using the service. Some users may not have the best home office set up and work on monitors that barely afford them a proper view, making it difficult to look over these emails closely. The attack covered below is specifically aimed toward those users.[/vc_column_text][vc_single_image image=”21027″ img_size=”large” alignment=”center” onclick=”link_image”][vc_column_text c_id=”.vc_1591821137618″]

Figure 1– Email Bodies

For this attack, users are informed of an invite to a video conference from what appears to be “Zoom Video Communications” which is followed by either as noted in Figures 1-2. For now, this all appears to be in order, however looking more closely at the senders, there are barely noticeable typos- communcations missing an ‘i’, confrence missing an ‘e’. While this may seem like just an innocuous mistake, it’s in fact a carefully crafted scheme.

Mere hours before sending this email, the threat actors registered the domains zoomcommuncations.com and zoomvideoconfrence.com, as noted in s 3-4.[/vc_column_text][vc_single_image image=”21028″ img_size=”large” alignment=”center” onclick=”link_image”][vc_single_image image=”21032″ img_size=”large” alignment=”center” onclick=”link_image”][vc_column_text c_id=”.vc_1591821184001″]

Figure 2-3: Email Body

When visiting either domain, it may appear to be a German site speaking on different Lasik treatments and surgery options. However, this is merely a cover for its true purpose of helping send malicious emails while impersonating teleconferencing giant Zoom.

The email itself is reminiscent of a legitimate Zoom communication- the blue Zoom logo, a vague mention of a video conference for users to join and a link for them to review said invitation; it’s inconspicuous enough and mostly free of the grammatical mistakes phish often contain.

Hovering over the “Review Invitation” the link shown is:


For this attack, the threat actor used a redirector link from Smore, a newsletter creation and distribution website. This is not the first time threat actors have used a legitimate online service’s personal redirect links to pilot users to malicious sites. In this case, this redirect link, once clicked, navigates users to:


Which then redirects to the final page:


For this attack, the threat actor has utilized Microsoft’s Azure is used to host the phishing domain, but this is not a new tactic. Threat actors flock to these domain hosting services due to some of the perks it offers. For this service, a free SSL certificate comes with any website hosted through it which adds a padlock next to the URL in the address bar, most people incorrectly assumes this indicates a site is legitimate. Another benefit of Azure is the customization option for the subdomain, allowing a URL to mimic or at least appear as a legitimate URL for the service attacks are attempting to impersonate. In this case, the subdomain is “logonmicrosftonlinezoomconference”, with all the keywords most users would expect to see in a Zoom email that goes to a Microsoft login page: “logon microsoft” and “zoom conference”. With both a padlock in the address bar along with relevant names displayed, this attack becomes less noticeable to most users.[/vc_column_text][vc_single_image image=”21029″ img_size=”large” alignment=”center” onclick=”link_image”][vc_column_text c_id=”.vc_1591821539482″]

Figure 4: Phishing Page

Figure 5 shows the phishing page users are presented with should they make it this far. The page is a generic Microsoft phish with an accompanying URL which, once again, seems to legitimize the phish to users.

The request is simple: “Sign in to Zoom with your Microsoft 365 account.” At face value, this seems like a completely reasonable use of credentials. And since Zoom allows for users to login in via SSO and most companies have linked Microsoft credentials to the platform, some users may even be familiar with Microsoft helping to access their Zoom account.

Meanwhile, with the user’s email appended in the URL, it in turn pre-populates the username field with that information, leaving only the password left for the user to provide.[/vc_column_text][vc_single_image image=”21030″ img_size=”large” alignment=”center” onclick=”link_image”][vc_single_image image=”21031″ img_size=”large” alignment=”center” onclick=”link_image”][vc_column_text c_id=”.vc_1591817561729″]

Network IOC  IP 
hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company.com 52[.]27[.]29[.]106
hXXp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44 209[.]159[.]154[.]74
hXXps://logonmicrosftonlinezoomconference[.]azureedge[.]net/ 13[.]107[.]246[.]10
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on wpml.org as a development site.