Phishing attack spoofs Zoom to steal Microsoft user credentials

Targeting more than 21,000 users, the phishing email managed to bypass Microsoft Exchange email security, says Armorblox.


Phishing attacks work by impersonating a familiar or trusted brand, product or company, often with the goal of tricking recipients into divulging sensitive account credentials. That’s exactly the case with a recent phishing campaign analyzed by security firm Armorblox in which the attacker spoofed Zoom in an attempt to compromise Microsoft user credentials.

How the attack worked

Aimed at more than 21,000 users at a national healthcare company, the phishing email included a subject line of “For [name of recipient] on Today, 2022” with each user’s actual name listed as the recipient. Displaying the Zoom name and logo, the email itself claimed that the person had two messages waiting for their response. To read the alleged messages, the recipient had to click on a main button in the body of the message.

The main button would have taken users to a phony landing page spoofing a Microsoft login site. At the site, the victims were instructed to enter their Microsoft account password supposedly to verify their identity before they could access the messages. The landing page already populated the username field with the person’s actual email address to further lull them into a sense of security. Naturally, any Microsoft passwords entered at the page would then be captured by the attackers.


Sent from a valid domain, the initial phishing email evaded Microsoft Exchange email security controls because it passed the usual email authentication checks, including DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). The emails were instead blocked from reaching user inboxes by Armorblox's security product.

Why the attack was so convincing

This particular campaign used a variety of tricks to try to convince unsuspecting users of its legitimacy. The first tactic is social engineering. By claiming that two messages were waiting for a response, the email attempts to arouse curiosity and urgency on the part of the recipient. The next trick is impersonation. By spoofing a well-known brand such as Zoom and exploiting Microsoft as the linchpin for accessing the waiting messages, the campaign capitalizes on familiarity and trust.

By sending the email from a legitimate and trusted domain, the attackers made every effort to bypass security defenses. Further, the email was written in such a way as to not trigger any red flags, either with email security tools or with an unsuspecting recipient.

How to protect your organization from phishing

To help you protect your organization and employees from these types of phishing attacks, Armorblox offers the following recommendations:

Supplement your native email security with additional tools

The email described in the report snuck past Microsoft security defenses, a sign that you need to supplement your native email security with stronger and more layered tools. To find the right product, consult Gartner’s Market Guide for Email Security and Armorblox’s 2022 Email Security Threat Report.

Look out for social engineering ploys

With an influx of email crowding their inboxes, people often forget to scrutinize messages more closely. Instead of immediately acting on or responding to a message, users need to take the time to check key elements, including the sender name, sender email address and the language in the message. The goal is to look for any typos, errors or inconsistencies that seem suspicious.
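The checks above (sender name, sender email address and the wording of the message) can be automated for mail that has already passed SPF, DKIM and DMARC, which is exactly the gap this campaign slipped through. The following is an added example, not code from Armorblox or from the report: it parses a constructed message modelled on the one described (display name "Zoom", a sending domain that authenticates cleanly, a "messages waiting" lure), reads the Authentication-Results header, and flags a brand named in the display name whose sending domain is not one the brand is known to mail from. The brand allow-list, the sample headers and all domains are assumptions built for the example; only zoom.us is a real Zoom domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Illustrative allow-list of domains a brand legitimately sends from.
# Assumption for this example; extend it from your own mail-flow data.
BRAND_DOMAINS = {
    "zoom": {"zoom.us"},
}

# Constructed sample modelled on the campaign: authentication passes for the
# sending domain, but the display name and body impersonate Zoom.
# All names and domains are placeholders, not indicators from the report.
SAMPLE_PHISH = """\
Authentication-Results: mx.example-healthcare.test;
 spf=pass smtp.mailfrom=sender.example-legit.test;
 dkim=pass header.d=sender.example-legit.test;
 dmarc=pass header.from=sender.example-legit.test
From: "Zoom" <notifications@sender.example-legit.test>
To: jane.doe@example-healthcare.test
Subject: For Jane Doe on Today, 2022
Content-Type: text/plain; charset="utf-8"

You have 2 messages waiting for your response.
Click the button below to read them.
"""

# Constructed benign counterpart: same brand in the display name, but sent
# from a domain on the brand's allow-list and without the lure wording.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example-healthcare.test;
 spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us;
 dmarc=pass header.from=zoom.us
From: "Zoom" <no-reply@zoom.us>
To: jane.doe@example-healthcare.test
Subject: Your meeting starts in 10 minutes
Content-Type: text/plain; charset="utf-8"

Reminder: your scheduled meeting starts in 10 minutes.
"""


def parse_auth_results(header):
    """Extract spf/dkim/dmarc results from an Authentication-Results header.
    Methods that are absent map to 'none'."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, header or "", re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "none"
    return results


def assess_message(raw):
    """Return a dict describing authentication state, sender domain and any
    impersonation or lure findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    auth_passed = all(v == "pass" for v in auth.values())

    findings = []
    # Brand impersonation: display name claims a brand, domain does not match.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(
                "display name claims '%s' but sender domain is %s"
                % (brand, sender_domain)
            )
    # Curiosity/urgency lure used by the campaign described in the article.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"\bmessages? waiting\b", text, re.IGNORECASE):
        findings.append("lure wording: claims messages are waiting for a response")

    return {
        "auth": auth,
        "auth_passed": auth_passed,
        "sender_domain": sender_domain,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = assess_message(raw)
        print(label, result["verdict"], result["auth"], result["findings"])
```

The point the two samples make is that "authentication passed" and "sender is who the display name says" are separate questions: both messages pass SPF, DKIM and DMARC, and only the comparison of the display name against the sending domain separates them. In a real deployment the allow-list would be populated from observed legitimate traffic rather than hand-written.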

Adopt proper password hygiene

Avoid using the same password on multiple sites as one compromised account can help attackers breach other accounts with the same credentials. To prevent password reuse and still rely on strong and complex passwords, your best bet is to turn to a password manager.

Use multi-factor authentication

Requiring MFA is one of the best ways to ensure that an attacker won’t be able to sign in using compromised account credentials.
