Attackers impersonating Zoom to steal Microsoft user credentials
Most employees now use one online platform or another to organize meetings. Threat actors are aware of these meetings and exploit them every chance they get. A recent attack used social engineering to mimic an email invite to a Zoom meeting. The attack tricked 10,000 users into clicking on a malicious link.
Ten thousand users working at a major online brokerage company in North America were targeted by malicious hackers, who used social engineering and brand impersonation techniques to gain the users’ trust and urged them to act swiftly. This left users little time to think about the email before falling victim to the attack.
Users were redirected to a spoofed Outlook login page after clicking on the link. This login page asked for the users’ credentials, thereby luring them into entering their account emails and passwords.
As per the report’s details, users noted that clicking on a ‘Start Meeting’ button is a routine habit for them. Since the email contents followed a very familiar format, their brains did what they were programmed to do and acted quickly.
Phishing emails can be pretty easy to identify because they come with grammatical errors and links that do not lead to the websites they state. Moreover, phishing emails follow a format that resembles the original sender’s. Most times, simply hovering your mouse pointer over a listed link can protect you from a cyberattack.
Aimed at more than 21,000 users at a national healthcare company, the phishing email included a subject line of “For [name of recipient] on Today, 2022” with each user’s actual name listed as the recipient.
Displaying the Zoom name and logo, the email itself claimed that the person had two messages waiting for their response. To read the alleged messages, the recipient had to click on a main button in the body of the message.
The main button would have taken users to a phony landing page spoofing a Microsoft login site. At the site, the victims were instructed to enter their Microsoft account password supposedly to verify their identity before they could access the messages.
The landing page already populated the username field with the person’s actual email address to further lull them into a sense of security. Naturally, any Microsoft passwords entered at the page would then be captured by the attackers.