With Zoom becoming one of the most prevalent tools for businesses to connect via video conferencing, attackers seized the opportunity to target users with a malicious phishing scam. In today’s Blox Tale, we will look at an account takeover attack with the goal of stealing victims’ Microsoft Teams account credentials.
The email attack had a social engineered payload, attempting to spoof the email address and replicate the subject line of a legitimate email from Zoom. In the below email, we see the sender spoofed the Zoom email address (Zoom Communications Inc) and included similar words as authorized Zoom emails in the subject line: “[EXTERNAL]Zoom meetings 11:00 AM Eastern Time [US and Canada]”.
Fig 1. Socially engineered email mimics typical workflow to start a Zoom meeting
The email took advantage of the end users’ natural instinct (in any Zoom call) to start the meeting. When the user clicked on the link to start the meeting they fell into the trap of the malicious attack and were navigated to a landing page that mimics a Microsoft Outlook login screen.
The email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the emails; meaning the emails skipped spam filtering because Microsoft determined they were from a safe sender, to a safe recipient or were from an email source server on the IP Allow List.
Target: A major online mortgage brokerage company located in North America
Email security bypassed: Microsoft email security
Techniques used: Social engineering, brand impersonation, replicating existing business workflows
Fig 2: Armorblox stopped Microsoft Outlook phishing attack to steal account credentials
The email was titled “[External]Zoom Meetings 11:00 AM Eastern Time [US and Canada]” and the body contained the message, “Your participants have joined you in a meeting”. The tactic aimed to create a sense of urgency and force a lapse in concentration of the end user. The attacker’s goal was for the end user to click the “Start Meeting” link by making them think they were late for a meeting and participants were waiting.
The email was sent from a legitimate domain and was not flagged as malicious by the Microsoft email security product, due to the assigned Spam Confidence Level (SCL) of ‘-1’.
Fig 3: Social engineering combined with workflow spoofing to steal credentials
The ubiquitous adoption of Zoom as the preferred tool for remote collaboration was used by the malicious actor to socially engineer an email as a trusted sender. The specific call to action (CTA), “Start Meeting”, was strategically used due to it being a common business workflow carried out every day. The CTA’s malicious URL linked to a spoofed Outlook login page which prompted the user to enter their credentials (as seen in Fig 4 below).
Fig 4: Clicking the email link leads to a spoofed Microsoft Outlook login page
This socially engineered attack preyed on the victim’s anxiety to comply with a common daily business workflow - start a zoom meeting. The malicious landing page asked the victims to enter their email address and password of what looked like a legitimate Outlook login page.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
- Social engineering: The email title, sender name and content aimed to induce trust and urgency in the victims - trust because the email claimed to come from a legitimate company, Zoom, and a sense of urgency because it claimed the victim was late to starting a meeting. The email included the victim’s name in the title as well, further adding a sophisticated nature to the targeted attack.
- Brand Impersonation: The email spoofed the company, Zoom, as the attacker took advantage of the prevalence of online collaboration and familiarity victims have with the impersonated brand. The email contained information about a meeting that needs to be started; scammers created a sense of urgency around starting the meeting in hopes victims didn’t think twice about the email’s legitimacy.
- Form factor of devices: The email was sent from an account belonging to a Signmarep. A quick scan of the domain address would have alerted the user of fraudulent activity; unfortunately, a high percentage of the emails are read on mobile devices where the form factor does not allow the full display of domain names.
- Using day to day business workflow: The email used the guise of Zoom meeting to extract account credentials. The context for the email attack replicated workflows that already exist in our daily lives. As an everyday Zoom user, it is habitual to click on “Start Meeting”. When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
Guidance and Recommendations
1. Augment native email security with additional controls
The email attack highlighted in this blog got past Microsoft email security. For better protection against email attacks (whether they’re spear phishing, business email compromise or credential phishing attacks like this one), organizations should augment built-in email security with layers, like Armorblox, that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and is a good starting point for evaluation.
2. Watch out for social engineering cues
Since we receive an abundance of emails from service providers, our brains have been trained to quickly execute on the requested actions. It’s best to engage with these emails in a rational and methodical manner whenever possible – easier said than done, we know! A best practice is to perform an ‘eye test’ on the email received that includes inspecting the sender name, email address, language within the email and any logical inconsistencies within the email.
3. Follow MFA and password management best practices
Deploy multi-factor authentication (MFA) on business and personal accounts where possible and don’t use the same password on multiple sites/accounts. Use a password management software like LastPass or 1Password to store your account passwords and avoid using passwords that tie into your publicly available information (date of birth, anniversary date) or generic passwords such as ‘password123’ or ‘YourName123’.
3. Enhance Employee training and awareness
Teach employees to look for visible warning signs – poorly written emails, wrong signature lines and incorrect email addresses.