
Zoom: 1 Phish, 2 Phish Email Attack


Lauryn Cash

This blog examines a credential phishing attack that impersonated the Zoom brand. The email looked like a notification from Zoom and urged victims to follow a link that redirected to a malicious landing page that exfiltrated sensitive PII.


In today’s Blox Tale, we will look at a credential phishing attack that spoofed the brand Zoom in order to steal victims’ Microsoft user credentials.

The email attack had a socially engineered payload, bypassed Microsoft Exchange email security, and would have been delivered to over 21,000 users if Armorblox had not successfully stopped this malicious email attack.


Mailboxes: More than 21,000 mailboxes

Target: National Healthcare Company

Email security bypassed: Microsoft Exchange Email Security

Techniques used: Social engineering, brand impersonation, replicating existing business workflows

The Email

The email was titled “[External] For name of recipient on Today, 2022”; the attacker chose to populate the victim’s name within the title to bring a level of personalization to the attack. The body of the email claimed the recipient had two messages that were awaiting a response. It contained two bad URLs: one associated with the main call-to-action button and the other disguised as an unsubscribe link.


Fig 1: Snapshot of credential phishing email attack impersonating Zoom brand

The email included a Zoom logo at the top in order to instill trust in the recipient that the email communication was a legitimate business email communication from Zoom - instead of a targeted, socially engineered email attack.

The Phishing Page

The main call-to-action button within the email took victims to a fake landing page that looked like a legitimate Microsoft login page. Once there, victims were prompted to enter their Microsoft account password (sensitive PII) in order to verify their identity before being able to view the messages that were awaiting a response.


Fig 2: Snapshot of fake landing page created to exfiltrate user credentials

We see similar styling of this fake landing page across many spoofed Microsoft login pages used within targeted attacks - with the page being dominated by the login prompt and the victim’s email address already being populated (removed from above image for confidentiality). This helps attackers foster a sense of trust in the victims, making them more likely to fall for these types of sophisticated email attacks.

Attack Flow

This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included legitimate logos and company branding across the malicious email and fake landing page, in order to exfiltrate the victims’ sensitive PII data. The socially engineered email was carefully constructed so the victim's curiosity and trust were leveraged, with the goal of exfiltrating user credentials.


Fig 3: Credential phishing email attack flow

The Power of Armorblox

The email attack bypassed native Microsoft Exchange email security controls because it passed all email authentication checks: DKIM, SPF, and DMARC.

Attackers used a valid domain to send this malicious email, with the goal to exfiltrate sensitive PII data. The sender domain received a reputation score of trustworthy and had one infection reported within the past 12 months. Microsoft Exchange Email Security marked this email as safe, which would have delivered it to more than 21,000 users’ mailboxes if it weren’t for Armorblox stopping this attack. Fortunately these end users are protected by Armorblox, who accurately detected this email attack that contained a malicious URL. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to provide organizations and end users better protection from these types of targeted, socially engineered email attacks.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (Zoom) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email and fake landing pages included branding similar to legitimate Zoom branding found across communications and the website. The information included within the body of the email attack is similar to legitimate notification email communications, plus the logos used within both the email and landing page are the same in order to try and trick the victim and instill trust.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and Armorblox highlights this in the 2022 Email Security Threat Report; these should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
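The sketch below automates part of that eye test and shows why passing SPF, DKIM and DMARC (as this email did) says nothing about whether the sender is the brand it claims to be. It is an added example, not Armorblox's detection logic; the brand allow-list, the function names and the sample message with its example.net placeholder hosts are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated brand really uses (illustrative allow-list).
BRAND_DOMAINS = {"zoom": {"zoom.us", "zoom.com"}}

# Constructed sample modelled on the email described above; all hosts are placeholders.
SAMPLE = """\
From: "Zoom" <notify@mailer.example.net>
To: jane.doe@example.org
Subject: [External] For Jane Doe on Today, 2022
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net; dmarc=pass header.from=mailer.example.net
Content-Type: text/html

<img alt="Zoom"><p>You have 2 messages awaiting a response.</p>
<a href="https://login.example.net/view?u=jane.doe@example.org">Review messages</a>
<a href="https://example.net/unsub">Unsubscribe</a>
"""

def under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    # SPF/DKIM/DMARC verdicts as recorded by the receiving server.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # The brand is "claimed" when it appears in the display name or subject.
        if brand not in f"{display} {msg.get('Subject', '')}".lower():
            continue
        if not under(sender_domain, domains):
            findings.append(f"display name claims {brand} but sender is {sender_domain}")
        for url in re.findall(r'href=["\']([^"\']+)', body):
            host = urlparse(url).hostname
            if not under(host, domains):
                findings.append(f"link leaves {brand} domains: {host}")
    return {"auth": auth, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Authentication passes on the sample because the sender's own domain is correctly configured; the findings come from the mismatch between the claimed brand and where the mail and its links actually point.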

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software like LastPass or 1Password to store your account passwords.
