New Zoom Phishing Abuses Constant Contact to Bypass SEGs

The challenging year of 2020 saw many businesses increase their reliance on the internet as they shifted to work-from-home workforces. This trend produced a sharp spike in the use of video-conferencing apps, and cyber criminals did not miss the chance to exploit it. Starting in spring 2020, they registered many fake domains to deliver malicious ads and executables. Additionally, the video-conferencing “boom” opened broad opportunities for cyber-espionage. This trend continues to gain momentum this year: in January 2021, security researchers spotted yet another campaign profiting from Zoom phishing.

New Zoom Phishing

The new lure impersonates Zoom support in order to steal credentials. Specifically, users receive a fake email stating that a Zoom server has been upgraded, so all customers must verify their accounts to keep the ability to invite or join calls. The message urges users to follow a link, which redirects them to a phishing page built to harvest credentials. All the emails display “Zoom – no-reply@zoom(.)us” in the “From” field, tricking victims into believing the email actually came from Zoom.

Notably, the phishing emails were sent via the Constant Contact email marketing service. The attackers compromised a single user account to disseminate the emails, presumably in an attempt to bypass Secure Email Gateways (SEGs). Researchers confirm that this method was successful, since the bogus emails were detected in at least five SEG environments.
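The two tells described above are a display name that carries a brand address ("Zoom – no-reply@zoom.us") while the real sender address belongs to a marketing platform, and a verification link whose visible text does not match where it actually points. The following is an added example, not code from the post or the Threat Detection Marketplace rule, of how a mail-triage script can surface both from a raw message using only the Python standard library. The sample email, the marketing-platform and phishing host names, and the addresses in it are all constructed for this example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the lure described in the post:
# the From display name carries "Zoom - no-reply@zoom.us" while the real
# sender address belongs to a third-party marketing platform, and the
# "verify" link text does not match its href. Every host, address and URL
# here is made up for this example.
SAMPLE_EMAIL = b"""Return-Path: <bounce-1234@marketing-platform.example>
Received: from mail.marketing-platform.example ([203.0.113.10])
From: "Zoom - no-reply@zoom.us" <user1234@marketing-platform.example>
To: victim@corp.example
Subject: Action required: Zoom server upgrade
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our Zoom server has been upgraded. Verify your account to keep joining calls.</p>
<p><a href="https://zoom-verify.phish.example/login">https://zoom.us/verify</a></p>
</body></html>
"""

# Brand domains a genuine notice of this kind would come from.
CLAIMED_BRAND_DOMAINS = {"zoom.us"}

# Address-like token inside a display name, capturing its domain part.
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+\.\w+)")
# Plain HTML anchor: href in group 1, visible text in group 2.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage with modern header handling."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_spoof(msg):
    """Return {'claimed': ..., 'actual': ...} when the From display name embeds an
    address from a different domain than the real sender address, else None."""
    name, addr = parseaddr(str(msg["From"]))
    actual = domain_of(addr)
    for claimed in EMBEDDED_ADDR_RE.findall(name):
        claimed = claimed.lower()
        if claimed != actual:
            return {"claimed": claimed, "actual": actual}
    return None


def link_mismatches(msg):
    """Return (href_host, text_host) pairs where the anchor text shows one host
    (a URL or a known brand domain) but the href resolves to another."""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([\w.-]+)", text)
        text_host = shown.group(1).lower() if shown else ""
        if not text_host:
            text_host = next((b for b in CLAIMED_BRAND_DOMAINS if b in text.lower()), "")
        # A subdomain of the shown host is acceptable; anything else is a mismatch.
        if text_host and not (target == text_host or target.endswith("." + text_host)):
            out.append((target, text_host))
    return out


def triage(raw: bytes):
    """Run both checks over a raw message and return human-readable findings."""
    msg = parse_message(raw)
    findings = []
    spoof = display_name_spoof(msg)
    if spoof:
        findings.append(
            f"display-name spoof: claims {spoof['claimed']}, sent from {spoof['actual']}"
        )
    for target, shown in link_mismatches(msg):
        findings.append(f"link mismatch: text suggests {shown}, href points to {target}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print(line)
```

The display-name check is the one that matters for this campaign: SEGs that authenticate the sending domain will see a legitimate marketing platform, so the only header-level inconsistency is between what the display name claims and where the mail actually originates. The link check is a cheap second signal that does not depend on the sender at all.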

Zoom Attack Detection

The SOC Prime team is keeping a close eye on Zoom attacks to deliver lightning-speed detections and ensure proactive defense against such threats. Previously, we published a practical guide on hardening the Zoom service. You can also download almost two dozen rules from Threat Detection Marketplace to strengthen your defense against malicious Zoom domains, fake installers, and bogus invites.

A dedicated community rule for the latest phishing campaign is also already available at Threat Detection Marketplace thanks to Osman Demir, one of the most prolific Threat Bounty developers:

https://tdm.socprime.com/tdm/info/p8hnRPj8Vy7p/4dXzYncBmo5uvpkju4Ha/#rule-context

The rule has translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Spearphishing Link (T1566)

Searching for the best SOC content to enhance your capabilities in combating dynamically emerging cyber-threats? Get a free subscription to Threat Detection Marketplace and reduce the mean time to detect cyber-attacks with our 90,000+ SOC content library. Want to craft your own Sigma rules and enhance your threat hunting initiatives? Join our Threat Bounty program to share your insights with the SOC Prime community!