Threat Hunting Content: Phishing Campaign Using Zoom Invites

Zoom-themed lures continue to be actively used by cybercriminals and sit among the top ten most used topics in phishing campaigns. From the very beginning of the lockdown, as Zoom's popularity grew, the number of attacks increased, and even after researchers discovered serious security problems with the service, many organizations continued to use it.

On this issue, we previously published a practical guide to hardening the Zoom service, and there are already over a dozen rules available in Threat Detection Marketplace for detecting malicious domains, fake installers, and more. The list of rules can be found here.

Today, in our Threat Hunting Content column, we present the community rule submitted by Osman Demir that detects a phishing campaign using Zoom invites: https://tdm.socprime.com/tdm/info/3VenDiAFwIuY/mU-9t3IBQAH5UgbBW2bJ/?p=1

Researchers from Cofense observed a new phishing campaign that poses as a video conference invitation in order to harvest users' Microsoft credentials. The campaign is aimed primarily at remote workers who are unfamiliar with teleconferencing and with the emails that accompany the service. Some users may not have the best home office setup and work on monitors that barely afford them a proper view, making it difficult to examine these emails closely. The email itself is reminiscent of a legitimate communication: the blue Zoom logo, a vague mention of a video conference for the user to join, and a link to "review" said invitation. It is inconspicuous enough and mostly free of grammatical mistakes. The giveaway is the link: a genuine Zoom invitation points at a Zoom-owned domain, whereas the lure's link leads to a credential-harvesting page.
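As an added example (this is not the TDM rule itself, whose logic lives on the marketplace, nor Cofense's code), the following Python script sketches one way to hunt for this lure in parsed email data: it looks for Zoom-themed subjects or bodies whose links do not resolve to a Zoom-owned domain. The list of legitimate Zoom domains, the lure keywords, and the sample messages are assumptions constructed for this illustration. It deliberately handles two lookalike tricks a naive "contains zoom.us" check misses: a Zoom domain used as a subdomain prefix (zoom.us.example.net) and a Zoom domain stuffed into the URL userinfo part (http://zoom.us@login.example.net/).

```python
"""Hunt for Zoom-themed emails whose 'join'/'review invitation' link points
outside Zoom-owned domains. Added example with constructed sample data; it
is not the marketplace rule and not Cofense's code."""
import re
from urllib.parse import urlparse

# Assumption: domains Zoom legitimately uses for meeting links. Extend with
# your tenant's vanity subdomain if you allow-list it explicitly.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")

# Lure vocabulary seen in the campaign description (assumed keyword list).
ZOOM_LURE = re.compile(r"\b(zoom|video\s*conference|meeting\s*invit)", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def host_is_zoom(host: str) -> bool:
    """True only for a Zoom domain or a subdomain of one.
    Suffix matching with the leading dot rejects 'notzoom.us' and
    'zoom.us.example.net', which a substring check would accept."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


def suspicious_links(text: str) -> list:
    """Return every URL in the text whose real host is not Zoom-owned.
    urlparse().hostname strips userinfo, so 'http://zoom.us@evil.example/'
    is attributed to evil.example, not zoom.us."""
    bad = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not host_is_zoom(host):
            bad.append(url)
    return bad


def classify(msg: dict) -> dict:
    """Flag a message only when it is Zoom-themed AND carries a non-Zoom link.
    Unthemed mail with external links is normal and must not alert."""
    themed = bool(ZOOM_LURE.search(msg["subject"] + " " + msg["body"]))
    bad = suspicious_links(msg["body"]) if themed else []
    return {"subject": msg["subject"], "themed": themed,
            "suspicious_links": bad, "alert": themed and bool(bad)}


def alerting_subjects(messages: list) -> list:
    """Subjects of all messages that alert, in input order."""
    return [r["subject"] for r in map(classify, messages) if r["alert"]]


# Constructed sample messages (not real campaign artifacts).
SAMPLES = [
    {"subject": "Zoom meeting invitation",
     "body": "Join: https://us02web.zoom.us/j/1234567890"},            # legit
    {"subject": "Zoom Video Conference",
     "body": "Review your invitation: https://zoom.us.example.net/review"},
    {"subject": "Video conference invitation",
     "body": "Join here: http://zoom.us@login.example.net/invite"},
    {"subject": "Lunch menu",
     "body": "See https://intranet.example.net/menu"},                   # unthemed
]

if __name__ == "__main__":
    for result in map(classify, SAMPLES):
        print(result)
```

This is a triage heuristic, not a replacement for the rule: attackers also abuse legitimate redirectors and file-sharing hosts, so a non-Zoom link is a starting point for pivoting into proxy logs for the landing page, not a verdict on its own.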

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Initial Access

Techniques: Spearphishing Link (T1192; in current ATT&CK versions this ID has been retired and the technique is the sub-technique Phishing: Spearphishing Link, T1566.002)