A phishing campaign using a fake Zoom notification is targeting employees in an effort to steal Office 365 credentials, looking to trick people into entering their user names and passwords into a lookalike website.
With employees of so many companies working from home, people have switched to cloud apps in greater numbers. That includes Office 365 apps, which also happen to be greatly sought after hackers.
Such credentials are of use to bad actors looking to compromise systems and networks via remote desktop protocol (RDP) vectors or other methods. Since people tend to reuse credentials on multiple services, having access directly to stolen Office 365 credentials are very useful.
The attack was identified by Abnormal Security, which noted that the campaign was very short-lived, albeit intense, and distributed via the same VPN service. The similar text models also indicated a common attacker.
“This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom” says the notification. “The email masquerades as an automated notification stating that the user has recently missed a scheduled meeting and implores the user to visit the link for more details and a recording of the meeting.”
The fake landing page is an exact copy of the Microsoft login page, giving the attack more credence, but it’s designed to steal credentials. Employees should always be wary of emails asking for their user names and passwords, even when the linked website appears genuine.
If you think that you’ve ever entered your Office 365 credentials in a phishing website, notify the IT department and change your password. As usual, it’s imperative to never use the same credentials on multiple websites and to choose a strong and unique password every time. If possible, activate two-factor authentication.
Such phishing campaigns usually target employees for their remote access to the company’s infrastructure. While such access was much less available before the pandemic, many more people have been granted access, and that only means a much larger surface attack area.