VTA-00355 – Zoom Phishing Email:
1. Share this security advisory with your end users so they are alert to this phishing threat.
2. Configure the IOC information provided below into your current network, perimeter and endpoint threat defense mechanisms, e.g. Endpoint Advanced Threat Protection (ATP), Network Firewall, Web Application Firewall (WAF), and Email and Web Content Filtering Policies, where applicable.
3. Download and install OTX Endpoint Security. Subscribe to Provintell-Lab’s OTX pulses and scan endpoints for the presence of IOCs.
Zoom is one of the most popular cloud-based video conferencing services and has been heavily used during this pandemic. Threat actors are taking advantage of this and trying to abuse these well-known video conferencing services. Cofense Phishing Defense Center (PDC) has analyzed an email in which the attacker impersonates Zoom.
The email claims that a Zoom server upgrade had gone down and that the recipient will not be able to invite or join calls unless they verify their account. The attacker used Constant Contact to deliver the phishing email, which can be used to bypass various Secure Email Gateways (SEGs). Once the victim clicks the “Activated Now” button, Constant Contact’s tracking URL redirects the user to a fake Microsoft login page. Credentials entered into this login page are harvested by the attacker, and the victim is then redirected to a Microsoft inbox.
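The redirect chain described above (Zoom-themed lure, click-tracking hop, Microsoft-lookalike login on a host that is not Microsoft's) can be triaged mechanically. The following is an added example, not code from the advisory or from Cofense; the tracking and landing hosts, the redirect map and the allowlist of Microsoft sign-in hosts are constructed placeholders, not indicators from this advisory.

```python
from urllib.parse import urlparse

# Constructed sample data (placeholders, not indicators from the advisory):
# one click-tracking hop standing in for the email service provider's redirect
# (Constant Contact in the advisory) and the attacker's Microsoft-lookalike page.
REDIRECTS = {
    "https://tracking.esp-placeholder.example/ls/click?upn=abc123":
        "https://account-verify.placeholder.example/login",
}
LANDING_PAGES = {
    "https://account-verify.placeholder.example/login": (
        "<title>Sign in to your Microsoft account</title>"
        '<form action="post.php" method="post">'
        '<input name="loginfmt"><input type="password" name="passwd"></form>'
    ),
}
# Assumed allowlist of hosts that legitimately serve Microsoft sign-in pages.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def resolve_chain(url, max_hops=5):
    """Follow the constructed redirect map and return every hop in order."""
    chain = [url]
    while len(chain) <= max_hops and chain[-1] in REDIRECTS:
        chain.append(REDIRECTS[chain[-1]])
    return chain

def asks_for_microsoft_credentials(html):
    """Microsoft branding together with a password field marks a credential prompt."""
    lower = html.lower()
    return "microsoft" in lower and 'type="password"' in lower

def triage_email(subject, body_text, link):
    """Return the reasons a message matches the Zoom-lure-to-fake-Microsoft-login pattern."""
    findings = []
    chain = resolve_chain(link)
    final_url = chain[-1]
    final_host = urlparse(final_url).hostname or ""
    page = LANDING_PAGES.get(final_url, "")
    zoom_lure = "zoom" in (subject + " " + body_text).lower()
    cred_prompt = asks_for_microsoft_credentials(page)
    if len(chain) > 1:
        findings.append("link passes through a tracking/redirect hop before the landing page")
    if cred_prompt and final_host not in MICROSOFT_LOGIN_HOSTS:
        findings.append(f"Microsoft-branded login served from non-Microsoft host {final_host}")
    if zoom_lure and cred_prompt:
        findings.append("Zoom-themed lure ends at a Microsoft credential prompt (brand mismatch)")
    return findings

if __name__ == "__main__":
    for hit in triage_email("Zoom: verify your account", "Server upgrade, click Activated Now",
                            "https://tracking.esp-placeholder.example/ls/click?upn=abc123"):
        print(hit)
```

In a real pipeline the two dictionaries would be replaced by an actual URL detonation service and fetched page content; the three checks stay the same.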
MITRE ATT&CK Tactics: Initial Access, Reconnaissance
MITRE ATT&CK Techniques: Phishing for Information, Phishing
Indicator of Compromise (IOC) Detection:
Contributed by: Mr22k