Researchers at Abnormal Security have recently spotted an ongoing Office 365 phishing campaign that spoofs an official Zoom email address in order to impersonate a legitimate automated Zoom notification. The body of the email warns victims that their Zoom account has been disabled and urges them to click a button titled “Activate Account.” Clicking the button redirects users to a fake Microsoft login page hosted on a hacked website, which is then used to steal credentials. These credentials can then be sold or reused to gain more of a foothold in a network.
As Business Email Compromise (BEC) attacks cost companies upwards of $26 billion USD between 2016 and 2019, Binary Defense considers this a credible and very real threat. In order to prevent account phishing, Binary Defense recommends carefully confirming that the URL for the Microsoft login page is a Microsoft-owned domain. However, even some Microsoft-owned domains that can be used by Microsoft cloud hosting customers, including the Azure domain windows.net, have been used by attackers to host phishing pages.