Threat Watch

Ongoing Office 365 Phish Uses Fake Zoom Suspension Alerts

Researchers at Abnormal Security have recently spotted an ongoing Office 365 phishing campaign that spoofs an official Zoom email address to impersonate a legitimate automated Zoom notification. The body of the email warns victims that their Zoom account has been disabled and urges them to click a button titled “Activate Account.” Clicking the button redirects users to a fake Microsoft login page hosted on a hacked website, where any credentials they enter are stolen. These credentials can then be sold or reused to gain more of a foothold in a network.

ANALYST NOTES

Because Business Email Compromise (BEC) attacks cost companies upwards of $26 billion USD between 2016 and 2019, Binary Defense considers this a credible and very real threat. To prevent account phishing, Binary Defense recommends carefully confirming that the URL for the Microsoft login page is a Microsoft-owned domain. That check alone is not sufficient, however: some Microsoft-owned domains can be used by Microsoft cloud hosting customers, and attackers have used them, including the Azure domain windows.net, to host phishing pages.
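The check recommended above can be automated for links pulled from reported emails. The following is an added example, not code from Binary Defense or Abnormal Security: it matches the exact hostname against a short allowlist and separately flags Microsoft-owned domains that customers can host content on. The allowlist contents, the function name and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine Microsoft sign-in endpoints.
# Adjust to the sign-in hosts your organisation actually uses.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Microsoft-owned suffixes where cloud customers can publish their own pages.
# windows.net is the one named in the analyst notes.
CUSTOMER_HOSTED_SUFFIXES = ("windows.net",)


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'customer-hosted' or 'untrusted' for a sign-in link."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "untrusted"
    # .hostname drops any userinfo ("user@") and port and is lower-cased,
    # so "https://login.microsoftonline.com@example.net/" yields example.net.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "untrusted"
    # Exact match only: a substring or prefix test would accept
    # "login.microsoftonline.com.example.net".
    if host in LOGIN_HOSTS:
        return "trusted"
    # Microsoft owns the domain, but the page content belongs to a customer.
    if any(host == s or host.endswith("." + s) for s in CUSTOMER_HOSTED_SUFFIXES):
        return "customer-hosted"
    return "untrusted"


# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.example.net/signin",
    "https://login.microsoftonline.com@example.net/",
    "https://example123.blob.core.windows.net/login/index.html",
    "http://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_login_url(sample):16} {sample}")
```

A 'customer-hosted' result should be handled like 'untrusted' for credential entry; it is reported separately so analysts can see when a phishing page is sitting on Microsoft infrastructure.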

https://www.bleepingcomputer.com/news/security/persuasive-office-365-phishing-uses-fake-zoom-suspension-alerts/