Cyber-thieves are impersonating videoconferencing platform Zoom to steal victims' Microsoft credentials.
New research published today by Abnormal Security revealed that Zoom users are being targeted with fake notification emails that contain malicious links.
Describing the conceit, researchers said: "This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom. The email masquerades as an automated notification stating that the user has recently missed a scheduled meeting and implores the user to visit the link for more details and a recording of the meeting."
When the user clicks on the legitimate-looking Zoom link, they are taken to a fake Microsoft login page with the name of the user’s organization and "Zoom" above the sign-in location.
"This indicates that the attackers are more interested in the user’s Microsoft credentials, which can be used to access a larger trove of sensitive information," concluded researchers.
The attack was observed across several organizations, with elements such as usernames customized for each recipient.
Although the attackers tried to cover their tracks by making the malicious notifications appear to come from multiple sources, researchers picked up on tell-tale signs indicating that the messages were linked.
"Although the attackers are trying to disguise their location by using many different VPN sources, the messages all look similar, were sent during a short, discrete time period, and use the same VPN services, which leads us to believe that these are coordinated attacks by the same malicious actor," wrote researchers.
Asked how sophisticated this attack was on a scale of one to ten, with ten being the most sophisticated, Abnormal Security's VP of cybersecurity strategy, Ken Liao, rated it a six.
"Our models picked up on the abnormalities of the email, found in the 'Techniques to Detect' image on our blog, which included suspicious features like suspicious IP geolocation as well as unusual sender," Liao told Infosecurity Magazine. "However, the attacker created links with the brand name and customized landing pages for each organization they targeted, so there was some tailoring of the attacks to the specific targets."