A new phishing attack is targeting Microsoft 365 (formerly Office 365) users in the form of an email notification for a Zoom account suspension. The email aims to steal users’ Microsoft 365 credentials. The attack was spotted and documented by Abnormal Security (via BleepingComputer).
The attack seems similar to the one that was spotted in May, where a fake Teams email would navigate users to a duplicate Office 365 login page. With the popularity and adoption of Zoom increasing due to increased remote collaboration during the pandemic, such account suspension emails pique users' interest and seem to warrant immediate attention. In this case, users mostly rush to correct the problem without any suspicion, to avoid losing access to a tool whose loss may hinder their work.
The email for the Zoom suspension notification interestingly comes from an email address that spoofs the official domain, says the source. It mimics an automated email notification that links to a fake Microsoft 365 login page, prompting users to enter their Office 365 credentials. The credentials are then compromised by hackers. The research firm adds that the phishing email has been served to more than 50,000 users.
One sign that points to the illegitimacy of the email is the “zoom” branding in the email body without the capitalization of the first letter. Even if users click on the ‘Activate Account’ link in the email, the ‘Outlook’ logo or the domain of the Office 365 login page are telltale signs. The stolen credentials could be used in Business Email Compromise (BEC) scams that exploit cloud email services like Microsoft 365 and Google G Suite.
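The two signs above can also be checked by a mail filter before anyone clicks. The following is an added example, not code from Abnormal Security or from this article: it flags a lowercase "zoom" in the visible text and any link that leaves Zoom's domain. The names `findings`, `on_domain` and `LinkCollector` are hypothetical, `zoom.us` is assumed to be the only legitimate domain, and the sample message with its `login.example.net` host is constructed.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = ("zoom.us",)  # assumption: the only domain treated as Zoom-owned

class LinkCollector(HTMLParser):
    # Collects visible text and [href, label] pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.text, self.links, self._in_a = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
    def handle_data(self, data):
        self.text.append(data)
        if self._in_a:
            self.links[-1][1] += data

def on_domain(host, domains):
    # Exact match or true subdomain; "zoom.us.example.net" does not qualify.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def findings(raw):
    msg = message_from_string(raw, policy=default)
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    out = []
    # Sign 1: brand name written without the capital letter in visible text.
    if re.search(r"\bzoom\b", " ".join(parser.text)):
        out.append("lowercase-brand")
    # Sign 2: a link in a Zoom-branded notice that leaves Zoom's domain.
    for href, label in parser.links:
        host = urlparse(href).hostname
        if not on_domain(host, LEGIT_DOMAINS):
            out.append(f"off-domain-link:{label.strip()}:{host}")
    return out

# Constructed sample message; login.example.net is a placeholder host.
SAMPLE = """\
From: Zoom <no-reply@zoom.us>
Content-Type: text/html; charset="utf-8"

<p>Your zoom account is suspended.</p>
<a href="https://login.example.net/o365">Activate Account</a>
"""
```

Because the sender address in this campaign spoofs the official domain, the check deliberately ignores the `From` header and looks only at the body text and link targets.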