Keypoints
- Attackers send emails appearing to come from [email protected] containing a Zoom Docs link framed as a shared file or contract proposal.
- The Zoom Docs page contains a “Download Secure Attachment” link that redirects victims into the phishing flow.
- The campaign fingerprints the visitor’s operating system and only serves the credential capture page to Windows users.
- Windows visitors are presented with a convincing fake Microsoft login page to harvest credentials.
- Non-Windows visitors are shown a different, non-phishing landing page, indicating environment-aware delivery.
- The use of legitimate Zoom-hosted URLs reduces obvious indicators and increases the chance of successful clicks.
- Observed IOCs include specific Zoom Docs and redirect URLs and several IP addresses used by the infrastructure.
MITRE Techniques
- [T1566] Phishing – Actors send emails with legitimate Zoom Docs links to lure recipients and induce credential entry (‘through legitimate Zoom Docs links’).
- [T1003] Credential Dumping – The campaign captures account credentials by directing victims to a fake Microsoft login page (‘fake Microsoft login page to capture credentials’).
- [T1199] Exploitation of Trust Relationships – The phish exploits trust in Zoom and Microsoft services to reduce suspicion and increase click-through (‘exploits the trust associated with Zoom and Microsoft’).
Indicators of Compromise
- [URL] Malicious landing and redirect URLs observed in the campaign – hXXps://docs[.]zoom[.]us/doc/ixBg3fu7R7q8HF0LbqxETw?from=email, hXXps://entertaininmotionre[.]pro/IQCm/
- [IP address] Infrastructure IPs linked to redirects/hosts – 170.114.52.96, 104.21.37.223, 172.67.213.235
The technical flow begins with an email crafted to appear from [email protected] that links to a legitimate Zoom Docs resource presented as a shared contract or secure attachment. The Zoom Docs page contains a “Download Secure Attachment” link that initiates a redirect chain; the page is deliberately written to create urgency and push users to click without scrutiny.
Upon redirect, the infrastructure performs environment checks (OS fingerprinting). If the visitor is identified as running Windows, they are routed to a cloned Microsoft login page that captures credentials. Non-Windows visitors are instead shown a benign or alternate landing page, demonstrating selective delivery aimed at maximizing credential collection while minimizing detection.
From a detection and response perspective, monitor for Zoom-hosted links that redirect to external domains, inspect redirect chains and user-agent/OS-based content decisions, and flag unexpected use of the [email protected] sender address. The known IOCs include the Zoom Docs URL and the entertaininmotionre[.]pro redirect, plus IPs 170.114.52.96, 104.21.37.223, and 172.67.213.235, which should be used for network and log hunts.
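The detection guidance above, as an added example that is not part of the Cofense write-up: a Python script that parses constructed proxy-log lines (the log format, the internal source IPs, the `os=` client labels, and the two `.invalid` destination hosts are assumptions) and applies three checks drawn from the text: matching the listed URL and IP IOCs, flagging hops that leave a Zoom-hosted page for an external domain, and surfacing redirect hops whose next destination differs by client OS.

```python
"""Hunt constructed proxy logs for the Zoom Docs phishing chain described above.

Added example, not code from the Cofense post. The IOCs are the ones listed on
the page; the log lines, source IPs and .invalid hosts are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# IOCs as listed on the page (defanged), refanged below for matching.
DEFANGED_IOC_URLS = [
    "hXXps://docs[.]zoom[.]us/doc/ixBg3fu7R7q8HF0LbqxETw?from=email",
    "hXXps://entertaininmotionre[.]pro/IQCm/",
]
IOC_IPS = {"170.114.52.96", "104.21.37.223", "172.67.213.235"}

# Shared SaaS hosts are matched only by full URL, never by hostname alone,
# otherwise every Zoom Docs request in the estate would light up.
SHARED_SAAS_SUFFIXES = ("zoom.us",)


def refang(indicator: str) -> str:
    return indicator.replace("hXXp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_shared_saas(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SHARED_SAAS_SUFFIXES)


IOC_URLS = {refang(u) for u in DEFANGED_IOC_URLS}
IOC_HOSTS = {host_of(u) for u in IOC_URLS if not is_shared_saas(host_of(u))}

# Constructed log format (hypothetical): timestamp, client IP, client OS family,
# referer, requested URL, resolved destination IP, HTTP status.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) os=(?P<os>\S+) ref="(?P<ref>[^"]*)" '
    r'url="(?P<url>[^"]*)" dst=(?P<dst>\S+) status=(?P<status>\d{3})$'
)

SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.0.0.5 os=Windows ref="-" url="https://docs.zoom.us/doc/ixBg3fu7R7q8HF0LbqxETw?from=email" dst=170.114.52.96 status=200
2024-01-01T10:00:09Z src=10.0.0.5 os=Windows ref="https://docs.zoom.us/doc/ixBg3fu7R7q8HF0LbqxETw?from=email" url="https://entertaininmotionre.pro/IQCm/" dst=104.21.37.223 status=302
2024-01-01T10:00:10Z src=10.0.0.5 os=Windows ref="https://entertaininmotionre.pro/IQCm/" url="https://login-example.invalid/office365" dst=198.51.100.7 status=200
2024-01-01T10:05:03Z src=10.0.0.9 os=macOS ref="-" url="https://docs.zoom.us/doc/ixBg3fu7R7q8HF0LbqxETw?from=email" dst=170.114.52.96 status=200
2024-01-01T10:05:08Z src=10.0.0.9 os=macOS ref="https://docs.zoom.us/doc/ixBg3fu7R7q8HF0LbqxETw?from=email" url="https://entertaininmotionre.pro/IQCm/" dst=104.21.37.223 status=302
2024-01-01T10:05:09Z src=10.0.0.9 os=macOS ref="https://entertaininmotionre.pro/IQCm/" url="https://benign-landing.invalid/" dst=203.0.113.4 status=200
2024-01-01T11:00:00Z src=10.0.0.12 os=Windows ref="-" url="https://docs.zoom.us/doc/legitimate-team-notes" dst=170.114.52.96 status=200
"""


def parse_log(text: str) -> list[dict]:
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def ioc_hits(records: list[dict]) -> list[tuple]:
    """(src, url, reasons) for every record touching a listed URL, host or IP."""
    hits = []
    for r in records:
        reasons = []
        if r["url"] in IOC_URLS:
            reasons.append("url")
        elif host_of(r["url"]) in IOC_HOSTS:
            reasons.append("host")
        if r["dst"] in IOC_IPS:
            reasons.append("dst_ip")
        if reasons:
            hits.append((r["src"], r["url"], reasons))
    return hits


def zoom_external_redirects(records: list[dict]) -> list[tuple]:
    """Hops whose referer is a Zoom-hosted page but whose target is not Zoom."""
    out = []
    for r in records:
        ref_host, url_host = host_of(r["ref"]), host_of(r["url"])
        if is_shared_saas(ref_host) and url_host and not is_shared_saas(url_host):
            out.append((r["src"], r["os"], r["ref"], r["url"]))
    return out


def os_divergent_destinations(records: list[dict]) -> dict:
    """Redirect hops where clients on different OS families landed on different hosts."""
    by_ref = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["ref"] != "-":
            by_ref[r["ref"]][r["os"]].add(host_of(r["url"]))
    divergent = {}
    for ref, per_os in by_ref.items():
        if len(per_os) > 1 and len({frozenset(h) for h in per_os.values()}) > 1:
            divergent[ref] = {os_: sorted(hosts) for os_, hosts in per_os.items()}
    return divergent


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(recs):
        print("IOC hit:", hit)
    for hop in zoom_external_redirects(recs):
        print("Zoom -> external:", hop)
    for ref, per_os in os_divergent_destinations(recs).items():
        print("OS-dependent redirect after", ref, per_os)
```

Triage the three outputs differently: a full-URL match on the Zoom Docs link or any hit on the attacker-controlled domain is high confidence, an IP-only hit on a shared SaaS host (the last constructed line) is low confidence and only worth a look alongside other signals, and a hop that sends Windows and non-Windows clients to different hosts is exactly the environment-aware behaviour the report describes, so it deserves a sandbox detonation with both user agents.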
Read more: https://cofense.com/blog/from-collaboration-to-deception-the-zoom-phishing-threat