Fake Zoom Call Lures for Zoom Workplace Credentials

A new phishing campaign exploits fake Zoom connection issues to steal user credentials through deceptive emails and realistic fake Zoom meeting pages. The attack uses urgency tactics and URL masking to trick victims into entering login details, which are then exfiltrated via Telegram. #ZoomPhishing #CirrusInsight #Telegram #CredentialHarvesting

Keypoints

  • Threat actors send phishing emails with urgent Zoom-themed messages to create a sense of panic and prompt quick action.
  • The phishing email contains a deceptive Zoom meeting hyperlink that uses URL masking and multiple redirects to a fake landing page.
  • The fake Zoom meeting page mimics legitimate Zoom visuals and displays a “meeting connection timed out” message before redirecting to a credential harvesting login form.
  • The phishing login page pre-fills the user’s email address to increase credibility and lure victims into submitting their passwords.
  • Exfiltration of captured credentials, along with IP address and location data, occurs via Telegram’s messaging API, sending data directly to the threat actors.
  • This phishing method exploits employee reliance on Zoom credentials, risking lateral movement and potential Advanced Persistent Threats (APTs) inside affected organizations.
  • Cofense combines phishing detection, rapid remediation, and real-time security awareness training to combat such sophisticated phishing tactics.

MITRE Techniques

  • [T1566] Phishing – Threat actors send emails impersonating Zoom with urgency to deceive users into clicking malicious links (‘Email body uses phrases like “URGENT – Emergency Meeting” and “critical issue” to induce haste’).
  • [T1204] User Execution – Victims are manipulated to click on deceptive hyperlinks and enter credentials on phishing pages (‘Users click on Zoom-themed URLs that redirect through masked URLs to a fake login page’).
  • [T1086] PowerShell – Although not explicitly mentioned, the data exfiltration via Telegram messaging API suggests possible command-line or script usage to send stolen credentials (‘Credentials along with IP and region are exfiltrated via Telegram’).
  • [T1176] Browser Bookmark Modification – The campaign uses URL masking with links like ‘tracking.cirrusinsight.com’ and multiple redirects to hide the final malicious landing page (‘Deceptive hyperlinking or URL masking with multiple redirects to a malicious landing page’).

Indicators of Compromise

  • [URL] Phishing and payload delivery URLs – hxxps://tracking.cirrusinsight.com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl, hxxps://pub-51656ae3d0ef4f2ba59cdfc6830c8098.r2.dev/meeting.htm
  • [IP Address] Infection and payload IPs – 18.209.207.253, 149.154.167.220, 172.67.193.64, 104.21.92.123
  • [Domain] Malicious domains involved in redirection – tracking.cirrusinsight.com, one.ebext.in, hubs.ly
  • [Telegram Bot] Exfiltration endpoint – api.telegram.org/bot7643846141:AAH3xkttszS0hQgqj7PaS_f7XetLz-_DTQc/sendMessage
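The chain described in the Keypoints (tracking redirector, fake meeting page on r2.dev, then a Telegram Bot API call carrying the credentials) maps directly onto a proxy-log detection. The Python below is an added example, not code from Cofense or from the original post: it matches the indicators listed above against constructed proxy records in an assumed `src=<ip> dst=<ip> url=<url>` format and correlates per source host. The record format, severity labels and the sample destination-IP pairings are assumptions; the domains, IPs and bot token are the ones listed on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the IoC list above; defanged "hxxps" is not used here
# because proxy logs carry the real scheme.
IOC_DOMAINS = {
    "tracking.cirrusinsight.com",
    "one.ebext.in",
    "hubs.ly",
    "pub-51656ae3d0ef4f2ba59cdfc6830c8098.r2.dev",
}
IOC_IPS = {"18.209.207.253", "149.154.167.220", "172.67.193.64", "104.21.92.123"}
IOC_BOT_TOKEN = "7643846141:AAH3xkttszS0hQgqj7PaS_f7XetLz-_DTQc"

# Generic pattern: a user workstation's browser has no normal reason to call
# api.telegram.org/bot<token>/sendMessage, so any token is worth an alert;
# the token from the page raises the severity further.
TELEGRAM_SEND_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/sendMessage")


@dataclass
class Alert:
    line_no: int
    src: str
    kind: str       # "exfil", "redirector" or "ip"
    severity: str   # assumed labels: low / medium / high
    reason: str


def parse_line(line):
    """Parse one constructed 'src=<ip> dst=<ip> url=<url>' proxy record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["url"]


def scan_proxy_log(lines):
    """Return one Alert per record that matches an indicator from the page."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        src, dst, url = parse_line(line)
        host = urlparse(url).hostname or ""
        m = TELEGRAM_SEND_RE.search(url)
        if m:
            token = m.group(1)
            sev = "high" if token == IOC_BOT_TOKEN else "medium"
            alerts.append(Alert(n, src, "exfil", sev,
                                f"Telegram Bot API sendMessage (token {token[:10]}...)"))
        elif host in IOC_DOMAINS:
            # Redirector hits are low confidence on their own: some of these are
            # shared tracking/shortener services that also carry legitimate mail.
            alerts.append(Alert(n, src, "redirector", "low", f"IoC domain {host}"))
        elif dst in IOC_IPS:
            alerts.append(Alert(n, src, "ip", "low", f"IoC destination IP {dst}"))
    return alerts


def victims_with_full_chain(alerts):
    """Source hosts that touched a redirector/landing IoC AND made the Bot API call.

    That combination is the credential-submission step from the Keypoints, so
    these hosts are the ones whose users most likely entered a password.
    """
    kinds_by_src = {}
    for a in alerts:
        kinds_by_src.setdefault(a.src, set()).add(a.kind)
    return sorted(src for src, kinds in kinds_by_src.items()
                  if "exfil" in kinds and kinds & {"redirector", "ip"})


# Constructed sample records (the src/dst pairings are invented for the demo).
SAMPLE_LOG = """\
src=10.20.30.41 dst=104.21.92.123 url=https://tracking.cirrusinsight.com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl
src=10.20.30.41 dst=172.67.193.64 url=https://pub-51656ae3d0ef4f2ba59cdfc6830c8098.r2.dev/meeting.htm
src=10.20.30.41 dst=149.154.167.220 url=https://api.telegram.org/bot7643846141:AAH3xkttszS0hQgqj7PaS_f7XetLz-_DTQc/sendMessage
src=10.20.30.77 dst=203.0.113.10 url=https://example.com/zoom-faq
src=10.20.30.99 dst=149.154.167.220 url=https://api.telegram.org/bot1234567890:AAExampleTokenConstructedForTest/sendMessage
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"line {a.line_no}: {a.src} [{a.severity}] {a.reason}")
    print("full-chain victims:", victims_with_full_chain(found))
```

The generic Telegram regex catches the exfiltration step whatever bot token a future campaign uses, while the listed redirector domains are rated low alone and only escalate a host when the same source also makes the Bot API call, which keeps shared tracking services from generating a flood of false positives.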


Read more: https://cofense.com/blog/fake-zoom-call-lures-for-zoom-workplace-credentials