Keypoints
- Email contained an HTML attachment (filename includes a date) used as the first-stage payload.
- Attackers used a Zoom-like domain and placed an “Access Key” in the email body to increase perceived legitimacy.
- Opening the HTML shows a page that repeats the access key and prompts the user to click a link that requests the key again.
- Submitting the key and completing captcha-like checks triggers a download hosted on an AWS URL masquerading as a Zoom download link, then redirects to the legitimate Zoom site.
- The downloaded file opens a poorly rendered Microsoft-themed login page (Outlook/Teams), with the victim’s email pre-populated and the password requested twice to confirm entry.
- Key red flags: inconsistent branding (Zoom → Outlook/Teams), unsolicited access key prompt, and AWS-hosted payload disguised as a Zoom resource.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign delivered a malicious HTML attachment as the first stage: ‘The attachment, which includes the date in the name, is an HTML file that will act as the first stage of the attack.’
- [T1204.002] User Execution: Malicious Link – The page prompts the user to click and enter the access key, engaging them to allow a download: ‘Once the link is clicked a prompt appears asking for the access key previously mentioned… the actual purpose of this input is to engage the user to allow for another download to occur.’
- [T1105] Ingress Tool Transfer – A file is downloaded from an external host (AWS) to the victim machine: ‘One thing to watch out for also is the URL used to host the download here. It is an AWS URL disguised as though it were a legitimate Zoom URL.’
- [T1566.002] Spearphishing Link – The workflow leads victims through linked content and redirects to credential-capturing pages: the HTML redirects and link flow culminate in a fake login to harvest credentials as described in the article.
- [T1036] Masquerading – The campaign uses a Zoom-esque domain, AWS-hosted resources disguised as Zoom, and a final redirect to the legitimate Zoom page to appear authentic: ‘We note the use of a Zoom-esque domain.’
Indicators of Compromise
- [Domain] phishing sender/links – Zoom-esque domain used in the email and links (no exact domain provided in article).
- [URL] download host – AWS hosted download URL disguised as Zoom (article notes an “AWS URL disguised as though it were a legitimate Zoom URL”).
- [File] initial attachment – malicious .html attachment with date in filename (used as first-stage dropper).
- [File] downloaded payload – file downloaded after supplying access key and captcha checks (filename not specified in article).
- [Source] reporting link – Cofense blog post documenting the campaign – https://cofense.com/blog/access-key-used-in-voice-messaged-phishing/
The technical procedure begins with a targeted phishing email that contains a dated HTML attachment. When the recipient opens that attachment, it displays a landing page that reiterates an “Access Key” shown in the email to signal legitimacy and prompts the user to click a link to “view the message.” That click opens a prompt where the user is asked to re-enter the access key and pass through several captcha-like checks; the interaction is designed to persuade the user to permit an additional download.
After the user supplies the access key and completes the checks, the page initiates a download of a file served from an AWS URL that is disguised to resemble a legitimate Zoom resource. Following the download, the site redirects the browser to the real Zoom page to reduce suspicion. The downloaded file, when executed locally, renders a poorly formatted Microsoft-themed login interface (referencing Outlook and Teams) and pre-populates the user’s email address to focus on harvesting the password.
The credential-capture flow requests the password twice (a common technique to confirm correctness) and then displays a looping Outlook animation while credentials are exfiltrated. Technical indicators to watch for include unexpected .html attachments with dates in the filename, requests for one-time “access keys” inside emails, AWS-hosted download URLs presented as Zoom links, and inconsistent branding that switches from Zoom to Microsoft login prompts.
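Detection logic for the indicators just listed, added here as an example; it is not code from the Cofense write-up. It parses a raw message with Python's standard email library and flags three of the reported traits: an HTML attachment (with or without a date in its name), the "access key" wording in a body or attachment, and an anchor whose target sits on an AWS hosting domain while the link text or path is dressed up as Zoom. The sender addresses, file names, key value, bucket-style URL and the AWS domain suffixes checked are all constructed assumptions for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Dates embedded in a file name, e.g. 2024-03-12, 20240312, 12-03-2024 (assumed pattern).
DATE_IN_NAME = re.compile(r"\d{4}[-_]?\d{2}[-_]?\d{2}|\d{2}[-_]\d{2}[-_]\d{4}")
ACCESS_KEY = re.compile(r"\baccess\s*key\b", re.IGNORECASE)
# Hosting domains treated as "AWS-hosted" for this check (assumption; extend as needed).
AWS_SUFFIXES = ("amazonaws.com", "cloudfront.net")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def aws_hosted_zoom_lookalike(href, text=""):
    """True when a link is served from an AWS domain but presented as a Zoom resource."""
    host = (urlparse(href).hostname or "").lower()
    on_aws = any(host == s or host.endswith("." + s) for s in AWS_SUFFIXES)
    looks_like_zoom = "zoom" in href.lower() or "zoom" in text.lower()
    return on_aws and looks_like_zoom


def scan_message(raw):
    """Return the indicator labels found in a raw RFC 5322 message (deduplicated, in walk order)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        if part.get_content_disposition() == "attachment" and (
            ctype == "text/html" or filename.lower().endswith((".html", ".htm"))
        ):
            findings.append(f"html_attachment:{filename}")
            if DATE_IN_NAME.search(filename):
                findings.append(f"dated_html_attachment:{filename}")
        if ctype not in ("text/plain", "text/html"):
            continue  # binary attachments are not inspected here
        content = part.get_content()
        if ACCESS_KEY.search(content):
            findings.append(f"access_key_prompt:{ctype}")
        if ctype == "text/html":
            parser = LinkCollector()
            parser.feed(content)
            for href, text in parser.links:
                if aws_hosted_zoom_lookalike(href, text):
                    findings.append(f"aws_zoom_lookalike_link:{href}")
    return list(dict.fromkeys(findings))


# Constructed sample messages: every address, name, key value and URL below is made up.
def build_phishing_sample():
    msg = EmailMessage()
    msg["From"] = "voicemail@zoom-notifications.example"
    msg["To"] = "user@example.org"
    msg["Subject"] = "New voice message"
    msg.set_content("You have a new voice message. Access Key: 482913")
    msg.add_alternative(
        "<html><body><p>Your Access Key: <b>482913</b></p>\n"
        "<p>Open the attached file to listen.</p></body></html>",
        subtype="html",
    )
    # Dated HTML attachment whose download link sits on an S3-style host but says "zoom".
    msg.add_attachment(
        "<html><body><p>Access Key: 482913</p>\n"
        '<a href="https://example-bucket.s3.amazonaws.com/zoom/download">Download</a>\n'
        "</body></html>",
        subtype="html",
        filename="voice-message-2024-03-12.html",
    )
    return msg.as_string()


def build_benign_sample():
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's call are attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="notes-2024-03-12.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("phishing", build_phishing_sample()), ("benign", build_benign_sample())):
        print(label, scan_message(raw))
```

The branding switch from Zoom to a Microsoft login page only appears after the downloaded file runs, so it is not something a mail-time scan can see; that indicator belongs in proxy or endpoint telemetry rather than here.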
Read more: https://cofense.com/blog/access-key-used-in-voice-messaged-phishing/