Researchers on Thursday disclosed a phishing scam on a major North American online brokerage company in which a victim starts off on a legitimate Zoom session only to wind up getting their Microsoft credentials stolen after landing on a fake Microsoft Outlook log-in screen.
In a blog post, Armorblox researchers said the email attack bypassed the native Microsoft email security controls because Microsoft determined that they were from a safe sender to a safe recipient, or were from an email source server on the IP Allow List.
The researchers added that the email attacks replicated workflows that most people use every day. Most office workers use Zoom all the time, so it’s part of their normal routine to click on “Start Meeting” — especially since the emails from Zoom are all similar in nature and most users are accustomed to them.
“Phishing campaigns are typically focused on obfuscating or misrepresenting information to get users to click into and give out their credentials," said Lauryn Cash, product marketing manager at Armorblox. “We have seen similar tactics where one SaaS service is misrepresented and redirected to fake single sign-on services, such as Microsoft’s or Okta’s log-in pages.”
Hank Schless, senior manager, security solutions at Lookout, said social engineering has become one of the biggest challenges that IT and security teams confront. While it’s not a new challenge, as the threat actors behind these campaigns become more adept, Schless said it becomes more difficult to identify and protect against their malicious goals. The threat actors know that social engineering has become the most effective on personal channels such as social media, third party messaging apps, and even dating apps. Organizations that let employees use their own smartphones and tablets for work in a bring-your-own-device (BYOD) scenario are at even greater risk, Schless said, as employees have both personal and work apps on those devices.
“The social engineering problem will never go away and attackers will always have a myriad of contextual triggers to use as lures,” Schless said. “More recently, attackers have been using fake links to commonly used platforms as the contextual hook for their phishing campaigns. In the age of hybrid work, we’ve been conditioned to automatically click into any link from Zoom, Google Docs, and Microsoft Office. Attackers know this and use the inherent trust we have in seeing those names against us.”