Abuse of Zoom Docs & Events in Latest Phishing Campaign


A sophisticated phishing campaign is actively exploiting Zoom’s legitimate infrastructure, specifically Zoom Events, to launch both credential-harvesting and malware-distribution attacks. The phishing emails originate from noreply-zoomevents[@]zoom[.]us and carry fully authenticated email headers (SPF, DKIM, DMARC), thereby bypassing traditional email security filters. Victims are tricked into opening a malicious Zoom-hosted link that redirects them either to a fake login portal or to a download of a renamed ScreenConnect binary.

Severity Level: High

Threat Overview

  1. Initial Discovery: Recon SOC noticed a spike in phishing emails impersonating Zoom Events invitations.
  2. Technique Used – ChainLink Phishing: A method where users are led through multiple legitimate-looking domains and CAPTCHAs before reaching the final malicious payload or phishing site.
  3. Redirection Chain:
    • Initial Link – Zoom Hosted (docs.zoom.us/doc/)
      • Victims receive an email from a legitimate Zoom domain (noreply-zoomevents[@]zoom[.]us) containing a link to hxxps[:]//docs.zoom[.]us/doc/. The emails urge victims to view a document or download a desktop app.
      • This URL is typically associated with Zoom documentation but is being abused to add credibility and bypass URL filters.
    • Fake CAPTCHA Verification Page
      • Users are redirected to a CAPTCHA-style page, simulating a security check (e.g., “Verify You’re Not a Robot”).
      • This page is not hosted by Zoom and serves two purposes:
        • Obfuscate the true destination.
        • Add legitimacy and delay automated scanning tools.
    • Final Malicious Destination (Branching)
      • Branch A – Credential Theft (AitM):
        • Users are redirected to a Microsoft login phishing page (Adversary-in-the-Middle setup).
        • Page captures both credentials and session cookies (bypassing MFA) by proxying the legitimate Microsoft login in real-time.
      • Branch B – Malware Delivery:
        • Instead of a login form, the victim is served a malicious file download, typically disguised as a Zoom-related app or document.
        • The payload is a renamed variant of ScreenConnect remote access tool (e.g., Zoom_Viewer.exe).
        • Once executed, it provides persistent remote access to the attacker.

Recommendations

  1. Educate users to verify “Zoom Events” invites through known-good channels (e.g., internal calendar vs. email invite) and not to click on links or download files from unexpected “Zoom Events” emails.
  2. Restrict installation of remote access tools (like ScreenConnect) via application allowlisting.
  3. Flag emails from noreply-zoomevents[@]zoom[.]us containing links to docs.zoom[.]us/doc/ combined with urgent CTAs such as “View File” or “Download App”.
  4. Detect ChainLink redirection patterns: docs.zoom[.]us/doc/ → CAPTCHA → login page or file download.
  5. Alert on ScreenConnect.exe or renamed variants executed from %Downloads%, and on Outlook or a browser spawning the ScreenConnect installer or unrecognized binaries.
  6. Enforce MFA on Microsoft 365 and cloud apps to limit credential abuse from AitM phishing.
  7. Audit for OAuth grants or unusual login activity post-phish-click events.
  8. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/a435fc31ad16fe35fc7f346edfc25fef9c81f1543b299ff3cecb4a418234b5cb/iocs
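As an added example (not code from the advisory or from Recon SOC), the following Python turns recommendations 3 and 5 into detection logic run over constructed mail-gateway and Sysmon-style process events; the field names, the mail-client/browser list, the child-process allowlist and the PE metadata strings are assumptions to adapt to your own telemetry.

```python
import re

# Field names, parent-process list, allowlist, PE metadata strings and the sample
# telemetry below are assumptions/constructed; adapt them to your gateway and EDR schema.
ZOOM_SENDER = "noreply-zoomevents@zoom.us"
ZOOM_DOC_LINK = re.compile(r"https?://docs\.zoom\.us/doc/", re.I)
URGENT_CTA = re.compile(r"\b(view file|download app)\b", re.I)
MAIL_AND_BROWSERS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
KNOWN_GOOD_CHILDREN = {"acrord32.exe", "winword.exe", "excel.exe"}  # assumed allowlist
DOWNLOADS_DIR = re.compile(r"\\Downloads\\", re.I)

def flag_email(msg):
    """Recommendation 3: Zoom Events sender + docs.zoom.us/doc/ link + urgent CTA."""
    return (msg["from"].lower() == ZOOM_SENDER
            and bool(ZOOM_DOC_LINK.search(msg["body"]))
            and bool(URGENT_CTA.search(msg["body"])))

def flag_process(ev):
    """Recommendation 5; the PE metadata check catches renamed clients such as Zoom_Viewer.exe."""
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    meta = (ev.get("original_file_name", "") + " " + ev.get("description", "")).lower()
    is_screenconnect = "screenconnect" in image or "screenconnect" in meta
    from_downloads = bool(DOWNLOADS_DIR.search(ev["image"]))
    if is_screenconnect and from_downloads:
        return "screenconnect_from_downloads"
    if parent in MAIL_AND_BROWSERS and (
            is_screenconnect or (from_downloads and image not in KNOWN_GOOD_CHILDREN)):
        return "mail_or_browser_spawned_binary"
    return None

SAMPLE_EMAILS = [  # constructed
    {"from": "noreply-zoomevents@zoom.us",
     "body": "A document was shared with you. View File: https://docs.zoom.us/doc/ABC123"},
    {"from": "noreply-zoomevents@zoom.us",
     "body": "Your webinar starts tomorrow at 10:00. Join: https://zoom.us/j/1234567890"},
]
SAMPLE_PROCESSES = [  # constructed, Sysmon-style fields
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Users\alice\Downloads\Zoom_Viewer.exe",
     "original_file_name": "ScreenConnect.ClientSetup.exe", "description": "ScreenConnect Client"},
    {"parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Users\alice\Downloads\invoice.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Zoom\bin\Zoom.exe", "original_file_name": "Zoom.exe"},
]

def run_detections():
    # Indices of flagged emails and the verdict for each process event.
    return {"emails": [i for i, m in enumerate(SAMPLE_EMAILS) if flag_email(m)],
            "processes": [flag_process(e) for e in SAMPLE_PROCESSES]}
```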

MITRE ATT&CK

Tactic             | Technique                                 | ID        | Details
-------------------|-------------------------------------------|-----------|--------
Initial Access     | Phishing: Spearphishing Link              | T1566.002 | Malicious emails sent via legitimate noreply-zoomevents@zoom.us, encouraging users to click links.
Initial Access     | Valid Accounts                            | T1078     | Attackers likely used compromised Zoom accounts to send emails from legitimate domains.
Execution          | User Execution: Malicious File            | T1204.002 | Victims are tricked into downloading a renamed ScreenConnect.exe file and executing it.
Execution          | User Execution: Malicious Link            | T1204.001 | Users click on phishing links directing to AitM credential sites via trusted docs.zoom.us.
Credential Access  | Adversary-in-the-Middle                   | T1557.002 | AitM phishing page collects Microsoft login credentials.
Command & Control  | Remote Access Software                    | T1219     | ScreenConnect used to establish unauthorized remote access.
Defense Evasion    | Signed Binary Proxy Execution             | T1218     | Malicious payload disguised and delivered via signed Zoom infrastructure.
Defense Evasion    | Impair Defenses: Email Filter Bypass      | T1562.008 | SPF/DKIM/DMARC-passed emails bypassed most email protection systems.
Persistence        | External Remote Services                  | T1133     | Persistence through ScreenConnect’s remote access capabilities.

Source:

  • https://blog.reconinfosec.com/zoom-events-phishing


Ampcus Cyber