Rewterz Threat Alert – Zoom Phish Sent Via Constant Contact Mailer

Severity

Medium

Analysis Summary

Researchers have published their analysis of a recent Zoom-themed phishing campaign. Zoom themes have been widely used in phishing campaigns since the software's adoption surged during the pandemic. The body of the phishing email claims the recipient's Zoom account has been suspended and requires verification. What sets this campaign apart from other Zoom phishing campaigns is its use of the legitimate Constant Contact mailing service to get past email defenses: a Constant Contact customer account appears to have been compromised and then used by the attackers to send the phishing emails, so the messages originate from Constant Contact's own sending infrastructure and carry its click-tracking links. If a user clicks the link in the email, they are redirected through a series of URLs beginning with a Constant Contact tracking URL (r20.rs6.net/tn.jsp). The final landing page is a copy of the Microsoft Outlook login page. Any credentials entered there are exfiltrated to the attacker. Note that the campaign asks for Microsoft credentials under a Zoom pretext, and that the first hop is on a domain shared with legitimate Constant Contact mail, so it must be matched on the full tracking URL rather than on the domain.

[Figure: fig1-2.jpg]

Impact

  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

URL

  • hXXp[:]//r20[.]rs6[.]net/tn[.]jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdzSawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6TrsPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXayT3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B
  • hXXps[:]//sankamilan[.]com//httpd/
  • hXXps[:]//fueamgm[.]com[.]br/httd/
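The following is an added example, not part of the Rewterz alert: it refangs the IOCs listed above, hunts for them in constructed proxy-log lines, and walks the redirect chain offline to flag a Constant Contact-tracked click that ends on a look-alike login form. The log format, the hop order between the two landing hosts, the stand-in HTML for the cloned Outlook page and the list of genuine Microsoft sign-in hosts are all assumptions for the demo. Because r20.rs6.net is shared with legitimate Constant Contact mail, the tracking IOC is matched on its full URL (path plus query), while the landing-page IOCs are matched on host plus path.

```python
"""
Added example for the alert above (not Rewterz code): refang the listed IOCs, hunt
for them in constructed proxy-log lines, and walk a redirect chain offline to spot
a Constant Contact-tracked click that lands on a look-alike login form.
"""
import re
from urllib.parse import urlparse

# IOCs copied from the alert, in the defanged form in which they were published.
IOCS = [
    "hXXp[:]//r20[.]rs6[.]net/tn[.]jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdzSawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6TrsPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXayT3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B",
    "hXXps[:]//sankamilan[.]com//httpd/",
    "hXXps[:]//fueamgm[.]com[.]br/httd/",
]

# Constant Contact's click-tracking domain is shared with legitimate mail, so it is
# matched on the full tracking URL (path + query), never on the hostname alone.
SHARED_TRACKING_HOSTS = {"r20.rs6.net"}
# Hosts where a genuine Microsoft sign-in page lives (assumption for this demo).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                         "outlook.live.com", "outlook.office.com"}


def refang(s):
    """Turn the alert's defanged notation back into a real URL."""
    return s.replace("hXXp", "http").replace("[:]", ":").replace("[.]", ".")


def defang(s):
    """Defang a URL for safe reporting (same notation the alert uses)."""
    return re.sub(r"^http", "hXXp", s).replace(":", "[:]", 1).replace(".", "[.]")


def match_key(url):
    """Normalise a URL for IOC matching; scheme is ignored because the alert lists the
    tracking link as http while proxy logs may record https."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in SHARED_TRACKING_HOSTS:
        return (host, p.path, p.query)
    return (host, p.path)


# Assumed proxy log layout: "<timestamp> <user> <status> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<status>\d{3}) (?P<url>\S+)$")


def hunt(log_lines, iocs=IOCS):
    """Return (timestamp, user, defanged url) for every log line that hits an IOC."""
    keys = {match_key(refang(i)) for i in iocs}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and match_key(m["url"]) in keys:
            hits.append((m["ts"], m["user"], defang(m["url"])))
    return hits


def walk_redirects(start, fetch, max_hops=10):
    """Follow Location headers using fetch(url) -> (next_url_or_None, body).
    Stops at the landing page, on a redirect loop, or at max_hops.
    Returns (chain_of_urls, body_of_last_fetched_page)."""
    chain, seen, body = [start], {start}, ""
    for _ in range(max_hops):
        nxt, body = fetch(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain, body


PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)


def flag_chain(chain, body):
    """True when a tracking-link click ends on a password form hosted outside
    Microsoft's sign-in domains: the shape of the campaign in the alert."""
    first = (urlparse(chain[0]).hostname or "").lower()
    last = (urlparse(chain[-1]).hostname or "").lower()
    return (first in SHARED_TRACKING_HOSTS
            and last not in MICROSOFT_LOGIN_HOSTS
            and PASSWORD_FIELD.search(body) is not None)


# Constructed fixtures: hop order between the two landing hosts is assumed, and the
# final HTML is a stand-in for the cloned Outlook login page described in the alert.
TRACKING_URL = refang(IOCS[0])
FAKE_OUTLOOK = ('<html><title>Outlook</title>'
                '<form><input type="password" name="passwd"></form></html>')
REDIRECTS = {
    TRACKING_URL: ("https://sankamilan.com//httpd/", ""),
    "https://sankamilan.com//httpd/": ("https://fueamgm.com.br/httd/", ""),
    "https://fueamgm.com.br/httd/": (None, FAKE_OUTLOOK),
}


def offline_fetch(url):
    """Stand-in for an HTTP client: answers from the constructed redirect map."""
    return REDIRECTS.get(url, (None, ""))


# Constructed log lines: alice clicked the phish, bob clicked a legitimate newsletter
# that also goes through r20.rs6.net, carol signed in to the real Microsoft page.
SAMPLE_LOG = [
    "2021-01-27T09:12:41Z alice 302 " + TRACKING_URL,
    "2021-01-27T09:12:43Z alice 200 https://sankamilan.com//httpd/",
    "2021-01-27T09:15:02Z bob 302 https://r20.rs6.net/tn.jsp?f=001NEWSLETTER&c=legit",
    "2021-01-27T10:01:10Z carol 200 https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("IOC hit:", *hit)
    chain, body = walk_redirects(TRACKING_URL, offline_fetch)
    print("chain:", " -> ".join(defang(u) for u in chain))
    print("credential phish:", flag_chain(chain, body))
```

Only alice's two requests are reported; bob's click on a different tracking token through the same r20.rs6.net host is not, which is the behaviour you want before blocking anything on that domain. In a real deployment, `offline_fetch` would be replaced with a sandboxed HTTP client that does not follow redirects automatically, so that each hop is recorded.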

Remediation

  • Block the threat indicators at your respective controls. Block the two landing-page URLs by host; block the Constant Contact link only by its full tracking URL, since r20.rs6.net is a shared click-tracking domain and blocking it outright will also break legitimate Constant Contact mail.
  • Search for the IOCs in proxy, DNS and email gateway logs, matching the tracking link on its full path and query rather than on the domain.
  • Reset the passwords of any users who reached the landing page, and review their mailbox rules and recent sign-ins, since this is a credential-theft campaign.
  • Always be suspicious of emails from unknown senders, and of any "account suspended" notice that leads to a login page on a domain you do not recognise.
  • Never click on links or attachments sent by unknown senders.