Attackers Weaponize Zoom Docs to Phish Targets Using Fake Microsoft Portal
A threat actor exploits Zoom Docs to deliver a file with a malicious link that utilizes a Cloudflare Turnstile before redirecting to a phishing page.
Attack Target Summary
- Type: Credential Phishing
- Industry: Financial Services
- Recipient: Portfolio Manager
- Attack Vector: Link-based
- Technique: Legitimate Hosting Infrastructure
Attack Overview
Step 1: Email (Shared Document Sent via Zoom Docs)
- Sent through Zoom Docs' real sharing platform; every element of the email itself is legitimate
- Asks the recipient to review a document purportedly related to proof of payment
- “Open doc” redirects to actual Zoom Docs portal
Step 2: Initial Link Destination (Zoom Docs portal)
- Shared file hosted on Zoom Docs
- File contains link purportedly to view shared document
- “DOWNLOAD FILE” redirects to a Cloudflare Turnstile human-verification challenge
Step 3: Verification (Cloudflare Turnstile)
- Limits automated link crawling and URL analysis features
- Increases appearance of legitimacy
- Completing Cloudflare Turnstile redirects to spoofed Microsoft login portal
Step 4: Final Destination (Spoofed Microsoft Login)
- Phishing page designed to mimic Microsoft login screen
- Any information entered will be stolen by attacker
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Verified Source: Email originated from a domain passing sender authentication checks.
- Legitimate Links: File was hosted on Zoom Docs, a legitimate and trusted service.
- Use of Human Verification Test: Cloudflare Turnstile limits automated URL analysis.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Unknown Sender: Recipient has had no previous correspondence with sender.
- Content Analysis: Content analysis algorithms flag unusual content.
- Suspicious Link Analysis: Abnormal detects suspicious links in the email body.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
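The following is an added example, not Abnormal Security's detection logic or any code from the page. It shows how the three indicators above (unknown sender, payment-themed content, a link on a legitimate document-sharing host) can be scored together with a link-analysis result, and why a passing SPF/DKIM check alone does not clear a message sent through a real sharing platform. The sample email and the recorded redirect chain are constructed to imitate the attack overview; the document id, addresses, the challenge host, the list of abused sharing hosts and the challenge-widget markers are all assumptions.

```python
"""Heuristic scoring of a shared-document phishing email (added example)."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample message imitating the Zoom Docs share notification;
# the document id and mailbox addresses are placeholders.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=docs.zoom.us; dkim=pass header.d=zoom.us
From: Zoom Docs <no-reply@docs.zoom.us>
To: portfolio.manager@example-fund.com
Subject: Proof of payment document shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>A document "Proof of Payment" has been shared with you.</p>
<p><a href="https://docs.zoom.us/doc/PLACEHOLDER-DOC-ID">Open doc</a></p>
</body></html>
"""

# Constructed crawl of the link as a sandbox might record it:
# (url, http_status, body_excerpt). The crawl stops at the challenge page.
SAMPLE_CHAIN = [
    ("https://docs.zoom.us/doc/PLACEHOLDER-DOC-ID", 200,
     '<a href="https://example-challenge.invalid/verify">DOWNLOAD FILE</a>'),
    ("https://example-challenge.invalid/verify", 200,
     '<div class="cf-turnstile" data-sitekey="PLACEHOLDER"></div>'),
]

DOC_SHARING_HOSTS = {"docs.zoom.us"}            # legitimate hosts abused for link hosting (assumed list)
PAYMENT_TERMS = ("proof of payment", "invoice", "remittance")
CHALLENGE_MARKERS = ("cf-turnstile", "challenge-platform")  # human-verification widget markers (assumed)


def parse_auth_results(header):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass'} from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or ""))


def extract_urls(html):
    """Collect href targets from an HTML body."""
    return re.findall(r'href="([^"]+)"', html)


def crawl_blocked_by_challenge(chain):
    """True when any hop of the recorded redirect chain served a verification widget."""
    return any(any(m in excerpt for m in CHALLENGE_MARKERS) for _, _, excerpt in chain)


def score_message(raw, known_senders, chain):
    """Score one message: sender history, lure content, link host and crawl outcome."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    sender = msg["From"].addresses[0].addr_spec
    auth = parse_auth_results(msg["Authentication-Results"])
    hosts = {urlparse(u).hostname for u in extract_urls(body)}
    text = (msg["Subject"] + " " + body).lower()

    indicators = []
    if sender not in known_senders:
        indicators.append("unknown_sender")
    if any(term in text for term in PAYMENT_TERMS):
        indicators.append("payment_lure")
    if hosts & DOC_SHARING_HOSTS:
        indicators.append("doc_sharing_link")
    if crawl_blocked_by_challenge(chain):
        indicators.append("crawl_blocked_by_challenge")

    # Platform-sent mail is expected to pass SPF/DKIM; record the result but
    # never let it override the behavioral indicators.
    auth_pass = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    verdict = "suspicious" if len(indicators) >= 3 else "benign"
    return {"sender": sender, "auth_pass": auth_pass,
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL, known_senders=set(), chain=SAMPLE_CHAIN))
```

The verdict threshold and the fixed keyword list are deliberately simple; in practice the "unknown sender" signal comes from a per-recipient correspondence history, and a crawl that ends at a verification widget is a reason to escalate rather than to mark the link clean.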