In this attack, threat actors targeted a VP of Talent Acquisition with an email designed to look like an invitation to a Zoom meeting. The header and footer links all direct to the expected URLs and only the Start Meeting button contains a malicious destination URL—likely either a phishing page or a malware delivery page. The sender display name appears as expected and it’s only upon viewing the actual sender address that the mismatch is revealed.

Status Bar Dots
UA Fake Zoom Meeting Invite Email

This attack is a good example of how modern threat actors will often keep malicious elements to a minimum in order to reduce potential red flags raised either by the recipient or the security software.

How Does This Attack Bypass Email Defenses?

The attackers used a Gmail account to send the email, which makes it challenging for email defenses to identify the malicious intent. Additionally, the email passed authentication checks for DKIM and DMARC and only triggered a SoftFail message for SPF. This may cause some email security systems to overlook the email as it doesn't meet the criteria for a complete failure.

How Can This Attack Be Detected?

A proactive approach to security, such as behavioral analysis, can stop such attacks that use never-before-seen URLs. Content analysis can also detect the presence of suspicious URLs and requests, triggering an additional layer of scrutiny.

What are the Risks of This Attack?

If the recipient clicked on the provided link, their device could potentially be compromised, putting the organization at risk of data theft or loss. Moreover, if more than one employee falls victim to this attack, the entire organization's security can be compromised, and the attacker can use the access to launch more attacks from the compromised devices.

Analysis Overview




Credential Theft


Spoofed Display Name

See How Abnormal Stops Emerging Attacks

See a Demo