Attack Overview

Step 1: Email

The attack begins with an email impersonating a Zoom invitation, themed around tax season. The message creates urgency and encourages the recipient to click a link to view a fake meeting invitation.

[Screenshot: the Zoom impersonation email]
  • The email poses as a legitimate Zoom invite.
  • It references tax documents to increase urgency.
  • Targets are prompted to click a button labeled “View Invitation.”

Step 2: Fake Zoom Login + Redirect

Clicking the button does not open Zoom. The target is redirected to a spoofed page that mimics Zoom's login interface, and the deception begins there.

[Screenshot: the spoofed Zoom login page]
  • The interface imitates Zoom’s branding and login flow.
  • Users believe they’re signing into a secure meeting.
  • This builds credibility before delivering the actual payload.

Step 3: Download of ScreenConnect

Instead of a real Zoom installer, the target unknowingly downloads ScreenConnect (ConnectWise's remote support and access tool), a legitimate product that, once the agent connects back to a server the attacker controls, gives the attacker interactive remote control of the machine.

[Screenshot: the malicious file download prompt]
  • A malicious .exe file is presented for download.
  • The file is named to resemble a Zoom installer.
  • Once installed, attackers gain remote access capabilities.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The message was sent from a trusted but compromised vendor domain, so SPF, DKIM, and DMARC all passed. Authentication proves the mail left the vendor's infrastructure, not that the vendor intended to send it.
  • The phishing page was hosted on Vercel, a legitimate cloud platform, so the hosting domain carried a clean reputation and was not on any blocklist.
  • The final phishing URL was hidden behind a click-tracking link, so filters that only inspect the visible link saw the tracker's domain rather than the landing page.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral analysis of the sender and message content against the organization's established communication patterns, which flagged both as unusual for this vendor.
  • Link destinations that had not previously appeared in correspondence from the sender.
  • Natural language processing flagged the combination of urgency and a financial (tax) context as characteristic of a themed phishing campaign.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
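To make the two preceding sections concrete, here is an added example (not Abnormal's code, and not a description of its detection engine) that scores a message for the indicators they list: authentication that passes but proves only origin, a brand claimed by a sender that has never used it, a click-tracking link whose unwrapped destination is new for that sender and sits on a free hosting platform, and urgency paired with a tax theme. The sender baseline, the tracker format (target carried in a `url` query parameter), the free-hosting list, the term lists, and the weights are all assumptions; both messages are constructed and use RFC 2606 reserved domains.

```python
# Added example, not Abnormal's code. Baseline, tracker format, term lists
# and weights are assumptions; both messages are constructed.
import re
from email import message_from_string, policy
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: authenticated mail from a compromised vendor domain,
# Zoom branding, tax urgency, and a tracked link to a page on vercel.app.
PHISH_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example.net; dkim=pass header.d=vendor.example.net; dmarc=pass
From: "Zoom" <invites@vendor.example.net>
To: cfo@example.com
Subject: Zoom invitation: urgent review of tax documents before the deadline
Content-Type: text/html; charset="utf-8"

<html><body><p>Your tax documents are ready. Join the meeting to review them before the deadline.</p>
<a href="https://track.vendor.example.net/c?url=https%3A%2F%2Fzoom-invite-login.vercel.app%2Fsignin">View Invitation</a>
</body></html>
"""

# Constructed sample: the same vendor's normal traffic, which must still pass.
BENIGN_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example.net; dkim=pass header.d=vendor.example.net; dmarc=pass
From: "Vendor Billing" <billing@vendor.example.net>
To: ap@example.com
Subject: Invoice 4471 for March services
Content-Type: text/html; charset="utf-8"

<html><body><p>Your monthly invoice is ready for your records. Thank you.</p>
<a href="https://track.vendor.example.net/c?url=https%3A%2F%2Fvendor.example.net%2Finvoices%2F4471">View invoice</a>
</body></html>
"""

# Assumed baseline: brands and link destinations seen from this vendor before.
# The tracker domain is familiar, which is why the tracked link alone looks fine.
SENDER_BASELINE = {
    "vendor.example.net": {
        "brands": {"vendor"},
        "link_domains": {"vendor.example.net", "track.vendor.example.net"},
    }
}
BRAND_TERMS = {"zoom"}
URGENCY_TERMS = {"urgent", "immediately", "deadline", "before", "expires"}
FINANCIAL_TERMS = {"tax", "irs", "w-2", "1099", "refund"}
FREE_HOSTING = {"vercel.app", "netlify.app", "github.io", "web.app"}  # assumed list
TRACKER_PARAMS = ("url", "u", "target", "redirect")  # assumed tracker formats
BLOCK_THRESHOLD = 5


def unwrap_tracking_link(url):
    """Return the destination embedded in a click-tracking link, or the URL itself.
    Handles trackers that carry the target in a query parameter; a tracker that
    resolves server-side would have to be followed in a sandbox instead."""
    qs = parse_qs(urlparse(url).query)
    for key in TRACKER_PARAMS:
        if key in qs:
            return unquote(qs[key][0])
    return url


def registrable_domain(host):
    # Last two labels only; a production check would use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass. A compromised vendor
    tenant passes all three, so this is context for the score, not a verdict."""
    results = msg.get("Authentication-Results", "")
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def score_message(raw, baseline=SENDER_BASELINE):
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    subject = str(msg["Subject"]).lower()
    history = baseline.get(sender_domain, {"brands": set(), "link_domains": set()})
    html = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    words = set(re.findall(r"[a-z0-9\-]+", text))
    indicators = {}

    # 1. A brand claimed in the display name or subject that this domain never sends as.
    claimed = {b for b in BRAND_TERMS if b in sender.display_name.lower() or b in subject}
    if claimed and not claimed & history["brands"] and not any(b in sender_domain for b in claimed):
        indicators["brand_mismatch"] = 3

    # 2./3. Unwrap every tracked link and judge the real destination, not the tracker.
    finals = [unwrap_tracking_link(u) for u in re.findall(r'href="([^"]+)"', html)]
    for final in finals:
        host = urlparse(final).hostname or ""
        if host not in history["link_domains"]:
            indicators["unseen_link_domain"] = 2
        if registrable_domain(host) in FREE_HOSTING and any(b in host for b in BRAND_TERMS):
            indicators["hosted_brand_lookalike"] = 3

    # 4. Urgency and a financial theme in the same message.
    if words & URGENCY_TERMS and words & FINANCIAL_TERMS:
        indicators["urgent_financial_theme"] = 2

    score = sum(indicators.values())
    return {
        "sender_domain": sender_domain,
        "authenticated": auth_passed(msg),
        "final_urls": finals,
        "indicators": indicators,
        "score": score,
        "verdict": "block" if score >= BLOCK_THRESHOLD else "allow",
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = score_message(raw)
        print(label, result["verdict"], result["score"], sorted(result["indicators"]))
```

Both messages authenticate cleanly and both link through the vendor's own click tracker, so a gateway that stops at the authentication result or the visible link domain treats them identically. The difference only appears after unwrapping the link and comparing the brand, destination, and theme against what this sender has historically done, which is the behavioral comparison the section above describes.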

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Payload-based

Goal: Malware Delivery

Tactic: Branded Phishing Page; Legitimate Hosting Infrastructure; Fake Website

Theme: Tax Matter; Fake Invitation

Impersonated Party: External Party - Other
