In this phishing attack, cybercriminals send a fake meeting invitation from a spoofed email address that impersonates Zoom. The attacker sets the display name to “sharedcal” so that the real sender address is pushed out of view, puts the name of the target’s company in the subject line, and drops a mimicked Zoom logo into the email body to make the message look legitimate. The email claims to be an audio meeting invitation and contains a "Review Invitation" link, prompting the recipient to click and confirm the meeting details. Anyone who clicks the button is redirected to a spoofed Microsoft OneDrive login page that displays their company’s logo and a Cloudflare CAPTCHA, both of which make the prompt look authentic. Any credentials entered into the fake login portal go straight to the attacker.

Older, legacy email security tools struggle to identify this email as an attack: it is sent from a spoofed address, its link points through a legitimate scheduling service rather than a known-bad domain, and it carries no attachment to scan. Modern, AI-powered email security solutions flag that the sender has never communicated with the recipient, follow the link to a suspicious destination domain, and notice that the Reply-To address does not match the From address, which together identify the email as an attack.


Phishing attack posing as a Zoom invitation


Malicious link leads to this fake login portal to steal user credentials


Attack utilizes recognizable security prompts to trick targets into believing the invitation is legitimate

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker sends from a legitimate-sounding address hidden behind the “sharedcal” display name. Basic sender checks only establish that the sending domain authorized the message, not that the brand shown in the email is the real sender, so the spoofed address passes and lends perceived authenticity.
  • Legitimate Link: The link redirects through a calendar scheduling website, so the URL the recipient sees belongs to a legitimate service and passes basic link reputation checks; the malicious destination is only reached after the redirect.
  • Absence of Malicious Attachments: The email carries no attachment, which antivirus engines flag readily, and relies on the link alone to deliver the credential-harvesting page.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The sender has never communicated with the recipient. Abnormal’s platform maintains a communication history for each recipient and quickly flags deviations from established sender-recipient interaction patterns.
  • Suspicious Link Analysis: Links leading to suspicious domains trigger deeper analysis of the destination for possible malicious intent.
  • Spoofed Reply-To Address: The email's "Reply-To" address differs from the From address, a mismatch that indicates possible spoofing and raises a red flag.

By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
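The bypass and detection points above come down to a handful of header and link checks that can be shown in code. The following Python script is an added example written for this page, not Abnormal Security's detection logic. It parses a constructed lure that mirrors the one described (a “sharedcal” display name on a lookalike sending domain, a Reply-To that does not match the From address, and a “Review Invitation” link that bounces through a scheduling site to a fake login page) and a constructed benign message for contrast. The domains, the communication history in `KNOWN_SENDER_DOMAINS`, and the `BRAND_DOMAINS` list for Zoom are all assumptions made for the example.

```python
"""Header and link heuristics for a brand-impersonation lure like the Zoom invitation above.

Added example; not Abnormal Security's detection logic. The sample messages,
domains and communication history are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlparse

# Constructed lure: display name "sharedcal", lookalike sending domain, mismatched
# Reply-To, and a "Review Invitation" link that bounces through a scheduling site
# to a fake OneDrive login. Every domain here is a placeholder.
LURE_EMAIL = """\
From: sharedcal <invite@zoom-invites.example>
Reply-To: replies@calendar-drop.example
To: jane.doe@acme.example
Subject: Acme Corp - Audio meeting invitation
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=zoom-invites.example; dmarc=pass header.from=zoom-invites.example
Content-Type: text/html; charset="utf-8"

<html><body><p>You have been invited to an audio meeting.</p>
<a href="https://scheduler.example/r/abc123?to=https%3A%2F%2Flogin-onedrive.example%2Fauth">Review Invitation</a>
</body></html>
"""

# Constructed benign message from a colleague, for contrast.
BENIGN_EMAIL = """\
From: Bob Smith <bob.smith@acme.example>
To: jane.doe@acme.example
Subject: Sync tomorrow
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://acme.example/calendar/sync">Calendar entry</a></body></html>
"""

# Domains this recipient has previously exchanged mail with (constructed history).
KNOWN_SENDER_DOMAINS = {"acme.example", "partner.example"}
# Domains the impersonated brand is assumed to send from (assumption for the example).
BRAND_DOMAINS = {"zoom": {"zoom.us", "zoom.com"}}


def registered_domain(host):
    """Crude eTLD+1 (last two labels). A production system would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_targets(url):
    """Hosts a link can land on: the visible host plus any URL carried in a query parameter."""
    parsed = urlparse(url)
    hosts = [parsed.hostname] if parsed.hostname else []
    for _, value in parse_qsl(parsed.query):
        inner = urlparse(value)  # parse_qsl has already percent-decoded the value
        if inner.scheme in ("http", "https") and inner.hostname:
            hosts.append(inner.hostname)
    return hosts


def analyze(raw, claimed_brand=None, known_domains=KNOWN_SENDER_DOMAINS):
    """Return a list of (code, detail) findings; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    brand_domains = BRAND_DOMAINS.get(claimed_brand, set())

    # SPF/DKIM/DMARC passing only proves the sending domain authorized the message;
    # it says nothing about whether that domain belongs to the brand being claimed.
    auth = str(msg.get("Authentication-Results", ""))
    if claimed_brand and "dmarc=pass" in auth and registered_domain(from_domain) not in brand_domains:
        findings.append(("brand_mismatch", f"{from_domain} authenticates but is not a {claimed_brand} domain"))

    # Unknown sender: no prior sender-recipient history for this domain.
    if registered_domain(from_domain) not in known_domains:
        findings.append(("unknown_sender", f"no prior mail from {from_domain}"))

    # Reply-To pointing somewhere other than the From domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(("reply_to_mismatch", f"Reply-To {reply_domain} differs from From {from_domain}"))

    # Links: judge both the visible host and any redirect target hidden in the query string.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    trusted = brand_domains if claimed_brand else known_domains
    for url in re.findall(r'href="([^"]+)"', body):
        for host in link_targets(url):
            if registered_domain(host) not in trusted:
                findings.append(("suspicious_link", f"{host} is outside the expected domains"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(LURE_EMAIL, claimed_brand="zoom"):
        print(f"{code:18} {detail}")
    print("benign findings:", analyze(BENIGN_EMAIL))
```

Running the script against the lure produces five findings (the authenticated-but-wrong-brand sender, the unknown sender, the Reply-To mismatch, and one suspicious link finding each for the scheduling host and the redirect target buried in its query string), while the benign message produces none. The point of `link_targets` is the second bullet under “How Does This Attack Bypass Email Defenses?”: a reputation check that looks only at the visible scheduling domain sees a legitimate site, so the destination the redirect leads to has to be examined as well.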

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Masked Phishing Link; Branded Phishing Page; Mismatched Reply-To Address
Theme: Fake Invitation
Impersonated Party: Brand
Impersonated Brands: Zoom
