The Recon SOC recently identified a significant uptick in phishing campaigns that exploit the legitimate infrastructure of Zoom Events.
These phishing attempts originate from noreply-zoomevents@zoom.us and bypass numerous email security filters. Because the messages are genuinely sent by Zoom Events, they pass SPF, DKIM and DMARC authentication (DKIM supplying a valid cryptographic signature), making it exceedingly difficult for users to identify them as phishing.
Headers from an example email we’ve observed show the following authentication information:
“Pass (protection.outlook.com: domain of bounce-sg.zoom.us designates 159.183.192.104 as permitted sender); helo=o26.sg.zoom.us; pr=C”
“spf=pass (sender IP is 159.183.192.104) smtp.mailfrom=bounce-sg.zoom.us; dkim=pass (signature was verified) header.d=zoom.us;dmarc=pass action=none header.from=zoom.us;compauth=pass reason=100”
We have observed both credential phishing and malicious desktop applications, urging users to “View file” and “Download Desktop App Now”. In all cases, there was an initial link to hxxps://docs.zoom.us/doc/. From there, users were either redirected to an AitM credential phishing site, or a malicious ScreenConnect[.]exe download. 
AitM phishing that abuses hxxps://docs.zoom.us/doc/ is not an entirely new technique. However, unlike previously reported campaigns, this latest threat also abuses Zoom Events.
The credential phishing emails use ChainLink Phishing: the email asks users to open a link to a document or file, which leads to hxxps://docs.zoom.us/doc/; that page directs them to click another link, which displays a fake verification request (CAPTCHA); finally an AitM Microsoft login page prompts them to enter their credentials.
[Figure: Example malicious email]
[Figure: Sample hxxps[://]docs[.]zoom[.]us/doc/ page]
[Figure: Fake verification page]
[Figure: Phishing landing page]
The malicious download phishing emails use the same ChainLink Phishing approach: the email asks users to open a link to a document or file, which leads to hxxps://docs.zoom.us/doc/ and from there to a malicious download. The same email appears to be sent to multiple users across different organizations, all with the same docs.zoom.us link.
At one point during our investigation of a newly received email, we found several users accessing the shared Zoom doc at the same time.
[Figure: Example malicious email]
[Figure: hxxps://docs.zoom.us/doc/ page]
This sample is even more concerning, as it downloads a malware payload, which we've identified as a renamed ScreenConnect binary.
[Figure: App Protection warning on the fake ScreenConnect binary]
We found other recently uploaded samples on ANY.RUN with similar file names and similar docs.zoom.us links, most likely attributable to this same campaign.
Customers protected by Sublime and Recon's Advanced Email Protection (AEP) offering will find these messages automatically quarantined. Recon's engineers started crafting the necessary detection rules to identify these threats within hours of their initial discovery.
[Figure: Sublime MQL detection logic]
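The rule shown in that screenshot is Recon's Sublime MQL and is not reproduced here. As an added illustration of the same detection idea (not Recon's rule and not Sublime code), the following Python triage script parses the Authentication-Results header quoted above, confirms that SPF/DKIM/DMARC all pass, and then keys the verdict on message content instead of authentication: a Zoom Events sender, a docs.zoom.us/doc/ link and one of the lure phrases ("View file", "Download Desktop App Now") seen in the campaign. The two sample messages are constructed for this example; the Authentication-Results value is the one quoted in the advisory, while the From/Subject/body text and the docs.zoom.us document ID are invented placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (not real captures). AUTH_RESULTS is the header
# value quoted in the advisory; all other header and body text is invented for
# illustration, and the docs.zoom.us document ID is a placeholder.
AUTH_RESULTS = ("spf=pass (sender IP is 159.183.192.104) smtp.mailfrom=bounce-sg.zoom.us; "
                "dkim=pass (signature was verified) header.d=zoom.us;"
                "dmarc=pass action=none header.from=zoom.us;compauth=pass reason=100")

SAMPLE_PHISH = f"""From: Zoom Events <noreply-zoomevents@zoom.us>
To: user@example.org
Subject: A document was shared with you
Authentication-Results: {AUTH_RESULTS}
Content-Type: text/html

<p>A file is waiting for you.</p>
<a href="https://docs.zoom.us/doc/PLACEHOLDER-DOC-ID">View file</a>
"""

SAMPLE_BENIGN = f"""From: Zoom Events <noreply-zoomevents@zoom.us>
To: user@example.org
Subject: Your event registration is confirmed
Authentication-Results: {AUTH_RESULTS}
Content-Type: text/html

<p>Thanks for registering. Join from your Zoom client at the scheduled time.</p>
"""

# Lure wording observed in the campaign and the abused Zoom Events sender.
LURE_PHRASES = ("view file", "download desktop app")
ZOOM_SENDER = "noreply-zoomevents@zoom.us"


def parse_auth_results(header):
    """Pull the per-mechanism verdicts and identifiers out of Authentication-Results."""
    result = {}
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header):
        result[mech] = verdict
    for key in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(re.escape(key) + r"=([^\s;]+)", header)
        if m:
            result[key] = m.group(1)
    return result


def extract_links(body):
    """Return href targets and bare URLs found in an HTML or text body."""
    links = re.findall(r"""href=["']([^"']+)["']""", body, flags=re.I)
    links += re.findall(r"https?://[^\s\"'<>]+", body)
    return sorted(set(links))


def zoom_doc_links(links):
    """Keep only links that land on a shared document under docs.zoom.us/doc/."""
    out = []
    for url in links:
        parsed = urlparse(url)
        if parsed.hostname == "docs.zoom.us" and parsed.path.startswith("/doc/"):
            out.append(url)
    return out


def assess(raw_message):
    """Triage one RFC 822 message against the pattern described in the advisory."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    sender = msg.get("From", "").lower()
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: concatenate the text parts
        body = "".join(p.get_payload() for p in body if p.get_content_maintype() == "text")
    doc_links = zoom_doc_links(extract_links(body))
    visible_text = re.sub(r"<[^>]+>", " ", body).lower()
    lures = [p for p in LURE_PHRASES if p in visible_text]
    # Authentication passing is recorded but deliberately not used as a signal:
    # these messages really are sent by Zoom, so auth-based filters pass them.
    auth_ok = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    from_zoom_events = ZOOM_SENDER in sender
    return {
        "auth_pass": auth_ok,
        "from_zoom_events": from_zoom_events,
        "zoom_doc_links": doc_links,
        "lures": lures,
        "suspicious": from_zoom_events and bool(doc_links) and bool(lures),
    }


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, assess(raw))
```

The benign sample passes the same SPF/DKIM/DMARC checks and comes from the same sender, which is exactly why a content-based condition (shared-document link plus lure wording) is needed on top of, not instead of, authentication results.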
We submitted a case to Zoom on Thursday evening, alerting them to the fraudulent activity sent from their platform and offering samples. Zoom closed the case, stating that enforcing DMARC prevents this, despite our observation that DMARC passes on these messages. On Friday afternoon we opened another case and submitted samples. It appears that these attackers are leveraging compromised user accounts with access to "Zoom Events Email Builder".
AitM Phishing URLs:
hxxps[://]office[.]regencyoutdor[.]com/JUinaeSo
hxxps[://]od9[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]ffdsjf9[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]call[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]0ffgyedfrvl[.]qkipikpp[.]es/H7mozVCPB@35vHfGN
hxxps[://]foiufl[.]qkipikpp[.]es/H7mozVCPB@35vHfGN
hxxps[://]dnffeerof9[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]rrof9[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]scjool[.]qkipikpp[.]es/H7mozVCPB@35vHfGN
hxxps[://]trtiro[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]79ml2xl73[.]gwzimifoi[.]es/mxci!oD9ymNViz1JTv/
hxxps[://]looil[.]qkipikpp[.]es/H7mozVCPB@35vHfGN
hxxps[://]swiftde[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]truiro[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]sso[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]tuiriro[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]invest[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]pgjonesadr[.]com/js
hxxps[://]yuide[.]qkipikpp[.]es/PFsfkU!WQgMbZ/
hxxps[://]spsol[.]qkipikpp[.]es/H7mozVCPB@35vHfGN
Renamed ScreenConnect malicious payload URL:
hxxps[://]okekeimmigrationlawyer[.]com/js/
Joe Sandbox analysis of the payload: https://www.joesandbox.com/analysis/1719604