Phishing, Other Threats Target Email and Video App Users

Insights and analysis by Paul Christian Pajares

We have seen several threats abusing tools utilized in work from home (WFH) setups. Cybercriminals are using credential phishing sites to trick users into entering their credentials into fake login pages of email and collaboration platforms and videoconferencing apps. Although these threats are not new, the need for better solutions is heightened due to the current experience and landscape.

[Related: The Rising Tide of Credential Phishing]

Here, we analyzed some of the tools that many companies use for WFH arrangements: Outlook on the web (formerly known as Outlook Web Access) and other Office 365 applications such as SharePoint, and videoconferencing apps WebEx and Zoom.

Phishing campaigns using Outlook on the web and Office 365 as lures

Credential phishing using Outlook on the web and Office 365 as bait has hit users in several countries. Data from our Smart Protection Network indicates over 50,000 phishing detections from January 2020 to April 27 of the same year, with the threats affecting users in the United States, Germany, Canada, Taiwan, Japan, Australia, Hong Kong, and other countries.

Figure 1. Phishing detections related to Office365 and Outlook from January to April 2020

Figure 2. Top countries with users encountering phishing attempts related to Office365 and Outlook

Employees commonly use Outlook mailbox in the office but some use the Outlook for the web version when accessing email outside the office. If not careful, they may mistakenly attempt to log in to a phishing page designed to look like Outlook’s login page.

 
Figure 3. Fake login page of Outlook for the web

Many employees are accessing files and collaborating online through Office 365. Sites associated with this are also spoofed and used as phishing campaign lures. The 2019 Cloud App Security Report also found that the number of unique Office 365-related phishing links blocked in 2019 jumped to more than double 2018’s total, according to data from the Trend Micro Smart Protection Network infrastructure. We also found that these threats not only targeted users, but also those who have administrator accounts.

Figure 4. Fake Microsoft login page

Phishing campaigns and other threats using WebEx and Zoom as lure

Threat actors deploy phishing campaigns that use videoconferencing apps such as WebEx and Zoom as bait. Besides phishing, other threats such as adware, cryptocurrency miners and other malware, and fraud also use these apps as lure. Data from the Trend Micro Smart Protection Network revealed an estimated 4,000 detections for threats targeting Zoom and WebEx users from January 2020 to April 27 of the same year. These affected users from Germany, the United States, China, Japan, Taiwan, Hong Kong, Singapore, and other countries.

Figure 5. Threat detections for Zoom and WebEx from January to April 2020

Figure 6. Top countries with users encountering phishing attempts and other threats related to Zoom and WebEx

WFH setups rely on videoconferencing apps for better communication. Cybercriminals take advantage of this by attempting to harvest credentials through phishing pages. Other threats using these apps as bait include malicious domains and fake apps.

Figure 7. Fake pages for logging in and joining a meeting in WebEx

Figure 8. Spoofed login page of Zoom

Threat actors either compromise legitimate sites or create malicious domains to host phishing pages. We traced the IP hosting locations of the sources of these domains and found that the United States has the highest unique IP count, with at 833. Trailing far behind is the Netherlands at 78 and Germany at 44.

Recommendations

Indicators of Compromise

Phishing pages targeting Office365 and Outlook on the web users

• 0utlook-owa.eu-gb.cf[.]appdomain[.]cloud
• alfazos.linkpc[.]net.
• authe1-microsoftmailaccounts[.]ml
• comeliveonvacation[.]com/outlook/
• covid939[.]com
• eronginshop[.]com/owa/
• helpdeskowa[.]at[.]ua
• kitchoan.co[.]th/.owa/
• mailboxfull[.]website
• micosfotsharepoint[.]xyz
• microsharepont[.]cf
• microsharepont[.]tk
• my.sharepoint.lee.elegance[.]bg
• office365[.]it.support[.]emailblox[.]com
• outlook.winmail01[.]cn
• web-outlooks[.]com
• wwedvm[.]appspot[.]com/outlook/

Phishing pages targeting WebEx and Zoom users

• crag-group[.]com/zoom/
• darenthvaley[.]co[.]uk/zoom/index.html
• globalpagee-prod-webex[.]com
• globalpagee-prod-webex[.]com
• global-prod-meetsolutions[.]com
• webexhost[.]191078[.]ru
• zoom-appointment.myftp[.]org

Download sites of fake WebEx and Zoom apps

• d11udsutejoxdq.cloudfront.net/{redacted}/zoom-us-zoom_2544611106.exe
• d36rrippt2k8a8[.]cloudfront[.]net/{redacted}/cisco-webex-meetings[.]exe
• dlnow[.]co/cisco-webex-meetings
• zoom-download[.]com
• zoom-us-zoom[.]dlnow[.]co

Other malicious sites related to WebEx and Zoom

• cccconferzoom[.]com
• ccconferzoom[.]org
• meeting-zoom[.]hopto[.]org
• suppot-webex-cisco[.]com
• videoconferencestore[.]com
• zoomcloud[.]xyz
• zoomeetup[.]com
• zoomvirtualbackgrouns[.]com