A new sophisticated phishing campaign is actively targeting many corporate Zoom application users. It exploits the widespread popularity of Zoom meetings using deceptive fake meeting invitations. These carefully crafted invitations appear to come directly from the users’ trusted colleagues. The attack cleverly uses social engineering tactics to create a false sense of urgency. This prompts unsuspecting victims to quickly click on malicious links embedded in these emails. The phishing emails are designed to closely resemble official Zoom meeting notification messages. They include familiar company branding specific formatting and language requiring immediate user response. This campaign poses a significant security risk to businesses relying heavily on Zoom.
Once a link is clicked users are directed through a deceptive multi-stage sequence. The primary goal of this sequence is to harvest valid Zoom login credentials. Phishing emails often contain very urgent subject lines like “Missed Zoom Call” for example. Or they might use “Urgent Meeting Request” to elicit quick unthinking user responses. This targets busy professionals who are often juggling multiple communications throughout their workday. After clicking victims are then redirected to a convincing replica of a Zoom interface. This fake interface displays what appears to be colleagues already waiting in a video conference. It creates the strong illusion of a legitimate meeting currently in active progress. This tactic adds significant psychological pressure on the victim to join the meeting quickly.
Security researchers from SpiderLabs identified this new and effective phishing campaign just yesterday.
They officially noted its particular effectiveness against users on Monday May 19, 2025. This effectiveness is largely due to the clever implementation of pre-recorded video elements. These dynamic video elements convincingly simulate an actual live Zoom meeting environment for victims. The security team reported this attack represents an evolution in current phishing techniques. It actively uses these dynamic visual elements to help overcome potential user skepticism. The sophisticated infection mechanism carefully follows a meticulously designed five-stage attack process.
This detailed process begins when a victim receives the initial phishing email and clicks.
After the user clicks the link a fake Zoom loading screen is first presented. The page then transitions to display a pre-recorded video showing “participants” in a meeting. This creates a very convincing illusion for the user of a live conference call. Shortly thereafter users will receive a fake system disconnection notification message on their screen. This is then immediately followed by a fraudulent Zoom login prompt designed to capture credentials. The attack infrastructure for this campaign utilizes a number of different registered domains. Initial victim tracking is performed through the use of cirrusinsight.com specific subdomains. The fake Zoom meeting pages themselves are primarily hosted on various r2.dev cloud services. Analysis reveals stolen credentials are transmitted via Telegram API endpoints to the attackers. This method allows real-time data collection while often bypassing existing network security controls.
Reference:
