Zimbra credentials are still a target for phishing operations

August 22, 2023

Researchers uncovered an ongoing phishing campaign that targets Zimbra credentials. Based on reports, the campaign, which started last April, targets the credentials of Zimbra Collaboration software platform users.

Moreover, the attackers use various social engineering lures, such as email server updates, account deactivation, or other issues that concern the users. The operation’s phishing email appears to come from an email server admin and contains an HTML archive that directs a target to a fake Zimbra login page.

In some instances, the threat actors have also utilised previously compromised Zimbra accounts to disseminate more phishing emails. Subsequently, the attackers harvest and exfiltrate the submitted credentials to one of their servers.

The widespread use of the Zimbra Collaboration platform across multiple organisations has allowed the campaign to be successful despite its unsophisticated tactic. Hence, the threat operators have significantly profited from this campaign.

 

The ongoing phishing campaign that targets Zimbra credentials is not picky with its victims.

 

According to investigations, the phishing campaign that harvests Zimbra credentials has attacked small to medium businesses and government entities. The most compromised entities globally came from countries such as Italy, Ecuador, and Poland.

The researchers explained that their investigation showed that phishing heavily depends on social engineering tactics and user engagement. However, the actors have also employed other strategies.

In a similar campaign earlier this year, the advanced persistent threat group Winter Vivern exploited a critical vulnerability that targeted the webmail portals of diplomatic, government, and military entities across European countries.

However, the most recent campaign, which resembles the ongoing phishing attack, differs primarily in its use of an HTML link. The link redirects its targets to a fraudulent Zimbra login page. The attack has been successful so far because the operators attach the fake login webpage link directly in the phishing email.

Cybersecurity experts urge organisations to employ email security solutions since the new phishing campaign heavily relies on phishing emails. Organisations should implement the latest security updates and use published IOCs related to the operations to block indicators at the endpoints and mitigate the chances of compromise.
