four people using Zoom to video call eachother

Spear Phishing attacks use Zoom to steal users’ Microsoft login information

A new spear phishing attack has been discovered by the IT security experts at Armorblox, in which scammers spoof Zoom users to steal their Microsoft Exchange Server login information. The attack managed to get through Microsoft Exchange email security, and more than 21,000 people were targeted.

Millions of businesses all around the world use Microsoft Exchange Server as their mail and calendar server. As a result, cybercriminals find it to be a valuable target.

Phishing attacks run by appearing to be a well-known brand, service, or business, often to trick victims into giving private account information. This is exactly what happened in a recent spear phishing attack that Armorblox, a security company, examined. The attacker scammed Zoom to get Microsoft user login information.

How is the phishing attack performed?

The phishing email had the subject line “For [name of recipient] on Today, 2022” and identified each user’s real name as the receiver. It was sent to more than 21,000 users at a major healthcare company. The email message indicated that the recipient had two messages waiting for their answer and used the Zoom logo and brand name.

Spear Phishing Email
Phishing Email using a Zoom brand (Armorblox)

Users who clicked the primary button were sent to a fake landing page that acted like a Microsoft login page. Before they could access the messages, the victims had to enter their Microsoft account password at the site. To further ensure users of their security, the landing page has already filled the username box with the user’s genuine email address. The attackers would then collect any Microsoft credentials entered on the page.

The first spear phishing attack managed to bypass the standard email authentication checks and thwarted Microsoft Exchange email security controls.

What made the attack more convincing?

This attack used a series of obfuscations to convince unknowing users of its authenticity. In the first step, social engineering is used. The email tries to raise the victim’s interest and sense of urgency by mentioning that two messages are awaiting a response.

Spoofing is the next technique. The strategy takes advantage of trust and familiarity by faking a well-known company like Zoom and using Microsoft as the key for unlock the waiting messages.

The attackers tried everything to get through security protocols by sending the email from a recognised and trustworthy domain. The email was designed in a way that it wouldn’t generate any red flags with email security software.


People often forget to properly read their emails because of the rush of emails that fill their inboxes. Users should take the time to double-check important details, such as the sender’s name, and email address, before responding to an email.

The fact that the email managed to get through Microsoft’s security measures is reason that you need to add more strong and layered technologies to your native email protection. Security Awareness Training helps your users to spot scam emails which will inevitably bypass your security.

It’s best to avoid using the same password over several websites since one compromised account might help attackers in breaking into other accounts that share the same credentials. A strong option is to use a password manager to avoid password reuse while still relying on strong and complicated passwords.

Another great security tip is which hinders attackers logging in using stolen account credentials is to require MFA.    

Help your colleagues spot these phishing emails by starting your Phishing Tackle security awareness training today with our two-week free trial.

Thanks to BreachAware for further raising awareness of this threat.

Recent posts