A sophisticated phishing campaign is currently targeting corporate users by mimicking urgent Zoom meeting invitations from colleagues, according to recent reports from cybersecurity analysts.
The attack leverages convincing social engineering, tricking recipients into believing the messages are genuine and related to high-priority business matters.
The phishing emails, which impersonate colleagues or internal stakeholders, contain links designed to lure recipients to a counterfeit Zoom meeting page.
These landing pages are crafted to closely resemble the authentic Zoom interface, complete with simulated video feeds or images of “participants”, to establish a false sense of legitimacy.
The attackers’ goal is to coax users into entering their corporate login credentials, which are then harvested for malicious purposes.
Attackers Use Realistic Meeting Pages
This campaign makes use of multiple layers of deception. The fake invitation emails are distributed from addresses that appear genuine and reference urgent company matters requiring immediate response.
When users follow the embedded links, they are redirected to a website that not only visually mimics the Zoom meeting environment but also includes convincing behavioral cues, such as a list of “attendees” or looping video feeds, to enhance credibility.
Once the victim enters their details on the fraudulent page, the credentials are quickly exfiltrated to remote servers controlled by the attackers.
Notably, evidence indicates that some harvested credentials are sent straight to an attacker-controlled bot through the Telegram Bot API (api.telegram.org). Because this is a legitimate, widely used service reached over ordinary HTTPS, the exfiltration blends into normal web traffic and does not by itself trip reputation-based blocking, which is why the attackers favour it over a bespoke collection server.
Technical Details and Impact
According to the report, this phishing operation is notable for its attention to detail and its use of psychological manipulation.
By creating a sense of urgency and leveraging trusted communication channels, the attackers increase the likelihood of success.
Organizations are urged to remain vigilant, especially as remote collaboration platforms like Zoom remain integral to daily workflows.
Security experts advise users to exercise extreme caution with unexpected or urgent meeting invitations, especially those that request credential input outside of official Zoom or company single sign-on (SSO) flows.
Verifying meeting details with the purported sender through a separate, trusted communication channel is strongly recommended.
IT departments should remind employees never to reuse passwords across platforms and to enable multi-factor authentication (MFA) wherever possible.
Organizations are encouraged to update their security awareness training to include this emerging threat, and to monitor network and mail-gateway logs for connections to the known malicious indicators of compromise (IOCs) associated with this campaign. Note that the `#targetid=<email>` fragment seen in the phishing URLs is pre-filled with the recipient's address and is never transmitted to the web server, so it shows up in mail-gateway and URL-rewriting logs but not in web proxy logs; match on the host and path instead.
As phishing techniques become more advanced, proactive communication, employee vigilance, and robust technical safeguards remain the best defense.
Organizations should promptly block the listed IOCs and update their incident response protocols accordingly. Two of the indicators sit on shared infrastructure: the first phishing URL appears to be a redirect through a third-party email-tracking service and the second is a public Cloudflare R2 bucket (r2.dev), so block the specific URLs or bucket hostname rather than the parent domains. Likewise, alert on or block requests to the `/bot<token>/sendMessage` path on api.telegram.org rather than the whole Telegram API, unless Telegram has no legitimate use in the environment.
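To make the monitoring advice above concrete, the following is an added example (not code from the report) that scans URL records for the three pieces of tradecraft this campaign combines: Telegram Bot API calls with a bot token in the path, landing pages on public r2.dev buckets, and a victim e-mail carried in the URL fragment. The log layout (timestamp, user, method, URL, status), the hostnames and the bot token are all constructed for the example; the token-masking step is there so analysts do not paste a live bot token into tickets.

```python
"""Flag URL records matching the Zoom-lure campaign's tradecraft.

Added example, not from the report. Runs offline on constructed sample data.
"""
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Telegram bot tokens look like <numeric bot id>:<secret>, used as /bot<token>/<method>.
# Assumption: a 30+ character secret is loose enough to catch current token formats.
TELEGRAM_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def is_zoom_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


def classify_url(url: str) -> dict:
    """Return campaign-related tags for one URL plus a token-masked copy of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags, masked, email = [], url, None

    m = TELEGRAM_PATH_RE.match(parts.path)
    if host == "api.telegram.org" and m:
        _bot_id, secret, method = m.groups()
        tags.append("telegram_bot_api")
        if method in EXFIL_METHODS:
            tags.append("telegram_exfil_method")
        # Keep only a prefix of the secret: the token is a live credential.
        masked = url.replace(secret, secret[:4] + "***")

    if host.endswith(".r2.dev"):
        tags.append("public_r2_bucket")

    if parts.fragment:
        # The fragment is never sent to the server, so this only fires on
        # links as delivered (mail gateway / URL-rewriting logs), not proxy logs.
        email = (parse_qs(parts.fragment).get("targetid") or [None])[0]
        if email is None:
            found = EMAIL_RE.search(parts.fragment)
            email = found.group(0) if found else None
        if email:
            tags.append("victim_email_in_fragment")

    if "zoom" in (host + parts.path.lower()) and not is_zoom_host(host):
        tags.append("zoom_lookalike")

    return {"host": host, "tags": tags, "target_email": email, "masked_url": masked}


def scan_log(text: str) -> list:
    """Parse 'timestamp user method url status' lines (constructed layout) and
    return only the records that carry at least one campaign tag."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, user, method, url = fields[:4]
        info = classify_url(url)
        if info["tags"]:
            hits.append({"ts": ts, "user": user, "method": method, **info})
    return hits


# Constructed sample events mixing proxy and mail-gateway URL records.
SAMPLE_EVENTS = """\
2024-05-02T09:14:03Z jdoe GET https://zoom.us/j/123456789 200
2024-05-02T09:15:11Z jdoe GET https://pub-0123456789abcdef0123456789abcdef.r2.dev/meeting.htm?utm_source=ppc#targetid=jdoe@example.com 200
2024-05-02T09:15:42Z jdoe POST https://api.telegram.org/bot1234567890:AAExampleTokenDoNotUse0000000000000/sendMessage 200
2024-05-02T09:16:00Z asmith GET https://api.telegram.org/bot1234567890:AAExampleTokenDoNotUse0000000000000/getMe 200
2024-05-02T09:17:30Z asmith GET https://zoom-meeting-join.example.net/start 200
2024-05-02T09:18:02Z asmith GET https://www.example.com/ 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_EVENTS):
        print(hit["ts"], hit["user"], ",".join(hit["tags"]), hit["masked_url"])
```

The `getMe` call is tagged but not as exfiltration, which is the distinction an analyst wants when Telegram is otherwise permitted: a `sendMessage` from a workstation shortly after a visit to an r2.dev "meeting" page is the sequence described in this campaign.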
Indicators of Compromise (IOCs)
| IOC Type | Value |
|---|---|
| Phishing URL | hxxps://tracking[.]cirrusinsight[.]com/e39ee0e9-c6e2-4294-8151-db8d9e454e24/one-ebext-in-openurl#targetid=john[.]doe@company[.]com |
| Phishing URL | hxxps://pub-51656ae3d0ef4f2ba59cdfc6830c8098[.]r2[.]dev/meeting[.]htm?utm_campaign=8634688-zm-30000&utm_source=ppc#targetid=john[.]doe@company[.]com |
| Exfiltration | hxxps://api[.]telegram[.]org/bot7643846141:AAH3xkttszS0hQgqj7PaS_f7XetLz-_DTQc/sendMessage |