New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

Cyber Security Threat Summary:
“A new ‘mass-spreading’ social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia. It has not been attributed to any known threat actor or group. ‘Initially, the target receives an email with a phishing page in the attached HTML file,’ ESET researcher Viktor Šperka said in a report… ‘The email warns the target about an email server update, account deactivation, or similar issue and directs the user to click on the attached file.’ The HTML file contains a Zimbra login page tailored to the targeted organization, with the Username field prefilled with the victim's email address to make it seem more authentic. Once the credentials are entered, they are collected from the HTML form and sent via an HTTPS POST request to an actor-controlled server” (The Hacker News, 2023).

Security Officer Comments:
To trick recipients into opening the attachment, the emails spoof the sender address so that the message appears to come from a Zimbra administrator. In some cases the actors have also sent the lure from the Zimbra accounts of previously targeted, legitimate companies, which suggests they were able to compromise administrator accounts at those organizations and create new mailboxes for sending phishing emails to further targets.

According to the researchers, the HTML attachments used in this campaign consist for the most part of legitimate login-page code; the only malicious element is the one pointing to the attacker-controlled host that receives the submitted credentials. This is most likely intended to bypass antispam policies and evade email security scanning, which has little to key on in an otherwise benign-looking file. Note also that the attachment opens in the victim's browser as a local file, so the page looks like the legitimate Zimbra login screen even though the address bar shows a local file path rather than the organization's Zimbra domain. That address bar is the clearest tell for an end user; for analysts, the destination the form (or its script) submits to is the indicator worth extracting.

Suggested Correction(s):

  • Do not open attachments or download software from untrusted sources
  • Do not click on links or open attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information in response to an email; a legitimate Zimbra administrator will never ask for a password this way
  • Always verify the sender's email address, name, and domain, and treat a login page that opens from a local file path rather than the organization's Zimbra domain as phishing
  • Enforce multi-factor authentication on Zimbra accounts so that a harvested password alone does not grant access
  • Review Zimbra for unexpected administrator accounts or newly created mailboxes, and reset the credentials of any user who submitted the form
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or IT staff immediately


IOCs:
https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/

Link(s):
https://thehackernews.com/2023/08/new-wave-of-attack-campaign-targeting.html