The Zix phishing campaign is being carried out against nearly 75,000 Google Workspace, Office 365, and Exchange mailboxes across a wide range of industries, including state and local, education, financial services, healthcare, and energy sectors.
Phishing is a massive and continuously growing security issue for businesses of all sizes. A single click on the wrong link can be all it takes to compromise an entire organization's network, often with disastrous consequences, including data breaches or malware and ransomware infections on company devices.
The Zix credential phishing campaign, recently observed by researchers at cybersecurity company Armorblox, is another example of new tactics employed by phishers to target businesses. Unknown attackers have so far targeted close to 75,000 company mailboxes across multiple sectors.
Disguised as a secure message
To get employees to open malicious emails, the cybercriminals behind the new phishing campaign disguised their messages as coming from the email encryption provider Zix, a well-known cybersecurity brand.
According to Armorblox, the email sent by the phishers is titled ‘Secure Zix message’. It includes “a header in the email body reiterating the email title, and claims that the victim has received a secure message from Zix.”
Clicking the ‘Message’ link in the phishing email delivers an HTML file that leads to a malicious website.
While Armorblox found that the phishing emails were potentially delivered to nearly 75,000 mailboxes, the attackers apparently targeted a “select group of employees – usually across departments – [...] within each customer environment.”
“For example, for one of our SLED customers, people targeted by this attack included the CFO, a Director of Operations, a Director of Marketing, and a Professor. For another customer, a wellness company, the target employees included the SVP of Finance and Operations, the President, and a utility email alias ([email protected][.]com),” states the Armorblox report.
Even though it would be exceedingly difficult to deliberately target 75,000 employees, the victims targeted by the attackers appear to be employed in positions of “senior leadership,” as well as individual contributors who would be “unlikely to communicate often with each other when they receive an email that looks suspicious.”
Protecting against the Zix credential phishing attack
For organizations that wish to avoid being targeted by the Zix phishing campaign, Armorblox provides a series of security recommendations.
Because the phishing emails got past the standard security controls used by Office 365, Google Workspace, Exchange, Cisco ESA, and other business email providers, Armorblox recommends augmenting built-in email security with additional layers that “take a materially different approach to threat detection,” and suggests Gartner’s Market Guide for Email Security as a good starting point.
Other recommendations include following best practices against social engineering, using multi-factor authentication, and maintaining good password hygiene:
- When looking at incoming emails, use an eye test that includes inspecting the sender’s name, their email address, language, and any logical inconsistencies.
- Use multi-factor (or at least two-factor) authentication on all corporate and personal online accounts.
- Use strong and complex passwords.
- Don’t reuse the same password on multiple online accounts.
- Use a quality password manager.
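The “eye test” above (sender name, sender address, wording, logical inconsistencies) can also be expressed as a mail-filter rule. The following Python script is an added example written for this article; it is not code from Armorblox, Zix, or any of the email providers named, and both sample messages and the brand-to-domain allowlist (BRAND_DOMAINS, with a placeholder domain) are constructed assumptions. It parses a message, checks whether a display name or subject invokes a brand while the sending domain is not on that brand's allowlist, flags HTML attachments of the kind described in the campaign, and notes the inconsistency of “secure message” wording arriving from an unknown domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample lure, modelled on the campaign's description (not a real artifact).
LURE = """From: "Zix Secure Message" <notify@mail-delivery-example.test>
To: cfo@victim.example
Subject: Secure Zix message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received a secure message from Zix. Click Message to view.
--b1
Content-Type: text/html; name="SecureMessage.html"
Content-Disposition: attachment; filename="SecureMessage.html"

<html><body>redirect placeholder</body></html>
--b1--
"""

# Constructed benign message for comparison.
BENIGN = """From: "Jane Doe" <jane.doe@partner.example>
To: ops@victim.example
Subject: Q3 invoice
Content-Type: text/plain

Invoice is in the portal as usual.
"""

# Assumed configuration: a brand named in a display name or subject should only
# arrive from these domains. The value is a placeholder, not the vendor's real domain.
BRAND_DOMAINS = {
    "zix": {"zix-brand-domain.example"},
}


def analyze(raw: str) -> dict:
    """Apply the sender-name / sender-address / wording checks to one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = str(msg.get("Subject", ""))
    findings = []

    # Check 1: brand impersonation in the display name or subject vs. actual sending domain.
    for brand, allowed in BRAND_DOMAINS.items():
        if (brand in display.lower() or brand in subject.lower()) and domain not in allowed:
            findings.append(f"brand '{brand}' named in sender/subject but sender domain is {domain!r}")

    # Check 2: HTML attachments, the delivery mechanism described for this campaign.
    html_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if part.get_content_type() == "text/html"
    ]
    if html_attachments:
        findings.append(f"HTML attachment(s): {html_attachments}")

    # Check 3: logical inconsistency; 'secure message' wording from an unknown domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    known = set().union(*BRAND_DOMAINS.values())
    if re.search(r"secure message", text, re.IGNORECASE) and domain not in known:
        findings.append("claims to be a secure message but sender domain is not a known secure-mail domain")

    return {
        "from_display": display,
        "from_address": addr,
        "subject": subject,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        result = analyze(raw)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

The allowlist approach is deliberately conservative: any message that invokes a brand name from outside that brand's own sending domains is flagged for review rather than silently accepted, which is the same judgement the manual eye test asks an employee to make.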