New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft
Aug 18, 2023
Email Seucrity / Cyber Attack
A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia. It has not been attributed to any known threat actor or group. "Initially, the target receives an email with a phishing page in the attached HTML file," ESET researcher Viktor Å perka said in a report. "The email warns the target about an email server update, account deactivation, or similar issue and directs the user to click on the attached file." The messages also spoof the from address to appear as if they are coming from a Zimbra administrator in a likely attempt to convince the recipients into opening the attachment. The HTML file contains a Zimbra lo