Global Phishing Campaign Targets Zimbra Email Servers

August 17, 2023

A phishing campaign has been active since at least April 2023, aiming to hijack accounts from Zimbra Collaboration email servers across the globe. As per the findings of ESET, the campaign indiscriminately targets organizations via phishing emails. The identity of the perpetrator behind this operation remains a mystery.

The phishing attack begins with an email, ostensibly from the organization's admin, warning users of an upcoming email server update that will temporarily deactivate their accounts. Users are directed to open an attached HTML file for more information on the server upgrade and instructions on how to prevent account deactivation.

Upon opening the HTML attachment, a counterfeit Zimbra login page is displayed, complete with the targeted company's logo and branding to appear genuine. The username field in the login form is already filled in, adding to the perceived authenticity of the phishing page. The account passwords entered into the phishing form are then transmitted to the attacker's server via an HTTPS POST request.

In some cases, ESET found that the attackers utilized compromised administrator accounts to establish new mailboxes. These mailboxes are then used to propagate phishing emails to other members of the organization. Despite the relatively simple nature of this campaign, its reach and effectiveness are noteworthy, and Zimbra Collaboration users should be cognizant of the threat.

Zimbra Collaboration email servers are frequently targeted by hackers for cyber espionage purposes, to gather internal communications, or to serve as an initial point of entry for infiltrating the target organization's network. Earlier this year, it was disclosed by Proofpoint that the Russian hacking group 'Winter Vivern' exploited a vulnerability in Zimbra Collaboration (CVE-2022-27926) to gain access to the webmail portals of organizations aligned with NATO, governments, diplomats, and military personnel.

Last year, Volexity reported that a threat actor named 'TEMP_Heretic' exploited a zero-day flaw (CVE-2022-23682) in the Zimbra Collaboration product to access mailboxes and carry out lateral phishing attacks. As ESET concludes, 'The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries.'

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.