New Phishing Attack Mimics Zoom Meeting Invites to Steal Login Details

A sophisticated phishing campaign exploiting the popularity of Zoom meetings has emerged, targeting corporate users with fake meeting invitations that appear to come from colleagues.

The attack uses social engineering tactics to create a sense of urgency, prompting victims to click on malicious links embedded in seemingly legitimate emails.

Once clicked, these links direct users through a deceptive sequence designed to harvest Zoom login credentials.

The phishing emails are crafted to resemble official Zoom meeting notifications, complete with familiar branding, formatting, and language that suggests an immediate response is required.

The messages typically contain urgent subject lines like “Missed Zoom Call” or “Urgent Meeting Request” to elicit quick, unthinking responses from busy professionals juggling multiple communications throughout their workday.

Upon clicking the embedded link, victims are redirected to a convincing replica of a Zoom meeting interface that displays what appears to be colleagues waiting in a video conference.

This creates the illusion of a legitimate meeting in progress, adding psychological pressure to join quickly.
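The lure described above leaves two checkable traces in the message itself: urgency wording in the subject, and Zoom branding whose links actually resolve somewhere other than a Zoom domain. The following is an added example (not code from the article or from SpiderLabs) that parses a constructed sample message and flags both signals; the sender, domains and bucket name in the sample are invented, and the list of legitimate Zoom hosts is an assumption you should extend with your tenant's vanity domain.

```python
"""Heuristic triage of a suspected Zoom-lure email (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: Zoom meeting links live on zoom.us (including
# regional subdomains such as us02web.zoom.us) or zoom.com. Add your own
# vanity domain (e.g. company.zoom.us is already covered by the suffix match).
ZOOM_DOMAINS = ("zoom.us", "zoom.com")
URGENCY_TERMS = ("missed", "urgent", "immediately", "action required", "expires")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_zoom_host(host: str) -> bool:
    """True if host is a Zoom domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


def triage(raw_message: bytes) -> dict:
    """Return subject, extracted links and a list of human-readable findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    parser = _LinkExtractor()
    parser.feed(body)

    findings = []
    if any(t in subject.lower() for t in URGENCY_TERMS):
        findings.append(f"urgency wording in subject: {subject!r}")
    mentions_zoom = "zoom" in (subject + body).lower()
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Zoom branding but the click goes to a non-Zoom host
        if mentions_zoom and not is_zoom_host(host):
            findings.append(f"Zoom-branded link goes to non-Zoom host {host!r} (text {text!r})")
        # Visible text shows a Zoom URL while the real href points elsewhere
        m = re.search(r"https?://([^/\s]+)", text)
        if m and is_zoom_host(m.group(1)) and not is_zoom_host(host):
            findings.append(f"link text shows {m.group(1)!r} but href host is {host!r}")
    return {"subject": subject, "links": parser.links, "findings": findings}


# Constructed sample modelled on the lure the article describes: fake sender,
# reserved .test domains and an invented r2.dev bucket, not a captured message.
SAMPLE_EML = b"""From: "Dana Reyes" <dana.reyes@example-corp.test>
To: you@example-corp.test
Subject: Missed Zoom Call - Urgent Meeting Request
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You missed a Zoom meeting with your team. They are waiting for you now.</p>
<p><a href="https://pub-0123.r2.dev/zoom/join.html">https://us02web.zoom.us/j/8675309</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML)["findings"]:
        print("-", finding)
```

Run against the sample, the triage reports the urgent subject, the Zoom-branded link that lands on an r2.dev bucket, and the mismatch between the displayed zoom.us URL and the real href. The suffix match in is_zoom_host deliberately rejects look-alikes such as zoom.us.evil.test, which a naive substring check would accept.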

SpiderLabs researchers identified this campaign on May 19, 2025, noting its particular effectiveness due to the implementation of pre-recorded video elements that simulate an actual meeting environment.

“This attack represents an evolution in phishing techniques, using dynamic visual elements to overcome user skepticism,” the security team reported in their initial advisory.

Sophisticated Attack Mechanism

The attack flow follows a meticulously designed five-stage process. After receiving the phishing email, victims who click the malicious link are presented with a loading screen that mimics Zoom’s interface.

The page then transitions to display a pre-recorded video of “participants” in a meeting, creating a convincing illusion of a live conference call.

Shortly thereafter, users receive a fake disconnection notification, followed by a fraudulent login prompt designed to capture credentials.

The attack infrastructure spans multiple domains: initial click tracking runs through cirrusinsight.com subdomains (Cirrus Insight is a legitimate email-tracking service, which lends the links a benign reputation), and the fake meeting pages are hosted on r2.dev, the public-bucket hostname of Cloudflare R2 object storage. Both are widely used for legitimate purposes, so blocking them wholesale is rarely an option and detection has to key on the specific paths and the sequence of requests.

Analysis of network traffic reveals that stolen credentials are transmitted to Telegram API endpoints, allowing the attackers to collect victim data in real time. Because the Telegram bot API is a common, TLS-encrypted service, this egress frequently passes through security controls that would flag a connection to a freshly registered attacker domain.
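The two network indicators above, pages served from an r2.dev bucket and POSTs to the Telegram bot API, are most useful when correlated per client: a host that loads a Zoom-themed r2.dev page and then pushes data to api.telegram.org minutes later has very likely just typed credentials into the fake login prompt. The following detection logic is an added example, not from the article or from SpiderLabs. The proxy log format, IP addresses, bucket name and bot token are all constructed for the example; the Telegram path shape (/bot<token>/<method>) and the <bot-id>:<secret> token form are how the real bot API is addressed.

```python
"""Correlate r2.dev lure pages with Telegram bot API exfil in proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed log format (constructed for this example, not a real product's):
# <ISO-8601 time> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
# Telegram bot API paths are /bot<bot-id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(sendMessage|sendDocument)")
CORRELATION_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "status": int(status)}


def classify(rec):
    """Return 'lure_page', 'telegram_exfil' or None for one log record."""
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    # Zoom-themed content on a public R2 bucket
    if host.endswith(".r2.dev") and "zoom" in (u.path + u.query).lower():
        return "lure_page"
    # Browser-originated POST straight to a Telegram bot
    if host == "api.telegram.org" and rec["method"] == "POST":
        if TELEGRAM_BOT_RE.match(u.path):
            return "telegram_exfil"
    return None


def bot_token(url):
    """Extract the bot token from a Telegram bot API URL (None if absent)."""
    m = TELEGRAM_BOT_RE.match(urlparse(url).path)
    return m.group(1) if m else None


def detect(lines):
    """Return {client: [alerts]}; exfil preceded by a lure page is rated high."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            events[rec["client"]].append((rec["ts"], kind, rec["url"]))
    alerts = {}
    for client, evs in events.items():
        evs.sort()
        lure_times = [ts for ts, k, _ in evs if k == "lure_page"]
        for ts, kind, url in evs:
            if kind != "telegram_exfil":
                continue
            token = bot_token(url)
            # Keep the bot id for blocking/reporting, never log the secret half
            redacted = token.split(":")[0] + ":<redacted>"
            preceded = any(lt <= ts <= lt + CORRELATION_WINDOW for lt in lure_times)
            alerts.setdefault(client, []).append({
                "severity": "high" if preceded else "medium",
                "bot": redacted,
                "reason": "credential post to Telegram bot API"
                          + (" after r2.dev Zoom lure page" if preceded else ""),
            })
    return alerts


# Constructed sample lines: private IPs, an invented bucket and a fake token.
SAMPLE_LOG = """\
2025-05-19T09:14:02 10.1.4.23 GET https://pub-0123.r2.dev/zoom/meeting.html 200
2025-05-19T09:14:05 10.1.4.23 GET https://pub-0123.r2.dev/zoom/assets/participants.mp4 200
2025-05-19T09:15:40 10.1.4.23 POST https://api.telegram.org/bot7000000001:AAExampleExampleExampleExampleExampl/sendMessage 200
2025-05-19T10:02:11 10.1.4.77 POST https://api.telegram.org/bot7000000002:BBExampleExampleExampleExampleExampl/sendMessage 200
2025-05-19T10:30:00 10.1.4.90 GET https://zoom.us/j/123456789 200
"""

if __name__ == "__main__":
    for client, items in detect(SAMPLE_LOG.splitlines()).items():
        for a in items:
            print(client, a["severity"], a["bot"], a["reason"])
```

On the sample, 10.1.4.23 is reported as high severity because its Telegram POST follows the r2.dev lure page within the window, 10.1.4.77 is medium (Telegram exfil with no observed lure, which also catches variants hosted elsewhere), and the genuine zoom.us join on 10.1.4.90 produces nothing. The bot id extracted from the URL is what you hand to the proxy or firewall team; the secret half is redacted so the alert itself does not become another copy of the attacker's credential.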

©2024 iSecurify. All Rights Reserved.