This week, we uncovered an attack that uses a Zoom notification.  We saw this across multiple organizations and in multiple weeks. 

It works like this:

The subject of the email reads: You have a VM-Alert

The body links to a page that says it will allow you to respond to a Zoom request, but is actually a malicious link.  Some emails even had a Zoom logo. The Zoom meeting ID is static and doesn't go anywhere.

Here's what it looks like:



Sign Up For Attack Alerts