Parse this phishing .eml?

stevenkan

Ars Legatus Legionis
16,288
Hmmm. I received this obvious phishing attempt, except:
  1. I can't figure out how it intends to work:
    1. Reply replies to no-reply@zoom.us, which is correct, and causes no harm.
    2. The "let us know here" link goes to:
      1. Code:
        https://us05web.zoom.us/terminate_unusual_login_help?code=LVHLMZrcW9kV6EPZdWaNJ7vbUN9owK15-JOf5gXUWFc.AG.au2hq24bqTxyUO1hHvfDRuWcX4QQoL7JD6g0FJi4aM-mX1BJ6Bf0RmlmTvoJmEeL29-MH_z-CFTvOrCj6Sky_9p6TskLkVqo5kRfxn6F-ujAJtoxGIEW0As5XcTeLp1fM1eYY98w4atsPn69VAYlUhqeAnV05Bkd6YWcPiNI-Ft8EUE0NSnusN_AADggL2HR_BMgIyRpLjcEhdRNIGfd6ILKpvcabcF0HJ8Wnm8jzfb1xBJoXLWLb8cWiMZUjVbqZPORPb5Rr3HoiGl1IiipcgedJNCh8mK6T2qpwxNHNVSHuGkNf4uYoGpiFMo.JW-VSAXacO2XobwzGhouRg.hNtsFqhu6SJ0xImS
      2. which starts with https://us05web.zoom.us, which itself is valid and causes no harm.
  2. It's crafted to look (mostly) legitimate, which is the scary part. I tell my users to watch for:
    1. The "from" address.
      1. Yes, this is trivially spoofed, but most phishing attempts don't even bother, so it's an easy first test.
    2. The "to" address.
      1. This is the one clear red flag that stands out, other than the content of the email.
    3. URLs that go to some random, obviously fraudulent domain.
      1. The link starts with https://us05web.zoom.us, which is valid if I copy/paste just that part into a browser.
      2. Does the "?code=LVHLMZrcW9. . . . " have any malicious possibilities? The "?" means it's processed on the server side, correct? Which means that any malicious behavior would have to involve a vulnerability on zoom.us, correct?
Or is there any attack vector that I'm not seeing here?

Full .eml is here, if anyone dares. But it's just plain text, and contains no scripts:

https://www.kan.org/download/Code f... <no-reply@zoom.us> - 2026-01-26 0653.eml.txt



Mods: please relocate if OT, but I didn't know a better place to put this, as it's neither Microsoft nor Network nor Battlefront nor ????
 

rain shadow

Ars Tribunus Angusticlavius
6,442
Subscriptor++
could be
  • misconfigured email server sent a legit email to the wrong person
  • bug at zoom where they send the OTP to the wrong person sometimes
  • vladimir's account was forwarded to you for some reason or other
  • someone figured out how to parse and create a malicious code= part in the URL
  • you got bcc'd in the early stages of someone playing around with how to steal OTP

I suspect one of the first three.
Compare to a known legit OTP from Zoom; maybe there is more going on.
Is vladimir a real email you can verify with an admin?

EDIT:
HOLD UP. I can't believe I missed the bit that was partially hidden under the pop up menu. That is the attack vector. How it reached you and zoom's participation in relaying it may still be of interest, but the attack itself is social engineering.
 

andrewme

Senator
7,111
Subscriptor
There is nothing technical happening here. Somebody took the body of a legitimate Zoom OTP email and added “Hi Dear Customer … If you need help, Call <not Zoom’s real phone number>”. If you call that number you will be talking to the scammers who will probably try to get credit card or banking info from you to “try to help reverse the erroneous charge” or some similar story. Nothing will happen if you click the links or reply.

The only interesting question is how SPF didn’t drop this on the floor.

Elsewhere: https://www.billhartzer.com/marketing-foo/zoom-phishing-email-paypal-scam/
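The checks the first post lists (From, To, link hosts) plus the two things the replies add (the SPF result and the phone number planted in the body) can be run mechanically over an .eml. The script below is an added example written for this thread, not code from anyone in it; the sample message is constructed to mirror the described mail (the real code= value is replaced by a placeholder, and the phone number is a reserved 555 number), and the trusted-domain and known-number sets are assumptions you would fill in for your own environment.

```python
"""Triage an .eml the way the thread does: sender, recipient, link hosts,
SPF result, and (the actual vector here) phone numbers in the body."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, modelled on the thread's description; not the real .eml.
SAMPLE_EML = """\
From: Zoom <no-reply@zoom.us>
Reply-To: no-reply@zoom.us
To: vladimir@example.invalid
Subject: Unusual login attempt
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=zoom.us
Content-Type: text/plain; charset=utf-8

Hi Dear Customer,
We noticed an unusual login. If this wasn't you, let us know here:
https://us05web.zoom.us/terminate_unusual_login_help?code=CONSTRUCTED_OPAQUE_CODE
If you need help, Call +1 (555) 010-0199.
"""

TRUSTED_DOMAINS = {"zoom.us"}   # assumption: domains this mail may legitimately come from / link to
KNOWN_PHONE_NUMBERS = set()     # assumption: digit strings of numbers the vendor really publishes

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
SPF_RE = re.compile(r"\bspf=(\w+)")


def domain_of(addr):
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for the domain itself or a real subdomain (zoom.us.evil.invalid fails)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def normalize_phone(text):
    return re.sub(r"\D", "", text)


def triage(raw_eml, expected_recipient):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", from_addr)))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    spf = SPF_RE.search(str(msg.get("Authentication-Results", "")))

    # Links: only the host decides where the browser goes; the query string is
    # handed to that host's server and cannot run anything on its own.
    urls = [{"url": u, "host": urlsplit(u).hostname or "",
             "host_trusted": host_is_trusted(urlsplit(u).hostname or "")}
            for u in URL_RE.findall(body)]

    # Phone numbers: the social-engineering hook, so any unknown number is a finding.
    phones = [{"as_written": m.strip(), "digits": normalize_phone(m),
               "known": normalize_phone(m) in KNOWN_PHONE_NUMBERS}
              for m in PHONE_RE.findall(body)]

    result = {
        "from": from_addr,
        "from_trusted": host_is_trusted(domain_of(from_addr)),
        "reply_to_matches_from": domain_of(reply_to) == domain_of(from_addr),
        "to": to_addr,
        "to_mismatch": to_addr.lower() != expected_recipient.lower(),
        "spf": spf.group(1).lower() if spf else "none",
        "urls": urls,
        "phones": phones,
    }
    result["suspicious"] = (
        result["to_mismatch"]
        or not result["from_trusted"]
        or result["spf"] != "pass"
        or any(not u["host_trusted"] for u in urls)
        or any(not p["known"] for p in phones)
    )
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_EML, "stevenkan@example.invalid")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the sender, Reply-To, SPF and link host all come back clean, exactly as the thread found, and the two findings left are the recipient mismatch and an unknown phone number in the body. Swap SAMPLE_EML for the contents of a real .eml file to triage it the same way.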
 

stevenkan

Ars Legatus Legionis
16,288
HOLD UP. I can't believe I missed the bit that was partially hidden under the pop up menu. That is the attack vector. How it reached you and zoom's participation in relaying it may still be of interest, but the attack itself is social engineering.
Ah, so it's just a phone number. Everything else was benign. Thanks!