Parse this phishing .eml?

Jump to latest Follow Reply
Status
You're currently viewing only stevenkan's posts. Click here to go back to viewing the entire thread.
Muted (0)
stevenkan

stevenkan

Ars Legatus Legionis
16,288
  • #1
    Hmmm. I received this obvious phishing attempt, except:
    1. I can't figure out how it intends to work:
      1. Reply replies to no-reply@zoom.us, which is correct, and causes no harm.
      2. The "let us know here" link goes to:
        1. Code: 
          https://us05web.zoom.us/terminate_unusual_login_help?code=LVHLMZrcW9kV6EPZdWaNJ7vbUN9owK15-JOf5gXUWFc.AG.au2hq24bqTxyUO1hHvfDRuWcX4QQoL7JD6g0FJi4aM-mX1BJ6Bf0RmlmTvoJmEeL29-MH_z-CFTvOrCj6Sky_9p6TskLkVqo5kRfxn6F-ujAJtoxGIEW0As5XcTeLp1fM1eYY98w4atsPn69VAYlUhqeAnV05Bkd6YWcPiNI-Ft8EUE0NSnusN_AADggL2HR_BMgIyRpLjcEhdRNIGfd6ILKpvcabcF0HJ8Wnm8jzfb1xBJoXLWLb8cWiMZUjVbqZPORPb5Rr3HoiGl1IiipcgedJNCh8mK6T2qpwxNHNVSHuGkNf4uYoGpiFMo.JW-VSAXacO2XobwzGhouRg.hNtsFqhu6SJ0xImS
        2. which starts with https://us05web.zoom.us, which itself is valid and causes no harm.
    2. It's crafted to look (mostly) legitimate, which is the scary part. I tell my users to watch for:
      1. The "from" address.
        1. Yes, this is trivially spoofed, but most phishing attempts don't even bother, so it's an easy first test.
      2. The "to" address.
        1. This is the one clear red flag that stands out, other than the content of the email
      3. URLs that go to some random, obviously fraudulent domain.
        1. The link starts with starts with https://us05web.zoom.us, which is valid if I copy/paste just that part into a browser.
        2. Does the "?code=LVHLMZrcW9. . . . " have any malicious possibilities? The "?" means its processed on the server side, correct? Which means that any malicious behavior would have to involve a vulnerability on zoom.us, correct?
    Or is there any attack vector that I'm not seeing here?

    Full .eml is here, if anyone dares. But it's just plain text, and contains no scripts:

    https://www.kan.org/download/Code f... <no-reply@zoom.us> - 2026-01-26 0653.eml.txt

    1769451720666.png


    Mods: please relocate if OT, but I didn't know a better place to put this, as it's neither Microsoft nor Network nor Battlefront nor ????
     
    stevenkan

    stevenkan

    Ars Legatus Legionis
    16,288
  • #4
    rain shadow said:
    HOLD UP. I can't believe I missed the bit that was partially hidden under the pop up menu. That is the attack vector. How it reached you and zoom's participation in relaying it may still be of interest, but the attack itself is social engineering.
    Click to expand...
    Ah, so it's just a phone number. Everything else was benign. Thanks!
     
    You must log in or register to reply here.
    Status
    You're currently viewing only stevenkan's posts. Click here to go back to viewing the entire thread.
    Jump to latest Follow Reply
    Jump to latest Follow Reply