When Zoom Phishes You: Unmasking a Novel TOAD Attack Hidden in Legitimate Infrastructure
Summary:
A novel phishing technique has been identified that leverages the legitimate infrastructure of Zoom to deliver Telephone-Oriented Attack Delivery (TOAD) payloads. In this campaign, threat actors exploit the "Display Name" field during the Zoom account registration process. By inputting a fraudulent message, such as a fake PayPal debit notification, into the name field and triggering a legitimate One-Time Password (OTP) or verification email, attackers ensure the message is delivered from a trusted zoom.us domain. Because the email originates from official Zoom servers, it successfully passes standard authentication checks like SPF, DKIM, and DMARC. The ultimate goal is social engineering; the email contains no malicious links but instead pressures the recipient to call a fraudulent support number to "cancel" a high-value pending transaction.
Security Officer Comments:
This campaign represents a sophisticated "Living off the Land" (LotL) approach to phishing that specifically targets the "halo effect" of trusted enterprise brands. For organizations, this is particularly concerning because many of our organizations have white-listed or "soft-passed" major SaaS providers like Zoom and PayPal within their Secure Email Gateways (SEGs).
The impact of the technique is twofold: first, it bypasses the automated technical controls that our security teams rely on to filter the thousands of daily phishing attempts. Second, it places an immense burden on the end-user. Even a security-conscious employee who checks the sender's address will see a legitimate Zoom domain, likely leading them to trust the content. For organizations, a successful TOAD attack can lead to secondary compromises, such as credential harvesting over the phone or the installation of remote access trojans (RATs) under the guise of "technical support." This shift from link-based phishing to voice-based social engineering requires a pivot in how we train our workforce to recognize "legitimate but malicious" communications.
Suggested Corrections:
To defend against this evolving threat, organizations should move beyond simple domain reputation and implement content-aware security measures. We recommend the following actions:
- Implement Contextual Analysis: Shift toward security solutions that utilize Natural Language Processing (NLP) or AI-driven analysis to detect "intent-sender mismatches"—for example, flagging an email that originates from Zoom but discusses PayPal financial transactions.
- Enhance User Awareness Training: Update phishing simulation and training modules to include TOAD attacks. Employees should be taught that a "Verified" sender does not equate to "Verified" content and should be wary of any unsolicited email requesting a phone call for financial matters.
- Refine Email Gateway Policies: While you cannot block Zoom, you can configure SEGs to flag or quarantine emails from high-reputation domains that contain specific high-risk keywords (e.g., "PayPal," "debit," "invoice") in the display name or body if they originate from an unexpected source.
- Establish Out-of-Band Verification: Reinforce internal policies that require employees to use official, bookmarked corporate portals or known-good contact numbers to verify transaction alerts, rather than calling numbers provided in an email.
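One way to implement the contextual check the first and third recommendations describe, as an added example (not code from the original advisory or from Prophet Security): an intent-sender mismatch scorer that only escalates mail from a trusted SaaS domain when the From display name, subject or body carries a financial brand, high-risk terms and a callback number. The policy tables and the two sample messages are constructed for the example; the trusted-domain and keyword lists are assumptions to tune per environment.

```python
"""Intent-sender mismatch check: mail that authenticates from a trusted SaaS
domain but carries a financial pretext plus a callback number (TOAD lure)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Policy tables are assumptions for this example; tune them per environment.
TRUSTED_SAAS_DOMAINS = {"zoom.us"}
FINANCIAL_BRANDS = {"paypal", "venmo", "zelle"}
HIGH_RISK_TERMS = {"debit", "invoice", "charged", "transaction", "cancel"}
# North American number shapes; 10-11 digit meeting IDs can collide with this,
# so a phone hit on its own only yields "flag", never "quarantine".
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def _plain_text(msg):
    """Decoded text/plain body, or an empty string when there is none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""

def score_message(raw):
    """Return (verdict, reasons) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # The injected Zoom "display name" lands in the body, so scan it too.
    text = "\n".join([display, str(msg.get("Subject", "")), _plain_text(msg)]).lower()
    reasons = []
    if domain in TRUSTED_SAAS_DOMAINS:  # mismatch only matters for trusted senders
        brands = sorted(b for b in FINANCIAL_BRANDS if b in text)
        if brands:
            reasons.append(f"sender {domain} but content references {', '.join(brands)}")
        terms = sorted(t for t in HIGH_RISK_TERMS if t in text)
        if terms:
            reasons.append("high-risk terms: " + ", ".join(terms))
        if PHONE_RE.search(text):
            reasons.append("callback phone number present")
    verdict = "quarantine" if len(reasons) >= 3 else ("flag" if reasons else "allow")
    return verdict, reasons

# Constructed samples (not real messages): a lure riding on a legitimate
# verification email, and the same email with a normal recipient name.
TOAD_SAMPLE = """From: Zoom <no-reply@zoom.us>
To: user@example.com
Subject: Verify your Zoom account
Content-Type: text/plain; charset=utf-8

Hello PayPal Alert: a $499.99 debit for invoice 8841 is pending.
Call +1 (800) 555-0199 to cancel.

Enter this code to verify your email: 123456
"""
BENIGN_SAMPLE = TOAD_SAMPLE.split("\n\n", 1)[0] + "\n\nHello Alice,\n\nEnter this code to verify your email: 654321\n"
```

The same content sent from a non-trusted domain is not a mismatch and falls through to "allow", which keeps the rule from quarantining genuine PayPal mail.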
Link(s):
https://www.prophetsecurity.ai/blog...ad-attack-hidden-in-legitimate-infrastructure