Embedded Threats: How Attackers Weaponize Legitimate Emails
Threat actors are weaponizing legitimate online services, such as Zoom, by embedding malicious links and phone numbers into arbitrary text fields like usernames and meeting descriptions. By triggering automated emails from these services and forwarding them to victims, attackers successfully bypass traditional email security protocols (SPF, DKIM, DMARC) and Secure Email Gateways.
Indicators of Compromise
- Domain: arnilserver[.]com. Domain associated with the attacker-controlled email address used in the PayPal phone scam campaign.
- Domain: jessemercado[.]me. Domain associated with the attacker-controlled email address used in the ConnectWise RAT campaign.
- Email: michele[@]arnilserver[.]com. Attacker-controlled email address used to receive the weaponized Zoom host key email (PayPal phone scam) before forwarding it to victims.
- Email: support9549[@]jessemercado[.]me. Attacker-controlled email address used to receive the weaponized Zoom meeting invitation (ConnectWise RAT delivery) before forwarding it to victims.
Detection / HunterGoogle
What Happened
Cybercriminals are using legitimate services like Zoom to send scam emails that look completely real. They do this by putting fake messages, bad links, or scam phone numbers into text fields like their 'username' or 'meeting description'. Because the email actually comes from Zoom's real servers, it easily slips past standard email security filters. This makes it very hard for automated systems to block, so people need to be extra careful and think twice before clicking links or calling numbers in unexpected automated emails. Organizations should train their staff to spot these hidden tricks.
Key Takeaways
- Threat actors are abusing arbitrary text fields (like usernames and meeting descriptions) in legitimate online services to embed malicious content.
- Because the emails originate from legitimate service infrastructure (e.g., Zoom), they successfully bypass traditional email authentication (SPF, DKIM, DMARC) and many Secure Email Gateways (SEGs).
- Attackers register accounts, input malicious payloads, trigger an automated email to themselves, and then forward that legitimate email to victims.
- Observed campaigns include PayPal phone scams embedded in Zoom host key emails and the delivery of ConnectWise RAT disguised as Social Security Administration alerts.
Affected Systems
- Email clients
- Secure Email Gateways (SEGs)
- End users
Attack Chain
The threat actor registers an account on a legitimate service like Zoom and inputs a malicious payload (e.g., a scam message or malicious link) into an arbitrary text field such as a username or meeting description. The actor then triggers the service to send an automated email containing this text to their own email address. Finally, the attacker forwards this legitimate, authenticated email to the intended victim, bypassing email security gateways and delivering the embedded threat.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, noting that traditional email security headers and SEGs struggle to detect this TTP.
Detection Engineering Assessment
- EDR Visibility: Low. This is an email-based attack; EDR will only have visibility if the user clicks the embedded link and downloads the secondary payload (e.g., ConnectWise RAT).
- Network Visibility: Medium. Network logs might capture the click-through to the malicious URL hosted in the meeting description, but the initial email delivery occurs over standard encrypted mail protocols.
- Detection Difficulty: Hard. The emails originate from legitimate services like Zoom and pass SPF/DKIM/DMARC, making them difficult to distinguish from benign traffic without causing high false positives.
Required Log Sources
- Email Gateway Logs
- Web Proxy Logs
- DNS Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for emails originating from legitimate services (e.g., Zoom, Webex) that contain suspicious keywords (e.g., 'invoice', 'PayPal', 'urgent verification') in the display name or meeting description fields. | Email Gateway Logs | Delivery | High |
| Evaluate whether forwarded emails from legitimate services contain mismatched context, such as a Zoom invite claiming to be from the Social Security Administration. | Email Gateway Logs | Delivery | Medium |
Control Gaps
- Secure Email Gateways (SEGs)
- Email Authentication (SPF/DKIM/DMARC)
Key Behavioral Indicators
- Legitimate service emails (e.g., from Zoom's automated sender address) forwarded from unknown or suspicious third-party domains
- Unusually long or formatted usernames in automated emails containing phone numbers or URLs
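The hunting hypotheses in the table above and the behavioral indicators just listed can be turned into a scoring pass over email-gateway records. The following is an added example written for this page, not code from the original article or from any vendor. It assumes a simplified log format (one dict per message with envelope sender, header From, display name, subject and body), an assumed set of service domains (zoom.us, webex.com) and an assumed organisation domain (example.com); the two attacker domains are the ones reported above, and all sample records are constructed. Weak signals (a forward marker, generic keywords, a long display name) only count when combined, which is how the high false-positive risk noted below is kept in check.

```python
import re

# Assumed: automated senders of legitimate services whose mail is in scope.
LEGIT_SERVICE_DOMAINS = {"zoom.us", "webex.com"}
# Assumed: the organisation's own mail domain; internal forwards are not third-party relays.
ORG_DOMAIN = "example.com"
# Attacker-controlled domains reported in the article (defanged there with [.]).
KNOWN_BAD_DOMAINS = {"arnilserver.com", "jessemercado.me"}
# Keywords from the hunting hypotheses; deliberately generic, hence the high FP risk.
SUSPICIOUS_KEYWORDS = ("invoice", "paypal", "urgent verification", "social security")
# Weak signals alone should not page anyone; require this much combined evidence.
ALERT_THRESHOLD = 2

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|me|org|io)\b", re.I)
FWD_RE = re.compile(r"^\s*(?:fwd?|fw)\s*:", re.I)


def domain_of(address):
    """Lower-cased domain part of an address such as 'user@host'."""
    return address.rsplit("@", 1)[-1].lower()


def mentions_service(msg):
    """True if the message claims to be, or quotes, a legitimate-service email."""
    if domain_of(msg["header_from"]) in LEGIT_SERVICE_DOMAINS:
        return True
    body = msg["body"].lower()
    return any(d in body for d in LEGIT_SERVICE_DOMAINS)


def assess(msg):
    """Score one gateway record; returns (score, reasons)."""
    if not mentions_service(msg):
        return 0, []
    score, reasons = 0, []

    def hit(weight, why):
        nonlocal score
        score += weight
        reasons.append(why)

    env_domain = domain_of(msg["envelope_from"])
    if env_domain in KNOWN_BAD_DOMAINS:
        hit(3, f"envelope sender domain is a reported attacker domain: {env_domain}")
    if env_domain not in LEGIT_SERVICE_DOMAINS and env_domain != ORG_DOMAIN:
        hit(2, f"service mail relayed through third-party domain: {env_domain}")
    name = msg["display_name"]
    if PHONE_RE.search(name):
        hit(2, "phone number embedded in display name")
    if URL_RE.search(name):
        hit(2, "URL embedded in display name")
    if len(name) > 40:
        hit(1, f"unusually long display name ({len(name)} chars)")
    if FWD_RE.match(msg["subject"]):
        hit(1, "subject marks the message as a forward")
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits = [k for k in SUSPICIOUS_KEYWORDS if k in text]
    if hits:
        hit(1, "suspicious keywords: " + ", ".join(hits))
    return score, reasons


def hunt(records, threshold=ALERT_THRESHOLD):
    """Return {message id: {'score', 'reasons'}} for records at or above threshold."""
    findings = {}
    for rec in records:
        score, reasons = assess(rec)
        if score >= threshold:
            findings[rec["id"]] = {"score": score, "reasons": reasons}
    return findings


# Constructed sample gateway records (not real log data; the Zoom sender is assumed).
SAMPLE_LOG = [
    {"id": "msg-1", "envelope_from": "no-reply@zoom.us", "header_from": "no-reply@zoom.us",
     "display_name": "Zoom", "subject": "Alice Smith has invited you to a scheduled Zoom meeting",
     "body": "Join Zoom Meeting https://zoom.us/j/000000000"},
    {"id": "msg-2", "envelope_from": "michele@arnilserver.com", "header_from": "no-reply@zoom.us",
     "display_name": "PayPal Billing Dept Call +1 (800) 555-0199 to cancel invoice",
     "subject": "Fwd: Your Zoom host key",
     "body": "Your PayPal invoice of $499.99 has been charged. Call the number in the host name to cancel."},
    {"id": "msg-3", "envelope_from": "bob@example.com", "header_from": "bob@example.com",
     "display_name": "Bob Jones", "subject": "FW: Zoom meeting tomorrow",
     "body": "From: Zoom <no-reply@zoom.us> Join Zoom Meeting https://zoom.us/j/000000001"},
    {"id": "msg-4", "envelope_from": "support9549@jessemercado.me", "header_from": "no-reply@zoom.us",
     "display_name": "Social Security Administration",
     "subject": "Fwd: Social Security Administration has invited you to a Zoom meeting",
     "body": "Meeting description: Your benefits are suspended. Download your statement at https://statement-download.example/ssa"},
]

if __name__ == "__main__":
    for mid, finding in hunt(SAMPLE_LOG).items():
        print(mid, finding["score"], "; ".join(finding["reasons"]))
```

Run against the sample set, only msg-2 and msg-4 cross the threshold; the direct Zoom invite and the colleague's internal forward do not, even though the internal forward carries the forward marker. When wiring this into a real gateway export, the sender fields are what matter most: a header From in a service domain with an envelope sender elsewhere is exactly the relay pattern the article describes.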
False Positive Assessment
- High, as filtering based on legitimate service sender addresses or generic keywords in meeting invites will likely flag benign business communications.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider searching email logs for the identified attacker-controlled domains (arnilserver.com, jessemercado.me) to identify potential exposure.
Infrastructure Hardening
- Evaluate whether email filtering rules can be tuned to flag suspicious keywords within automated emails from known legitimate services, if supported by your SEG.
User Protection
- If applicable, ensure endpoint protections are configured to detect and block unauthorized remote access tools like ConnectWise RAT.
Security Awareness
- Consider updating security awareness training to educate users on how attackers can embed malicious links and phone numbers within legitimate automated emails.
- Instruct users to verify unexpected or urgent requests, even if they appear to come from trusted services like Zoom.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1585.002 - Establish Accounts: Email Accounts
- T1036 - Masquerading