October 2, 2023

Researchers have come up with a warning about a mass phishing campaign actively targeting Zimbra account user credentials.

The ongoing campaign is targeting a variety of small and medium businesses and governmental entities in Europe and Latin American countries.

Though it’s not technically sophisticated, it can still spread and compromise organizations that use Zimbra Collaboration suite.


The campaign spreads with a phishing page in an attached HTML file. The emails warn the potential victim about an email server update, account deactivation, or similar issue and direct the user to click on the attached file.

The user is taken to a fake Zimbra login page customized according to the targeted organization once after clicking the attachment. The fake login page harvests submitted credentials entered by a victim who had been tricked to this point, sending them back to a service controlled by the attacks.

With those credentials, the attackers then infiltrate the affected account. In the cases where they have compromised an administrator account, they create new mailboxes that are used to send new phishing emails to other targets.

If multifactor authentication on all Zimbra users and admins are enabled, then chances of account takeover are minimized.

Leave a Reply

%d bloggers like this: