Researchers have uncovered an active hacking campaign exploiting a zero-day vulnerability in the Zimbra email platform. According to Volexity cybersecurity researchers Steven Adair and Thomas Lancaster, a group dubbed TEMP_Heretic exploits the vulnerability in spear-phishing email attacks.
In a security advisory, Volexity explained that the campaign, dubbed Operation EmailThief, was first discovered in December 2021 and is likely the work of Chinese hackers. According to the team, TEMP_Heretic takes great care in selecting its potential victims. The threat actor first conducts reconnaissance, using tracker-embedded emails to determine if an address is valid and whether a target would open email at all — and if so, the second stage of the attack chain is triggered.
A total of 74 unique Outlook email addresses were used to send the initial emails, which contained generic images and subjects such as invitations, warnings, and airline ticket refunds. TEMP_Heretic then sends customized phishing emails containing a malicious link. The more targeted subjects of the subsequent emails related to requests for interviews from news organizations including AFP and BBC, and invitations to charity dinners. Other phishing email samples collected were more general and contained holiday greetings.
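The reconnaissance stage described above depends on a tracker-embedded email: an image that is fetched from the attacker's server when the recipient opens the message, confirming that the address is live. The following is an added example, not Volexity's code or anything from the advisory, showing how a mail gateway or triage script can flag such open-beacons in an inbound HTML message. The sample message, sender domain, tracker host and token value are all constructed for the example.

```python
"""Flag remote "tracker" images in an inbound HTML email.

Added example for this article, not Volexity's code. The message, sender and
host names below are constructed for the example.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a "holiday greeting" carrying a 1x1 remote image whose
# URL embeds a per-recipient token (hypothetical domains, .invalid TLD).
SAMPLE_EML = b"""\
From: greetings@example-sender.invalid
To: analyst@example-target.invalid
Subject: Happy holidays
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Season's greetings from all of us!</p>
<img src="https://cdn.example-sender.invalid/card.png" width="400" height="300">
<img src="https://t.example-tracker.invalid/open.gif?id=a8f3c2e1" width="1" height="1" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_tiny(attrs):
    """True when either declared dimension is 1px or less."""
    def dim(name):
        v = (attrs.get(name) or "").strip().rstrip("px")
        return int(v) if v.isdigit() else None
    w, h = dim("width"), dim("height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _is_hidden(attrs):
    """True when inline CSS hides the image from the reader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_tracking_pixels(raw_message: bytes, sender_domain: str):
    """Return findings for remote images that look like open-trackers.

    An image is flagged when it is fetched from a host outside the sender's
    domain AND shows at least one beacon trait: tiny, hidden, or carrying a
    query-string token (a per-recipient identifier is what lets the sender
    learn which address opened the mail).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text mail cannot carry an image beacon
    collector = _ImgCollector()
    collector.feed(html_part.get_content())

    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: / data: images never phone home
        host = url.hostname or ""
        reasons = []
        if not (host == sender_domain or host.endswith("." + sender_domain)):
            reasons.append("third-party host")
        if _is_tiny(attrs):
            reasons.append("1x1 image")
        if _is_hidden(attrs):
            reasons.append("hidden via CSS")
        if parse_qs(url.query):
            reasons.append("per-recipient token in query string")
        # Require a foreign host plus at least one beacon trait.
        if "third-party host" in reasons and len(reasons) > 1:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EML, "example-sender.invalid"):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

The check deliberately ignores large, visible images hosted under the sender's own domain, so ordinary newsletters are not flagged; the operational mitigation it complements is a mail client policy that blocks remote content by default, which denies the sender the open-confirmation regardless of how the beacon is disguised.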