Researchers have uncovered an active campaign exploiting a zero-day vulnerability in the Zimbra email platform.
Zimbra is an email platform available under an open source license. According to the developer, the platform supports hundreds of millions of mailboxes located in 140 countries.
On February 3, Volexity researchers Steven Adair and Thomas Lancaster said Zimbra is being exploited by a threat group tracked as TEMP_Heretic in a series of spear-phishing email attacks.
In a security advisory, Volexity said the campaign, dubbed "Operation EmailThief," was first discovered in December 2021 and is likely the work of a Chinese threat actor.
According to the team, TEMP_Heretic is careful in its selection of potential victims. The threat actor first performs reconnaissance, sending emails with embedded tracking images to confirm that an address is valid and that the target actually opens mail. Only when a recipient opens one of these emails does the second stage of the attack chain begin.
In total, 74 unique Outlook.com (Microsoft) email addresses have been used to send these preliminary emails, which contain generic images and subjects such as invitations, alerts, and airline ticket refunds.
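The reconnaissance stage described above relies on a tracking image: a remote picture whose URL is unique to the recipient, so the attacker's server learns that the address exists and that the mail was opened. The following Python script, added here as an illustration and not taken from Volexity's report or from the article, scans a raw email for likely tracker images. Its two heuristics (a remote image declared 1 pixel wide or tall, and a remote image whose URL carries a query string or a long opaque token) are the author's own assumptions about what a tracker looks like, and the sample message and all hostnames are constructed for the example.

```python
"""Flag likely tracking images in an email's HTML body.

Added example, not code from Volexity or from the article. Assumes the
reconnaissance email carries a remote <img> whose URL encodes a
per-recipient token, the usual tracking-pixel pattern. Both heuristics
below are assumptions for this example, not details from the report:
  * the image is remote (http/https) and declared 1px wide or tall, or
  * the image URL has a query string or a long opaque filename token.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the HTML."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _declared_px(value):
    """Parse a width/height attribute such as '1' or '1px' to an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else None


def _is_tiny(attrs):
    w = _declared_px(attrs.get("width"))
    h = _declared_px(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _has_opaque_token(url):
    """True if the URL has a query string or a long token-like filename."""
    parsed = urlparse(url)
    if parsed.query:
        return True
    filename = parsed.path.rsplit("/", 1)[-1]
    stem = filename.split(".", 1)[0]
    return len(stem) >= 16 and re.fullmatch(r"[A-Za-z0-9_-]+", stem) is not None


def find_tracker_images(raw_message: bytes):
    """Return a list of suspicious remote images found in the HTML part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _ImgCollector()
    collector.feed(body.get_content())

    hits = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        # cid:/data: images are delivered with the mail and do not call home.
        if not src.lower().startswith(("http://", "https://")):
            continue
        reasons = []
        if _is_tiny(attrs):
            reasons.append("1px image")
        if _has_opaque_token(src):
            reasons.append("per-recipient token in URL")
        if reasons:
            hits.append({"src": src, "host": urlparse(src).hostname, "reasons": reasons})
    return hits


# Constructed sample message mimicking a generic "ticket refund" lure.
# Hostnames and the token are made up for this example.
SAMPLE_EML = b"""From: "Airline Refunds" <refunds@example.com>
To: target@example.org
Subject: Your ticket refund
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your refund has been processed.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.com/static/logo.png" width="120" height="40">
<p>Your refund has been processed.</p>
<img src="https://track.example.net/o/3f9a1c2e5b7d4e6f8a9b0c1d.gif" width="1" height="1">
<img src="cid:inline-banner">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for hit in find_tracker_images(SAMPLE_EML):
        print(hit["host"], hit["src"], ", ".join(hit["reasons"]))
```

Run against the sample, the logo image and the inline `cid:` image are ignored and only the 1x1 image with the long token on `track.example.net` is reported. In practice this kind of check belongs at the mail gateway, where the flagged host can be held back from rendering or fed into a watchlist, since the whole point of the attacker's first stage is that a single image fetch confirms a live target.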
TEMP_Heretic will then send tailored phishing emails containing a malicious link. The more targeted themes of