Phishing campaign mimics HR Zoom invites to steal Gmail credentials

Attackers are abusing Zoom’s trusted notifications to lure users into credential phishing traps masked as HR document requests.

What happened

According to Cyber Press, a new phishing campaign has emerged that uses legitimate-looking Zoom email notifications to impersonate HR departments and trick job seekers into revealing their Gmail login credentials. The emails appear to come from no-reply-docs@zoom.us and include valid SPF, DKIM, and DMARC headers, making them difficult to distinguish from genuine messages.

The attack invites recipients to view a document labeled “VIEW DOCUMENTS” via a Zoom Docs interface. However, the link redirects to a non-Zoom domain, where victims are guided through a fake bot verification process before landing on a Gmail-themed phishing page.

Going deeper

Once redirected to the malicious site (overflow.qyrix.com.de), users are met with a press-and-hold button that mimics bot protection. This mechanism is designed to evade automated security scans and establish credibility with human users. After completing the interaction, victims are sent to a spoofed Gmail login page where entered credentials are siphoned in real time via a WebSocket connection.

This live credential validation technique allows attackers to immediately test stolen usernames and passwords, prioritizing successful logins and discarding invalid ones.

What was said

Security researchers outlined several technical red flags in the phishing flow:

• Zoom-branded links pointing to unrelated domains
• A pre-login gate is not found in any real Gmail login process
• Presence of live WebSocket (ws:// or wss://) connections used for real-time data exfiltration

To mitigate risk, users are urged to enable two-factor authentication, inspect sender domains carefully, and avoid entering credentials on login screens hosted outside official provider domains. Analysts and IT teams are advised to block known malicious domains and conduct ongoing email header analysis for threat detection.

The big picture

The Zoom-themed phishing campaign shows how easily attackers can exploit trusted platforms to steal credentials. Emails appear legitimate, pass all authentication checks, and even mimic HR communication styles, making them believable at a glance. A fake bot verification step adds another layer of deception, convincing users they’re interacting with a secure site while their Gmail credentials are stolen in real time.

Paubox recommends Inbound Email Security as a safeguard against attacks like this. Its generative AI reviews message tone, context, and behavior to identify communication that doesn’t match legitimate organizational patterns. That intent-based detection helps catch phishing emails using real brand domains or verified headers before they reach the inbox.

FAQs

How can I tell if a Zoom email is fake?

Check the link destination before clicking. Even if the sender address looks legitimate, a real Zoom Docs invite will never redirect to an unrelated domain like “qyrix.com.de.”

What does a WebSocket connection do in phishing?

It enables real-time transmission of your entered credentials to the attacker, allowing them to immediately test and use your login information.

Why does the phishing page include a bot verification gate?

It’s designed to fool users into trusting the page and to prevent automated security systems from detecting and analyzing the phishing site.

Is SPF, DKIM, and DMARC validation enough to trust an email?

No. While these validations confirm the message wasn’t tampered with in transit, attackers can still exploit legitimate services to send deceptive messages.

What should SOC teams monitor to catch similar phishing attacks?

Look for unusual domains in Zoom communications, unexpected WebSocket traffic from browsers, and pre-login gates not associated with standard authentication flows.