Attackers are abusing Zoom’s trusted notifications to lure users into credential phishing traps masked as HR document requests.
According to Cyber Press, a new phishing campaign has emerged that uses legitimate-looking Zoom email notifications to impersonate HR departments and trick job seekers into revealing their Gmail login credentials. The emails appear to come from no-reply-docs@zoom.us and include valid SPF, DKIM, and DMARC headers, making them difficult to distinguish from genuine messages.
The attack invites recipients to view a document labeled “VIEW DOCUMENTS” via a Zoom Docs interface. However, the link redirects to a non-Zoom domain, where victims are guided through a fake bot verification process before landing on a Gmail-themed phishing page.
Once redirected to the malicious site (overflow.qyrix.com.de), users are met with a press-and-hold button that mimics bot protection. This mechanism is designed to evade automated security scans and establish credibility with human users. After completing the interaction, victims are sent to a spoofed Gmail login page where entered credentials are siphoned in real time via a WebSocket connection.
This live credential validation technique allows attackers to immediately test stolen usernames and passwords, prioritizing successful logins and discarding invalid ones.
Security researchers outlined several technical red flags in the phishing flow:
To mitigate risk, users are urged to enable two-factor authentication, inspect sender domains carefully, and avoid entering credentials on login screens hosted outside official provider domains. Analysts and IT teams are advised to block known malicious domains and conduct ongoing email header analysis for threat detection.
The Zoom-themed phishing campaign shows how easily attackers can exploit trusted platforms to steal credentials. Emails appear legitimate, pass all authentication checks, and even mimic HR communication styles, making them believable at a glance. A fake bot verification step adds another layer of deception, convincing users they’re interacting with a secure site while their Gmail credentials are stolen in real time.
Paubox recommends Inbound Email Security as a safeguard against attacks like this. Its generative AI reviews message tone, context, and behavior to identify communication that doesn’t match legitimate organizational patterns. That intent-based detection helps catch phishing emails using real brand domains or verified headers before they reach the inbox.
Check the link destination before clicking. Even if the sender address looks legitimate, a real Zoom Docs invite will never redirect to an unrelated domain like “qyrix.com.de.”
It enables real-time transmission of your entered credentials to the attacker, allowing them to immediately test and use your login information.
It’s designed to fool users into trusting the page and to prevent automated security systems from detecting and analyzing the phishing site.
No. While these validations confirm the message wasn’t tampered with in transit, attackers can still exploit legitimate services to send deceptive messages.
Look for unusual domains in Zoom communications, unexpected WebSocket traffic from browsers, and pre-login gates not associated with standard authentication flows.