Risky Bulletin — Sponsored: Sublime Security on Zoom Attacks
Host: Catalina Campano (Risky Business Media)
Guest: Alex Orleans, Head of Threat Intelligence, Sublime Security
Date: March 15, 2026
Episode Overview
This episode dives deep into the surge of Zoom-themed email attacks observed by Sublime Security, with a particular focus on recent attacker innovations, the techniques used to exploit trust in video conferencing, and how defenders (especially email security companies) are adapting. Alex Orleans shares frontline insights into evolving threat vectors, from credential harvesting to malware delivered via booby-trapped installers, as well as the added sophistication attackers gain from artificial intelligence.
Key Discussion Points & Insights
1. Current Trends in Abuse of Zoom for Attacks
Timestamp: 00:13 – 01:51
- Attackers are leveraging Zoom in three primary ways:
  - Luring to Real Zoom Meetings: Victims are duped into legitimate meetings for real-time social engineering.
  - Deploying Booby-Trapped Zoom Clients: Targets are convinced to install malicious (fake or repackaged) Zoom software.
  - Credential Harvesting via Fake Updaters: Emails direct users to fake landing pages mimicking Zoom updates/installers.
- Quote [Alex Orleans, 00:44]:
"There's social engineering, there's the credential harvesting and there's the malware. But the one... where we're seeing more innovation... is on the malware delivery side..."
- Increasing use of Remote Monitoring and Management tools (RMMs) like ScreenConnect and AnyDesk as malicious payloads, exploiting their legitimate appearance.
2. Why Are These Attacks Spiking?
Timestamp: 01:51 – 03:24
- Factors contributing to increased attack efficacy:
  - Zoom Fatigue: Employees are inundated with meeting invites, leading to lapses in scrutiny.
  - Abuse of Calendar Invites: Some phishing attempts bypass email and go straight to calendars (ICS phishing).
  - Attack Evasion Tactics: RMMs and similar tools are less likely to trigger traditional defensive alerts.
- Quote [Alex Orleans, 02:01]:
"You have a higher chance of evading detection, higher chance of evading both email screening as well as EDR..."
3. Exploiting Trust and Social Engineering
Timestamp: 03:24 – 05:58
- Attacks often impersonate trusted contacts ("Dave from accounting") or vendors.
- The ruse can include impersonated voices or figures in fake conferences, tailored to the victim—sometimes enhanced by AI to synthesize voices or convincingly mimic teams.
- AI-Driven Personalization: Attackers scrape social media and other open sources, customizing phishing lures for maximum credibility.
- Quote [Alex Orleans, 04:18]:
"...how they're using AI to accelerate attack lifecycle. So you can use AI now to rapidly increase the kind of research you do on a target before engaging in a spear phishing operation..."
4. Defensive Strategies and Detection at Sublime Security
Timestamp: 05:58 – 09:29
- Multi-layered Detection: Uses both static and behavioral rules, alongside their AI analyst (ASA).
- Analyzing URLs and Sender Details:
  - Flags emails where links purport to be Zoom/Google Meet but route to unrelated domains.
  - Examines sender reputation (free email services vs. corporate addresses).
  - Looks for familiar language patterns and signals of brand impersonation.
- Executive Summaries: ASA provides plain-English explanations on detections, aiding user and analyst understanding.
- Quote [Alex Orleans, 06:21]:
"...an AI written executive summary... talks about both... brand impersonation, here's a deceptive subdomain, and builds out the arguments that you could see in plain English exactly why it was flagged."
- Contextual & Linguistic Analysis: Able to catch later-stage lures (e.g., after multiple back-and-forth emails) and detect attempts to move conversations to other platforms (Telegram, WhatsApp, etc.).
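As an added illustration (not code from the episode, from Sublime Security, or from the ASA product), a small Python analyser that applies the URL and sender signals described above to a constructed sample lure: a consumer-mail sender, anchor text that advertises zoom.us while the href lands on an unrelated domain, and a brand word planted in the subdomain. The brand, free-mail and label tables are hypothetical stand-ins for a real rule set.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical rule tables for this example; the vendor's real rules are not on the page.
BRAND_REGISTRABLE = {"zoom.us", "google.com"}          # where genuine meeting links land
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # consumer sender domains
BRAND_LABELS = {"zoom", "meet"}                        # brand words abused in subdomains
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Crude eTLD+1 (last two labels); adequate for the sample domains used here.
    return ".".join(host.lower().split(".")[-2:])

def analyse(raw):
    """Return (rule, detail) findings for one raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if sender_domain in FREE_MAIL:
        findings.append(("free_mail_sender", sender_domain))
    for href, text in ANCHOR.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        if registrable(host) in BRAND_REGISTRABLE:
            continue  # link really lands on the brand's own domain
        text = re.sub(r"<[^>]+>", "", text).strip().lower()
        # Anchor text advertises a meeting brand, but the href goes somewhere else.
        if "zoom" in text or "google meet" in text:
            findings.append(("link_mismatch", host))
        # A brand word appears as a label inside an unrelated registrable domain.
        if BRAND_LABELS & set(re.split(r"[.-]", host)):
            findings.append(("deceptive_subdomain", host))
    return findings

# Constructed sample lure (not a real message) that trips each rule once.
SAMPLE = """From: Dave from Accounting <dave.accounting.corp@gmail.com>
To: victim@example.com
Subject: Updated Zoom link for today's call
Content-Type: text/html

<p>The bridge changed, join here:</p>
<a href="https://zoom.us.secure-invite.example.net/j/88812">https://zoom.us/j/88812</a>
<p>Backup: <a href="https://meet.google.com/abc-defg-hij">Google Meet</a></p>
"""
```

Running `analyse(SAMPLE)` yields three findings, while the genuine meet.google.com backup link is left alone because its registrable domain is the brand's own.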
5. Broader Scope: Beyond Zoom
Timestamp: 09:45 – 10:23
- While Zoom and Google Meet are top targets, attackers also mimic WebEx, Microsoft Teams, Slack, and other platforms.
- Quote [Alex Orleans, 09:55]:
"...any way of moving the conversation to a different program that you could be tricked into downloading a fake installer for..."
6. Targeted Victim Demographics and Attack Context
Timestamp: 10:23 – 12:50
- Brand Impersonation: Heavily targets professional services, education, nonprofits, and government/public sector organizations.
- Impersonation Types:
  - Employee (Peer-to-Peer): More common in real estate, hospitality, transportation.
  - Executive (Top-Down): Seen in energy, financial services, technology.
- Attackers research who talks to whom in organizations—using open data—to make lures believable.
- Quote [Alex Orleans, 12:20]:
"It's all about the actor developing an understanding of who the target regularly communicates with..."
7. Attack Lifecycle and Defender Limitations
Timestamp: 12:50 – 13:44
- Sublime Security's visibility is focused on the email/inbox stage: it prevents attacks before execution but does not track what happens after a payload is installed.
- Collaboration with EDR tools is necessary for full incident resolution.
- Quote [Alex Orleans, 13:06]:
"...our goal is providing kind of left of intrusion prevention and left of intrusion visibility..."
8. Attacker Tooling: Automation and Phishing Kits
Timestamp: 13:44 – 14:05
- No dominant phishing kit yet for these attack types, but automation is broadly seen; future toolkits may further commoditize such lures.
Notable Quotes & Memorable Moments
- On AI-Powered Social Engineering
  [04:18 – Alex Orleans]: "What you think is a Zoom call might even sound like Marcy and Greg if they've been able to find audio of these individuals, such as on YouTube or social media."
- On Importance of Brand Impersonation
  [10:50 – Alex Orleans]: "...things that are directly trying to impersonate Zoom or Google Meets fall broadly under the idea of brand impersonation because they're attempting to impersonate a product that you're familiar with and probably trust."
- On Evolving Detection Techniques
  [08:27 – Catalina Campano]: "This would be ideal for targeted attacks, like, let's say, a more advanced financial threat actor or APT group."
Suggested Listen
For a detailed look at how modern email security vendors adapt to evolving phishing threats leveraging Zoom and similar tools, and to hear more about the interplay between attacker and defender innovation—especially in the era of AI—this episode is a must.
Useful Timestamps
- [00:44] – Methods of Zoom abuse and attacker innovations
- [02:01] – Challenges facing defenders, evasion of detection
- [04:18] – Use of AI and social media scraping for targeted lures
- [06:21] – Inside Sublime’s detection process
- [09:55] – Attackers mimic more than just Zoom
- [10:50] – Who is being targeted, and impersonation patterns
- [13:06] – Limitation of email-based defense; partnership with EDR
For further insights and current cybersecurity threat trends, tune in to Risky Bulletin weekly.
