Zoom Notes Phishing Abuse: How Attackers Exploit a Trusted Brand to Deliver Legitimate-Looking…
Researchers have identified a phishing technique that chains Zoom and Gmail: the attacker creates scam content with Zoom's "Notes" feature and shares it to a Gmail address, then uses Gmail's auto-forwarding to send the message on to many target mailboxes. Because the email comes from [email protected] and passes SPF, DKIM and DMARC, it is highly convincing. These attacks usually direct the victim to call a scam phone number to carry out further fraud. Organizations are advised to configure mail-flow rules, raise employee security awareness, and report abuse promptly to counter this threat.
2025-09-02 10:02:06
Author: infosecwriteups.com (view original)
Views: 17
In a recent investigation, our team uncovered and successfully replicated a sophisticated phishing technique that leverages Zoom’s own infrastructure to send seemingly legitimate emails from [email protected]. This method abuses Zoom’s “Notes” feature and Gmail’s auto-forwarding functionality to bypass sender limits and email security controls. Here’s how it works, why it’s effective, and how to defend against it.
The Exploit in Action
Step-by-Step Breakdown:
1. Zoom Notes Abuse: An attacker creates or compromises a Zoom account (free or paid). They create a new Zoom Note with scam content (e.g., fake payment confirmation, invoice details, or tech support callback numbers). The note is shared via Zoom's built-in "Share via Email" feature to an external Gmail address.
2. Legitimate Zoom Infrastructure Used: The resulting email is sent directly from [email protected] via SendGrid. SPF, DKIM, and DMARC all pass, as it originates from Zoom's authenticated platform.
3. Bypassing Limits with Gmail Forwarding: The Gmail account (e.g., [email protected]) is configured to auto-forward emails to many recipients. This bypasses Zoom's daily send limits for external recipients. The forwarded email preserves the original headers, making it appear as though Zoom sent the email directly to the target.
How I Investigated and Replicated It
After receiving a suspicious email appearing to come from [email protected], I began the investigation by inspecting the full message headers. Here’s what we found:
SPF, DKIM, and DMARC all passed, confirming the message originated from Zoom’s legitimate infrastructure.
The original recipient was [email protected], not an internal corporate address.
The message was forwarded through Gmail, as evidenced by the presence of unverified-forwarding.1e100.net in the header chain.
The final recipient was our internal user, showing the forwarded message retained its original headers and authenticated sender.
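The header pattern listed above can be checked mechanically. The following Python script is an added example, not code from the write-up: it parses raw headers and flags a message only when all four signals line up (SPF, DKIM and DMARC pass; a Gmail forwarding hop is present; the original To: is a gmail.com address; the mailbox that actually received it is not in To:). The sample headers, the zoom.us sender domain, the corp.example mailbox and every address and ID in them are constructed assumptions; only the host name unverified-forwarding.1e100.net comes from the investigation.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample in the shape described above, outermost headers first,
# as the corporate mailbox would see them. Only unverified-forwarding.1e100.net
# comes from the write-up; addresses, IDs, dates and domains are made up.
SAMPLE = """\
Delivered-To: finance@corp.example
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
 by mx.corp.example with ESMTPS id k1; Tue, 2 Sep 2025 10:02:06 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=zoom.us;
 dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us
X-Forwarded-To: finance@corp.example
Received: from unverified-forwarding.1e100.net ([10.0.0.1])
 by smtp.gmail.com with ESMTPSA id q9; Tue, 2 Sep 2025 03:02:05 -0700 (PDT)
From: Zoom <no-reply@zoom.us>
To: scammer.relay@gmail.com
Subject: Thank You - Your Payment Has Been Processed

Thank you for your payment. If this wasn't you, call the number below.
"""

FORWARD_HOST = "unverified-forwarding.1e100.net"   # Gmail forwarding hop seen in the chain
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=pass\b", re.I)


def analyze(raw):
    """Return per-signal findings plus an overall 'suspicious' verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    passed = {m.group(1).lower() for m in AUTH_RE.finditer(auth)}
    received = " ".join(msg.get_all("Received", []))
    # Delivered-To is the mailbox that finally received the copy;
    # To: still names the forwarding Gmail account from the original send.
    final = (msg.get("Delivered-To") or "").strip().lower()
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    findings = {
        "auth_all_pass": {"spf", "dkim", "dmarc"} <= passed,
        "gmail_forward_hop": FORWARD_HOST in received,
        "orig_to_is_gmail": any(a.endswith("@gmail.com") for a in to_addrs),
        "final_rcpt_not_in_to": bool(final) and final not in to_addrs,
    }
    findings["suspicious"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for name, hit in analyze(SAMPLE).items():
        print(f"{name:22s} {hit}")
```

A mail-flow rule built on the same four signals quarantines the forwarded copies without blocking Zoom notifications that were sent straight to the organization's own addresses.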
To replicate the attack, I:
1. Created a Zoom Basic account.
2. Composed a Zoom Note with scam-style language (e.g., fake payment and invoice confirmation).
3. Used Zoom's "Share via Email" feature to send it to a test Gmail account.
4. Configured Gmail to automatically forward the message to a corporate inbox.
Subject: Thank You — Your Payment Has Been Processed
Body:
"Thank you for your Zoom Webinar 500 Plan payment of $298.75. Invoice number: E50622. The transaction was completed using PayPal. If this wasn't you, call +1 (831) 210–2680 for support."
In this case, the goal of the message wasn’t to deliver malware or capture credentials through a phishing link. Instead, the attackers used a legitimate-looking email to prompt the recipient to call a phone number. This is a classic callback phishing technique, where the scam continues over the phone — often resulting in social engineering, remote access scams, or fraudulent payments.
This phishing technique is a powerful example of how trusted platforms can be repurposed into delivery mechanisms for scams. Because the message is technically legitimate and properly authenticated, it bypasses many traditional security filters.
Organizations must combine strong content filtering, behavior-based detection, and user education to stay protected against these kinds of threats.
Would you have spotted this scam if it landed in your inbox?