Phishing Campaign Targets Global Zimbra Collaboration Email Servers


Widespread attempts to steal login credentials from organizations have put cybersecurity professionals on high alert.

Attack on Zimbra Collaboration email servers

An ongoing phishing campaign has been detected, aiming to steal login credentials from Zimbra Collaboration email servers utilized by organizations worldwide. The phishing attempts began surfacing in April, and the identity of the perpetrators remains concealed.

Zimbra Phishing page found by ESET

Details of the Campaign:

  • Geographical Scope: The phishing emails have targeted organizations primarily in Latin America, Russia, Europe, and Asia. According to BleepingComputer, referencing a report from cybersecurity firm ESET, there doesn’t seem to be a specific focus on any particular sector or type of organization.
  • Deceptive Emails: The initial point of contact is a phishing email that masquerades as an official communication from the recipient’s organization. This email urges the user to open an HTML file, which supposedly provides information about a server upgrade and warns about impending account deactivation if not acted upon.
  • Impersonation Tactics: Upon opening the HTML file, users are presented with a convincingly fake Zimbra login screen, complete with the logo and the name of the targeted organization. Notably, the username field is pre-filled, requiring the user only to input their password. Once entered, the password is sent to the malicious actor through an HTTPS POST request.
  • ESET’s Insights: ESET described the scale of the campaign’s reach and the number of successful phishing attempts as “impressive”. They have also issued a warning to Zimbra users to remain cautious. It’s worth noting that Zimbra has become an increasingly popular target for cyber adversaries.


  • Heightened Risks: This campaign showcases the evolving sophistication of phishing techniques. The use of organization-specific branding in the phishing pages and pre-filled usernames are tactics to increase the likelihood of victims entering their passwords.
  • Role of Zimbra: As Zimbra Collaboration email servers continue to gain traction, they are simultaneously drawing the attention of cyber attackers. Organizations using this platform must be increasingly vigilant and proactive in their cybersecurity measures.
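
The attachment behaviour described above (a local HTML file with a pre-filled username and a password field submitted by HTTPS POST) can be checked for at a mail gateway or during triage. The following is an added example, not code from ESET or from this article; it assumes the form is static markup rather than built by script, and the function names, sample hosts and addresses are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LoginFormScanner(HTMLParser):
    """Records, per <form>, the traits described for the phishing attachment."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "get"),
                         "password": False, "prefilled": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._cur["password"] = True
            elif kind in ("text", "email") and a.get("value", "").strip():
                self._cur["prefilled"] = True  # identifier already typed in for the user

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def score_attachment(html_text):
    """Return findings for an HTML file that arrived as an e-mail attachment."""
    scanner = LoginFormScanner()
    scanner.feed(html_text)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue  # forms without a password field are out of scope here
        findings.append("password field in attached HTML")
        target = urlparse(form["action"])
        if target.scheme in ("http", "https") and target.netloc:
            findings.append(f"form {form['method'].upper()}s to remote host {target.netloc}")
        if form["prefilled"]:
            findings.append("username field is pre-filled")
    return findings

# Constructed samples; hosts and addresses are placeholders, not campaign indicators.
SAMPLE = """<form method="post" action="https://collector.example.invalid/submit">
<input type="text" name="username" value="user@org.example" readonly>
<input type="password" name="password"><input type="submit" value="Sign in"></form>"""
BENIGN = "<p>Upgrade notice</p><form action='/search'><input type='text' name='q'></form>"

if __name__ == "__main__":
    print(score_attachment(SAMPLE), score_attachment(BENIGN))
```

Any single finding is weak on its own; the three together in an attached HTML file match the pattern the article describes and justify quarantine or analyst review.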
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
