Threat actor steals email with Zimbra zero-day

Threat actor steals email with Zimbra zero-day

Researchershave discovered a threat actor attempting to exploit a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform.

Zimbra is open source webmail application used for messaging and collaboration. Cross-site scripting is a type of injectionattackwherein a vulnerability in a web application allows a threatactorto inject malicious code into the site’s content. In this case the target was a Zimbra email opened in a web browser.

Targets and threat actor

The entire campaign was targeted—predominantly at organizations in the European government and media realm. According to Zimbra, there are 200,000 businesses, and over a thousand government and financial institutions, using their software. How many of them fall into the target audience is unknown.

The researchers have dubbed the threat actor “TEMP_Heretic” and based on a number of observed factors they have reason to believe the threat actor is of Chinese origin.

The campaign

This campaign was named EmailThief by the researchers and consisted of two clear components. The first one was a reconnaissance mission to find people that were likely to open the second email. Using this method the attackers could weed out invalid and unresponsive receivers. The reconnaissance emails were sent on 14 December, 2021 and contained no malicious links. This first wave only contained embedded remote images in the body of email messages. These emails contained no content other than the remote image and had generic subjects often associated with non-targeted spam. These emails are unlikely to have attracted any negative attention because remote images are widely used in marketing emails to measure email open rates.

The image URLs were unique to each individual, enabling the threat actor to ascertain the validity of the email addresses, and to determine which accounts were more likely to open phishing email messages.

The second part of the campaign was only sent to the receivers that qualified as likely to open such an email in the first wave. This part of the campaign was done in four waves which were sent out at 16, 23, 24, and 27 of December, 2021. These spear-phishing waves were largely generic and mostly themed around the holiday season, notably purporting to be from various airlines or Amazon.

In these campaigns, the attacker embedded links to attacker-controlled infrastructure. Upon clicking the malicious link, the attacker infrastructure would attempt a redirect to a page on the targeted organization’s Zimbra webmail host. A specifically crafted URL format exploited a zero-day vulnerability, allowing an attacker to load arbitrary JavaScript into the page, in the context of a logged-in Zimbra session.

The overall effect of this attack is that by getting a user to click a link in an email and leave their browser window open for any length of time, the attacker can steal the contents of their mailbox.


Besides the theft of mailbox contents the vulnerability could also have been used to:

  • Exfiltrate cookies, which could allow persistent access to a mailbox
  • Send phishing messages to the user’s contacts
  • Display prompts to download malware from trusted websites

At the time of writing, there is no official patch or workaround for this vulnerability, so it is a zero-day vulnerability. The researchers have notified Zimbra of the exploit and hopefully a patch will be available soon.

Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15 and testing of version 9.0.0 by the researchers indicates it is likely unaffected.

Possible workarounds are:

  • Don’t log into the Zimbra webmail client from a web browser
  • The good old “don’t click on links in emails” advice

Since this campaign seems to have run its course it’s important for possible targets to check whether they have fallen victim to this campaign. In which case email communications may have been intercepted by the threat actor.

The researchers have posted a full list of IOC’s on GitHubfor your perusal.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.