On May 11, 2021, Zix was alerted to a phishing campaign, purported to originate from Zix, as reported in a vendor blog post. This phishing campaign did not originate from Zix or its link protection service.
Our security team immediately began an investigation based upon the information presented. Our analysis shows that the phishing campaign originated from a compromised Microsoft 365 account belonging to Authentic Title, LLC, which is not a Zix customer. The compromised account was manipulated to send several thousand emails targeting various domains. Only a small subset of the phishing messages was sent to Zix customers from the compromised account.
We are continuing to analyze this phishing campaign, just as we routinely monitor thousands of campaigns daily. Our threat intelligence evolves in real time as the threat landscape changes.
For more information on how these types of account compromises work, check out "Malicious Office 365 Apps Are the Ultimate Insiders" by Brian Krebs.
Recommendations for Zix | AppRiver Customers
Customers can protect themselves against the threat activity described above by ensuring that multi-factor authentication (MFA) is enforced within Microsoft 365, limiting MFA to an authenticator app with SMS text as a backup.
Review your application grants, as described in the Brian Krebs article. This Microsoft document describes how to check your Microsoft 365 grants.
We will provide an update as new information becomes available.
Contact us if you’d like a security review of your Microsoft 365: https://zix.com/audit.