Embedded Threats: How Attackers Weaponize Legitimate Emails

ID: 69d39d27-c7f0-52b7-9045-7cd336fa2c22

STIX ID: report--69d39d27-c7f0-52b7-9045-7cd336fa2c22

Feed Name: Cofense Blog

Threat Score: 65/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: Cofense

This Cofense Intelligence report details a tactic in which attackers register accounts or use arbitrary text fields (usernames, meeting descriptions, file names, custom images) on legitimate services—highlighting Zoom—to embed malicious links or phone scams into emails that are then forwarded to victims. Because the emails originate from legitimate services, they preserve valid From addresses and pass DKIM/DMARC/SPF checks, making detection difficult; examples include meeting invites and account-change notifications used to deliver ConnectWise RAT. The report explains the attack flow, common abused services and fields, and recommends contextual threat intelligence and user awareness training as primary mitigations.
