Fake HR Emails via Zoom: Phishing Scam Steals Gmail Credentials from Job Seekers

A cunning phishing campaign is targeting job seekers with emails posing as "HR Departments via Zoom Docs," using subjects like "HR Departments invited you to view 'VIEW DOCUMENTS'". These messages pass SPF, DKIM, and DMARC checks, so they look fully legitimate to both users and filters. Attackers prey on eager applicants, blending social engineering with trusted platforms to harvest Gmail logins without raising alarms.


Clicking the Zoom link redirects victims through malicious sites, starting with overflow.qyrix.com.de's fake "bot protection" CAPTCHA to block scanners and build trust. After "verification," users land on a near-identical Gmail phishing page, complete with Google's branding and interactive fields, tricking even cautious folks into entering credentials.


The real danger:
Stolen usernames and passwords are exfiltrated instantly via WebSocket to overflow.qyrix.com.de/websocket/socket.io/, enabling quick validation, session hijacking with tokens/cookies, and faster transmission than HTTP. Cybersecurity researcher Himanshu Anand uncovered this during his job hunt, highlighting the campaign's sophisticated setup for real-time account takeovers.
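
The chain described above (Zoom link, off-platform landing, then a socket.io WebSocket to the same host) can be hunted for in web proxy logs. The following is an added example, not part of the original article or the researcher's tooling; the log format, the `docs.zoom.us` referer, the client addresses, the benign `chat.example.org` entry and the 10-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: time, client IP, HTTP status, URL, referer ("-" if none).
SAMPLE_LOG = """\
2025-01-01T09:00:00 10.0.0.5 200 https://docs.zoom.us/doc/EXAMPLE -
2025-01-01T09:00:04 10.0.0.5 200 https://overflow.qyrix.com.de/ https://docs.zoom.us/
2025-01-01T09:00:40 10.0.0.5 101 wss://overflow.qyrix.com.de/websocket/socket.io/ https://overflow.qyrix.com.de/
2025-01-01T09:05:00 10.0.0.9 101 wss://chat.example.org/socket.io/ https://chat.example.org/
"""

def in_domain(host, domain):
    """True if host is `domain` itself or one of its subdomains."""
    return bool(host) and (host == domain or host.endswith("." + domain))

def find_ws_exfil(log_text, lure_domain="zoom.us", window=timedelta(minutes=10)):
    """Return (client, host, time) for each socket.io WebSocket upgrade to a host
    that the same client reached from a lure-domain referer within `window`."""
    landed = {}  # (client, host) -> when the client arrived there from the lure
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer = line.split()
        when = datetime.fromisoformat(ts)
        target = urlsplit(url)
        host = target.hostname
        # Step 1: an off-platform landing reached directly from the lure domain.
        if in_domain(urlsplit(referer).hostname, lure_domain) and not in_domain(host, lure_domain):
            landed[(client, host)] = when
        # Step 2: a WebSocket upgrade (101) on a socket.io path to that same host.
        arrived = landed.get((client, host))
        if status == "101" and "/socket.io/" in target.path and arrived is not None:
            if when - arrived <= window:
                hits.append((client, host, ts))
    return hits

if __name__ == "__main__":
    for client, host, ts in find_ws_exfil(SAMPLE_LOG):
        print(f"{ts} {client} opened a socket.io WebSocket to {host} after a Zoom-referred landing")
```

Legitimate sites also use socket.io, which is why the check only fires when the WebSocket host is the one the client just reached from the lure platform; the second client in the sample is not flagged.
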
Stay safe:
Verify HR emails directly and use password managers with alerts.