Operation GhostMail Zimbra Exploit Hits Ukraine Agencies
The digital landscape for government agencies has become significantly more dangerous following the discovery of a fileless phishing campaign. Attackers are currently utilizing the Operation GhostMail Zimbra exploit to bypass traditional email filters that only look for malicious attachments. Because this attack lives entirely within the HTML body of a single email, it remains invisible to standard antivirus scans. Consequently, a user can compromise their entire organization just by viewing a message.
This campaign specifically targets critical national infrastructure, including maritime and shipping support agencies. By leveraging a deceptive internship inquiry, the threat actors ensure their messages look like routine administrative tasks. Furthermore, the Operation GhostMail Zimbra exploit uses sophisticated obfuscation to hide its true intent from automated inspection tools. As a result, the breach occurs silently within the browser session of the victim.
Technical Analysis of the Attack Chain
The heart of this breach is a stored XSS vulnerability known as CVE-2025-66376. This flaw exists due to inadequate sanitization of CSS directives within the webmail interface. Once the email is opened, a JavaScript payload executes to harvest login credentials, session tokens, and backup recovery codes. In addition, the script initiates a full export of the victim’s mailbox history. However, the most damaging part is the creation of app-specific passwords for long-term surveillance.
Strategic Defense and Resilience
To secure your environment, you must prioritize rapid patch management and update to ZCS version 10.0.18 or higher. Furthermore, monitoring for anomalous SOAP activity can help identify a browser-resident stealer before data exfiltration is complete. By staying alert to these fileless methods, you can protect your agency against state-sponsored aggression. You can read the full technical breakdown and security findings in the original report here.
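One way to monitor for the anomalous SOAP activity described above, as an added example that is not taken from the article or the original report: it flags an account that performs two or more of the sensitive actions the article lists (recovery codes read, app-specific password created, mailbox exported) within a short window. The normalized event format, the operation names, the `MAILBOX_EXPORT` label, the window and the threshold are all assumptions to adapt to your own Zimbra logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: operation names below stand for the behaviours the article lists.
# Replace them with the request names that appear in your own Zimbra logs.
SENSITIVE_OPS = {
    "CreateAppSpecificPasswordRequest": "app_password_created",
    "GetScratchCodesRequest": "recovery_codes_read",
    "MAILBOX_EXPORT": "mailbox_export",  # hypothetical label for a full-mailbox export
}
WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_DISTINCT = 2               # distinct sensitive behaviours needed to alert

# Constructed sample events: "timestamp account client_ip operation"
SAMPLE_EVENTS = """\
2025-01-10T09:00:01 alice@example.org 198.51.100.7 SearchRequest
2025-01-10T09:02:10 alice@example.org 198.51.100.7 CreateAppSpecificPasswordRequest
2025-01-10T09:15:00 bob@example.org 203.0.113.20 GetScratchCodesRequest
2025-01-10T09:15:02 bob@example.org 203.0.113.20 CreateAppSpecificPasswordRequest
2025-01-10T09:15:05 bob@example.org 203.0.113.20 MAILBOX_EXPORT
2025-01-10T10:00:00 carol@example.org 192.0.2.44 GetScratchCodesRequest
2025-01-10T11:00:00 carol@example.org 192.0.2.44 CreateAppSpecificPasswordRequest
"""

def parse(line):
    ts, account, ip, op = line.split()
    return datetime.fromisoformat(ts), account, ip, op

def detect(lines):
    """Alert once per account that shows MIN_DISTINCT sensitive behaviours within WINDOW."""
    recent = defaultdict(list)  # account -> [(timestamp, behaviour)]
    alerted, alerts = set(), []
    for ts, account, ip, op in sorted(parse(l) for l in lines if l.strip()):
        behaviour = SENSITIVE_OPS.get(op)
        if behaviour is None or account in alerted:
            continue
        # Keep only hits still inside the sliding window, then add this one.
        recent[account] = [(t, b) for t, b in recent[account] if ts - t <= WINDOW]
        recent[account].append((ts, behaviour))
        kinds = sorted({b for _, b in recent[account]})
        if len(kinds) >= MIN_DISTINCT:
            alerted.add(account)
            alerts.append({"account": account, "ip": ip,
                           "at": ts.isoformat(), "behaviours": kinds})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

In the constructed sample, a single app-password creation (alice) and two sensitive actions an hour apart (carol) stay below the threshold, so only the tightly clustered sequence (bob) alerts.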