Threat Research
Zivver Phishing: How Real Secure Messages Deliver Fake Logins
A masterclass in modern M365 Business Email Compromise using a secure-messaging platform. How attackers weaponised Zivver to achieve full mailbox takeover in under five minutes.
By ZeroBEC Team · November 25, 2025 · 8 min read
For one of our customers, ZeroBEC's AI-native detection engine flagged one of the most deceptive Business Email Compromise (BEC) attacks we've seen in 2025. The victim was exceptionally vigilant, yet the attacker achieved full mailbox takeover in minutes by weaponising Zivver and employing a classic double-compromise trick. The entire compromise-to-exfiltration phase lasted under five minutes, despite a real-time SOC alert.
The Kill-Chain
Why This Attack Was So Effective
- The Phishing Link Was Hidden Inside a Real Zivver Message: The attacker used the legitimate functionalities of the Zivver platform - notification, encryption, and one-time code. The malicious link was embedded in the encrypted message, making it invisible to email gateways and URL scanners.
- axios/1.13.2 - The Smoking Gun of Modern Phish-Kits: The very first post-compromise activity was axios/1.13.2 making token-validation requests. This lightweight Node.js HTTP client is the de-facto standard in nearly all commercial M365 phishing kits (EvilProxy, Evilginx derivatives, Manjusaka-based kits, etc.). Seeing axios/1.13.2 right after a Zivver interaction is now a high-confidence indicator of active token theft.
- Double-Compromise + Double-Conviction: The attacker anticipated the victim verifying the mail authenticity and instantly responded from the already-compromised corporate mailbox, establishing trust and progressing the attack chain.
- Renamed Bulletproof Infrastructure: Data access and exfiltration originated from two /24 ranges belonging to AS206092, an ASN that underwent multiple name changes and restructurings in 2024-2025 specifically to evade reputation-based blocking.
- The SOC Alert Arrived, But Too Late: The customer's SOC did alert on the suspicious axios logons and inbox-rule creation. However, by the time any action could be taken, the attacker had already completed discovery and exfiltrated data - the entire window was under two minutes.
The Forensic Challenge - Why This Attack Is a Nightmare to Investigate
Because the malicious link existed exclusively inside the decrypted payload of a legitimate Zivver message (a technique now routinely seen with DocuSign, Dropbox, DocSend, and others), standard email forensics finds nothing malicious.
Even when investigators try to "re-open" the original Zivver message later:
- The attacker can (and often does) delete or replace the encrypted content after the victim opens it.
- Some secure-messaging platforms treat messages as one-time view or auto-expire the payload.
- Without immediate preservation, the evidence literally disappears.
Many organisations only retain full Microsoft 365 audit logs for a limited time on standard licences. In this incident, the attacker completed full reconnaissance and exfiltration in under two minutes. Without continuous indexing of audit events, critical records such as MailItemsAccessed, New-InboxRule, and the axios token-validation events would have aged out, leaving no forensic trail.
This is exactly where ZeroBEC makes the difference. Our platform continuously indexes every M365 audit event and retains a full six months of searchable history. When an incident is detected, ZeroBEC automatically builds a complete incident timeline that allows security analysts to trace exactly what happened: which emails the attacker accessed, what inbox rules were created, whether the attacker sent emails on behalf of the victim, and whether other mailboxes in the organisation received the same phishing email. This is critical because many BEC campaigns stay stealthy and operate fraudulently for weeks or even months before discovery.
Without this level of visibility, the attacker walks away with perfect material for an even more targeted follow-up Business Email Compromise campaign or another supply-chain attack.
Bottom line:
When the phishing payload is hidden inside a real, trusted platform, time is evidence and log retention is everything. With ZeroBEC, organisations no longer have to race against expiring logs or rely on manual forensic reconstruction. The full attack story is already there, ready for your team to act on.
Recommendations (Prioritised)
- Create an immediate-response rule for
UserAgent: axios/1.13.2(or any axios version) in M365 audit logs - trigger automated session revocation. - Alert on New-InboxRule and multiple IPs in < 5 min on OWA/Graph traffic.
- Treat any link inside Zivver, DocuSign, DocSend, etc., as untrusted - train users to log in directly via a verified bookmark.
- Block or heavily restrict Zivver and similar platforms at proxy/Conditional Access unless explicitly whitelisted.
- Maintain and update a blocklist of recently renamed or restructured ASNs used for proxy resale.
- Enforce phishing-resistant MFA (FIDO2/passkeys) and disable legacy authentication.
- Deploy ZeroBEC in under 60 seconds - no MX record changes, works alongside your existing email security gateway. ZeroBEC will immediately scan your environment for existing undetected BEC incidents and continuously protect you against future attacks.
Wake-up Call
When attackers embed payloads inside real trusted platforms, use axios-based phish-kits, and operate from renamed bulletproof infrastructure, even vigilant users and real-time SOC alerts are no longer enough.
At ZeroBEC, our AI-native platform helps organisations move from detection to prevention at speed.
Ready for a no-obligation review of your M365 and secure-messaging defences? Contact us today.