Phishers using Zix to “legitimize” emails in the eyes of Office 365 users

UPDATE: May 19, 2021 – 03:10 AM ET

Mirko Zorz, Editor in Chief, Help Net Security

The page you are on used to contain a news item based on research from Abnormal Security about a phishing campaing purported to originate from Zix. The blog post in question has since been deleted, and Abnormal Security sent us the following comment:

Abnormal Security removed the blog post after receiving legal notice from Zix. The company stands by the accuracy of its research.

Through their PR agency, Zix contacted us to say that the blog post was removed because they believe it contained multiple false and misleading statements, and they asked us to remove our article or issue a retraction.

Since the original blog post was removed, our article about it can’t be checked for accuracy. We want our readers to have full transparency on our reporting, so we removed our coverage of the blog post as well, and are leaving this page with the comment we received from Zix:

Here are some key details, based on our findings to date, as to why the blog was incorrect and mischaracterizes the functionality of Zix products:

  • The report noted that the attack was sent using the secure email system Zix, which lends an air of credibility to the attack because Zix should ostensibly be verifying that the link isn’t malicious. This is incorrect as the attacks were sent from a compromised Office 365 account, not “using” a Zix product. Authentic Title, LLC who owns the compromised O365 account is not a Zix customer.
  • The blog noted “As the header and footer of the message suggest, this link takes the message recipient to an official Zix authentication site ( that checks the link for safety.” From what we observed, the email in the phishing campaign email sent by the compromised O365 account: (a) did not include a link having in the URL; and (b) did not include a header or footer identifying Zix.

Don't miss