Exploiting the post-attendee URL feature in Zoom webinar to distribute malware

The post-attendee Uniform Resource Locator (URL) feature within the video conferencing application known as Zoom is often overlooked by digital forensic experts as a potential risk for malware transmission. However, with the ability to redirect webinar participants to any URL set by the host for the webinar, the post-attendee URL can be abused by bad actors to expose webinar participants to malicious websites or, in the worst-case scenario, force participants to download a file through the use of a direct download link URL. This study aims to showcase how this exploit can be replicated by creating an experimental environment involving four Windows 10 desktops running Zoom version 5.7.5 and creating a webinar with four user accounts acting as webinar participants and setting the post-attendee URL value to the URL of a website that contained a keylogger. In another trial, the same experimental environment was utilized, with the only difference being the post-attendee URL that was set to redirect webinar participants to a download link for a .jpg file. In both instances, every user account that joined the webinar via clicking on the invitation link that was emailed to each user account after registering for the webinar was redirected to the post-attendee URL regardless of their user account role. These results not only prove that the post-attendee URL can be exploited, but also provide insight as to how this type of attack can be prevented.