FBI and CISA issue videoconferencing hijacking guidance
A joint FBI and CISA advisory on April 2, 2020 warned organizations to harden videoconferencing settings after hijacking incidents, recommending passwords, waiting rooms, and restricted sharing to protect remote classes and meetings.
Reviewed for accuracy by Kodi C.
At a glance
Following a dramatic increase in disrupted remote classes and business meetings during the COVID-19 pandemic, the FBI and CISA issued joint guidance on addressing videoconferencing security. The advisory provides detailed recommendations for administrators to configure meeting controls, implement user hygiene practices, and establish incident reporting procedures to protect organizations from harassment, data exposure, and operational disruption during pandemic-driven telework.
Emerging threat environment
The rapid shift to remote operations created unprecedented videoconferencing security challenges:
- "Zoom-bombing" incidents: Unauthorized individuals joining meetings to display offensive content, disrupt proceedings, or harass participants became widespread as meeting links were shared publicly or easily guessed.
- Educational impact: Virtual classrooms faced particular targeting, with K-12 and higher education institutions reporting disruptions that exposed students to inappropriate content.
- Corporate espionage risk: Unsecured business meetings potentially exposed confidential discussions, strategic planning, and proprietary information to competitors or adversaries.
- Regulatory exposure: Healthcare providers conducting telehealth sessions and attorneys conducting privileged communications faced compliance risks from meeting compromises.
Attack Vector Analysis
Threat actors employed multiple methods to compromise videoconferences:
- Public link discovery: Meeting links posted on public websites, social media, or course management systems provided direct access to unprotected sessions.
- Meeting ID enumeration: Attackers systematically tested meeting ID numbers to find active sessions without passwords.
- Social engineering: Pretexting to obtain meeting credentials from participants or administrators.
- Credential sharing: Authorized participants sharing links or credentials with unauthorized individuals, sometimes inadvertently.
- Platform vulnerabilities: Some disruptions exploited platform-specific security weaknesses rather than configuration gaps.
Recommended Security Controls
The FBI and CISA guidance emphasizes multiple defensive measures:
- Meeting passwords: Require passwords for all meetings and distribute credentials through secure channels rather than in the meeting URL.
- Waiting rooms: Enable waiting room features allowing hosts to screen and admit participants individually.
- Screen sharing restrictions: Limit screen sharing capability to hosts or designated co-hosts to prevent unauthorized content display.
- Participant controls: Disable participant renaming, mute capabilities, and chat features that can be abused for disruption.
- Meeting locks: Lock meetings after expected participants join to prevent late unauthorized entry.
- Authenticated users: Require participants to authenticate with registered accounts rather than joining anonymously.
Administrative Configuration Recommendations
IT administrators should implement organization-wide policy controls:
- Tenant-level defaults: Configure platform administrative settings to enforce passwords, waiting rooms, and restricted sharing by default across all users.
- Feature restrictions: Disable file transfer, annotation, and recording capabilities for users who do not require them.
- Domain restrictions: Limit meeting participation to users from approved email domains where appropriate.
- Recording controls: Restrict cloud recording capabilities and implement access controls for stored recordings.
- Integration security: Review and restrict third-party application integrations with videoconferencing platforms.
User Training and Awareness
End-user behavior significantly impacts meeting security:
- Link handling: Train users not to post meeting links publicly and to use calendar invitations or secure messaging for distribution.
- Host responsibilities: Educate meeting hosts on their security control options and how to respond to disruptions.
- Participant awareness: Help participants recognize and report suspicious attendees or unexpected behavior.
- Recording consent: Establish clear policies and communication about meeting recording and consent requirements.
- Environmental security: Remind users about background visibility, screen sharing risks, and family member access to work meetings.
Incident Response Procedures
Organizations should establish processes for handling meeting disruptions:
- Immediate actions: Train hosts to remove disruptive participants, lock meetings, end sessions if necessary, and preserve evidence.
- Evidence collection: Capture screenshots, chat logs, participant lists with timestamps, and meeting recordings for investigation.
- Reporting channels: Establish internal reporting procedures and awareness of external reporting to FBI field offices or IC3.
- Post-incident analysis: Review security settings after incidents to identify and address configuration gaps.
- Communication templates: Prepare notifications for participants when meetings are compromised, particularly if sensitive information was exposed.
Regulatory and Compliance Considerations
Meeting compromises can trigger compliance obligations:
- HIPAA: Healthcare providers must assess whether protected health information was exposed during compromised telehealth sessions.
- FERPA: Educational institutions face obligations regarding student information exposed in compromised virtual classrooms.
- Attorney-client privilege: Law firms must evaluate privilege waiver implications of compromised confidential communications.
- Financial regulations: Broker-dealers and advisors face recordkeeping and client protection obligations for virtual client meetings.
- Board meetings: Corporate governance requirements may affect how board meetings are conducted and secured virtually.
Platform-Specific Guidance
Security controls vary across videoconferencing platforms:
- Zoom: Enable waiting rooms, require passwords, restrict screen sharing to hosts, disable join before host.
- Microsoft Teams: Configure meeting policies, enable lobby, restrict anonymous joins, manage external access.
- Webex: Set default meeting templates, enable lobby, configure participant privileges, manage host keys.
- Google Meet: Control who can join meetings, manage host controls, configure organizational settings.
Review platform documentation for specific setup guidance.
Monitoring and Detection
Implement capabilities to detect potential meeting compromises:
- Monitor for meetings with high numbers of anonymous or unregistered participants
- Alert on meetings without passwords enabled for external-facing sessions
- Track meeting settings changes that reduce security controls
- Review recordings for evidence of prior compromises
- Correlate meeting activity with network anomalies
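The first three checks above, sketched as detection logic over meeting audit records. This is an added example, not code from the advisory or from any platform: the record layout, setting names, and both thresholds are assumptions, and the log lines are constructed.

```python
import json

# Secure value for each control named in the guidance (setting names are hypothetical).
SECURE_VALUE = {
    "password_required": True,
    "waiting_room": True,
    "join_before_host": False,
    "participant_screen_share": False,
}
ANON_RATIO_THRESHOLD = 0.5  # assumed tuning value
MIN_PARTICIPANTS = 4        # assumed: skip the ratio check for very small meetings

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """\
{"type": "meeting", "id": "m-101", "external": true, "password_required": false, "participants": [true, true, true]}
{"type": "meeting", "id": "m-102", "external": true, "password_required": true, "participants": [true, false, false, false, false]}
{"type": "meeting", "id": "m-103", "external": false, "password_required": false, "participants": [true, true]}
{"type": "settings_change", "id": "m-104", "setting": "waiting_room", "old": true, "new": false}
{"type": "settings_change", "id": "m-104", "setting": "join_before_host", "old": true, "new": false}
{"type": "settings_change", "id": "m-105", "setting": "virtual_background", "old": false, "new": true}
not-json garbage line
"""

def detect(log_text):
    """Return a list of (meeting_id, alert_name) tuples."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the run
        if not isinstance(rec, dict):
            continue
        if rec.get("type") == "meeting":
            if rec.get("external") and not rec.get("password_required"):
                alerts.append((rec["id"], "external_meeting_without_password"))
            joined = rec.get("participants", [])  # True = joined with an authenticated account
            anon = sum(1 for authed in joined if not authed)
            if len(joined) >= MIN_PARTICIPANTS and anon / len(joined) > ANON_RATIO_THRESHOLD:
                alerts.append((rec["id"], "high_anonymous_ratio"))
        elif rec.get("type") == "settings_change":
            secure = SECURE_VALUE.get(rec.get("setting"))
            # Weakening = a tracked control moved away from its secure value.
            if secure is not None and rec.get("old") == secure and rec.get("new") != secure:
                alerts.append((rec["id"], "control_weakened:" + rec["setting"]))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The second m-104 change turns join-before-host off, which moves toward the secure value, so it raises no alert; only changes away from a tracked control's secure value are flagged.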
Long-Term Security Architecture
Incorporate videoconferencing security into broader security programs:
- Include videoconferencing in security awareness training programs
- Add meeting security to incident response playbooks
- Evaluate videoconferencing vendors during procurement using security criteria
- Conduct periodic assessments of meeting security configurations
- Monitor platform vendor security advisories and apply updates promptly
Wrapping up
The FBI and CISA guidance addresses an urgent security gap created by the rapid adoption of videoconferencing during the pandemic. Organizations must implement technical controls, user training, and incident response procedures to protect meetings from disruption and data exposure. The security practices established during this period should become permanent components of enterprise collaboration security as videoconferencing remains central to hybrid work models.
References
- FBI Public Service Announcement: Defending against VTC hijacking — FBI IC3
- Joint guidance on VTC security for COVID-19 telework — CISA
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization