Zoom Hardening Guide
š Key Takeaway: Zoom's remote control and accessibility features are active attack vectors. Disable remote control, use browser-based Zoom when possible, deploy PPPC profiles on macOS, and train users to reject unexpected permission requests.
Why Zoom is a target
Zoom's remote control feature allows a participant to request full control of another user's computer once screen sharing is active. Threat actors social-engineer victims into sharing their entire screen, then request remote control to install malware and exfiltrate credentials, private keys, and session tokens.
The most prominent example is ELUSIVE COMET ā a threat actor impersonating investors, journalists, and podcast hosts to lure crypto holders onto Zoom calls, pressure them into full-screen sharing (claiming audio/video issues), then take over their machine via remote control.
If already compromised, see the ELUSIVE COMET incident response playbook.
Immediate hardening steps
Apply these settings in the Zoom web portal. Sign in, click Settings in the left sidebar, then navigate to the Meeting tab.
Required
These mitigations address the specific attack vectors described in the Trail of Bits ELUSIVE COMET research and should be treated as non-negotiable for any organization handling sensitive assets.
- Disable remote control: Settings > Meeting > In Meeting (Basic) > Remote control > OFF
- Disable participant screen sharing (host only): Settings > Meeting > In Meeting (Basic) > Screen sharing > Who can share? > Host Only
- Never grant Zoom accessibility permissions (macOS): If Zoom prompts for accessibility access, deny it. These permissions let remote control interact with your entire system.
- Prefer browser-based Zoom: Join via
zoom.us/joininstead of the desktop client. No remote control capability, no accessibility permissions. - Use SSO/OAuth authentication: Use SSO or OAuth instead of Zoom-native accounts for centralized credential management and MFA.
- Deploy PPPC profiles / revoke TCC permissions (macOS): See macOS mitigations below.
- Remove Zoom desktop client when possible: Uninstall entirely to eliminate the attack surface.
Optional
General Zoom security best practices. These do not directly mitigate the ELUSIVE COMET attack but improve overall meeting security hygiene.
- Enable waiting rooms: Settings > Meeting > Security > Waiting Room > ON
- Require meeting passcodes: Settings > Meeting > Security > Require a passcode when scheduling new meetings > ON
- Disable automatic recording: Settings > Meeting > Recording > Automatic recording > OFF (enable only when explicitly needed)
macOS-specific mitigations
macOS TCC governs per-app accessibility permissions. Trail of Bits published scripts to lock this down:
Revoke existing Zoom accessibility permissions
If Zoom already has accessibility access, revoke it immediately:
# Revoke Zoom's accessibility permissions via tccutil
tccutil reset Accessibility us.zoom.xosVerify removal in System Settings > Privacy & Security > Accessibility ā Zoom should no longer appear or should be toggled off.
Deploy PPPC profiles to block accessibility requests
PPPC profiles block Zoom from receiving accessibility permissions even if a user clicks
"Allow." Deploy fleet-wide via MDM/Jamf or manually via profiles/Apple Configurator.
Complete Zoom uninstallation
All macOS mitigation scripts (PPPC profiles, tccutil, uninstall) are available at: Trail of Bits ā Zoom mitigations
Organizational policies
For teams, DAOs, and organizations handling sensitive assets:
Prefer alternative meeting platforms for sensitive discussions
Use Google Meet, Jitsi, or other browser-native platforms for calls involving treasury operations, key ceremonies, or sensitive governance decisions. These platforms do not have a remote control feature.
Enforce browser-based Zoom when Zoom is required
If a counterparty insists on Zoom, join through the browser (zoom.us/join). The web client
lacks the remote control feature entirely and cannot request accessibility permissions.
Regularly purge the Zoom desktop client
Remove the desktop client where not required. On managed fleets, use MDM to block installation.
Social engineering awareness training
Train all team members on the remote control attack pattern:
- Attacker schedules a Zoom call (often posing as an investor, journalist, or partner).
- Attacker pressures victim to share their entire screen (not just a window).
- Attacker (or a bot named "Zoom") requests remote control access.
- Victim approves the request, and the attacker installs malware.
If a meeting participant asks you to share your screen and then requests remote control, END THE CALL IMMEDIATELY. This is the single most effective defense.
Meeting hygiene policies
- Only the host should share their screen by default.
- Never share your entire screen ā share a specific window if you must.
- Do not join meetings from unknown or unsolicited links without verifying the organizer's identity through a separate channel.
Detection signals
Red flags during a Zoom call that suggest an attack in progress:
| Signal | Why it matters |
|---|---|
| Asked to share your entire screen (not a specific window) | Remote control only works when the full screen is shared |
| A participant named "Zoom" appears in the call | ELUSIVE COMET uses a bot with this display name to send the remote control request |
| A remote control request dialog appears | Legitimate meetings almost never require remote control |
| Urgency pressure: "I can't see/hear you, you need to share your whole screen" | Social engineering tactic to get full-screen access |
| Request from unknown "investors" or "journalists" for a Zoom call | Common ELUSIVE COMET pretext ā verify identity through independent channels before joining |
| Zoom suddenly requests accessibility permissions on macOS | Indicates an attempt to enable remote control capabilities |
Response: Do not approve any request. Leave the call immediately. If compromised, follow the ELUSIVE COMET playbook.
Further reading
- Trail of Bits ā Zoom mitigations (PPPC profiles, tccutil scripts, uninstall scripts)
- ELUSIVE COMET incident response playbook ā what to do if you've already been compromised
- SEAL Advisories ā ongoing threat intelligence for the crypto ecosystem
- Zoom Security Settings documentation