Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built using pieces of code copied from other hackers’ work.
A “phishing kit” is the various software or services designed to facilitate phishing attacks. In this case, the kit has been called ZooToday by Microsoft after some text used by the kit. Microsoft also described it as a ‘Franken-Phish’ because it is made up of different elements, some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.
Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page.
Microsoft says the attackers have been creating malicious AWS WorkMail accounts “at scale” but are just using randomly generated domain names instead of names that would represent a legitimate company. In other words, it’s a crude phishing product likely made on a thin budget, but large enough to be noticeable.
It caught Microsoft’s attention because it impersonated Microsoft’s brand and used a technique called “zero-point font obfuscation” –