Microsoft last week finally got around to telling Microsoft 365 users about a phishing campaign that has been targeting them since December 2020. The kit behind it, which Microsoft calls TodayZoo, is stitched together from pieces of other phishing kits readily available on the Internet, hence the term “Franken-phish.”
“Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones,” said the announcement from the Microsoft threat intelligence team. “The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.”
There was no reason given for delaying the announcement for almost a year.
Phishing has evolved into a profitable, reliable and efficient service-based economy. Attackers rent what they need from phishing-as-a-service (PhaaS) providers, who do the heavy lifting of designing the tools and identifying victims. Alternatively, attackers can buy a one-time, plug-and-play phishing-kit license and run the campaign themselves, without needing to know how to code or maintain the tools.
“We believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with its own exfiltration logic to make TodayZoo solely for their nefarious purposes,” the announcement explained.
The team acknowledged that it first found the TodayZoo phishing kit last December, and large email campaigns using it are still ongoing. The team said customers of Microsoft Defender for Office 365 were protected. Note that Defender for Office 365 is the paid email-filtering add-on for Microsoft 365 tenants, not the free Microsoft Defender Antivirus built into Windows 10; the two are often conflated. As with any single mail filter, it should not be the only control: user awareness and endpoint protection are still needed to catch what slips through.
The emails are fairly sophisticated in their design, and clicking the link sends the victim to an equally authentic-looking Microsoft 365 “sign-in” page. Potential victims can still spot the fakes by checking the sender’s domain name: the mail never actually comes from a Microsoft domain, and the URL a user lands on after clicking the email link is never a Microsoft domain either, however much the path or subdomain may be dressed up to look like one.
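The sender-domain and link-host check described above, written out as an added example (this is not code from the article or from Microsoft): it parses a Microsoft-themed email, extracts the From and Return-Path domains and every link host in the HTML body, and flags anything whose registrable domain is not one of a small set of Microsoft domains. The two sample messages, the example-invalid.test lookalike domain and the MICROSOFT_DOMAINS list are all constructed for illustration; tune the list to your own tenant.

```python
"""Flag Microsoft-themed mail whose sender or link domains are not Microsoft's.

Added example, not code from the article or from Microsoft. The messages,
the lookalike domain and the domain allowlist below are constructed/assumed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of registrable domains Microsoft uses for 365 sign-in and
# account mail. Adjust for your environment; this is illustrative, not exhaustive.
MICROSOFT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "live.com", "office.com",
    "office365.com", "outlook.com", "windows.net",
}

# Constructed lure: spoofed display name, real domain in a .test TLD, and a link
# whose *subdomain* reads "login.microsoftonline.com" to fool a casual glance.
SAMPLE_EMAIL = b"""From: "Microsoft 365 Security" <alerts@example-invalid.test>
Return-Path: <bounce@example-invalid.test>
To: victim@contoso.example
Subject: Your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Microsoft 365 needs you to confirm your password.</p>
<a href="https://login.microsoftonline.com.example-invalid.test/reset">Keep my password</a>
</body></html>
"""

# Constructed benign counterpart: branding, sender and link all agree.
LEGIT_EMAIL = b"""From: "Microsoft account team" <no-reply@microsoft.com>
Return-Path: <bounce@microsoft.com>
To: victim@contoso.example
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>Review recent activity on your Microsoft account.</p>
<a href="https://login.microsoftonline.com/">Review activity</a>
</body></html>
"""


def registrable_domain(host):
    """Naive eTLD+1: last two labels. Production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_microsoft_domain(host):
    return registrable_domain(host) in MICROSOFT_DOMAINS


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def analyze(raw):
    """Return findings that contradict the mail's Microsoft branding; empty list if none."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    # Only apply the rule to mail that presents itself as Microsoft.
    haystack = f"{display_name} {subject} {body}".lower()
    if not any(k in haystack for k in ("microsoft", "office 365", "office365")):
        return []

    findings = []
    for label, addr in (("From", sender), ("Return-Path", return_path)):
        domain = addr.rpartition("@")[2]
        if domain and not is_microsoft_domain(domain):
            findings.append(f"{label} domain {domain!r} is not a Microsoft domain")

    extractor = LinkExtractor()
    extractor.feed(body)
    for href in extractor.hrefs:
        host = urlparse(href).hostname or ""
        if not is_microsoft_domain(host):
            findings.append(f"link host {host!r} is not a Microsoft domain")
    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE_EMAIL", SAMPLE_EMAIL), ("LEGIT_EMAIL", LEGIT_EMAIL)):
        print(name, analyze(raw) or "no findings")
```

The check deliberately compares the registrable domain rather than the full hostname, because the lure's link host starts with “login.microsoftonline.com” and only the trailing labels reveal that it belongs to someone else. A display-name match alone is never trusted: the From address, the Return-Path and every link host each have to resolve to a Microsoft domain before the mail is considered consistent with its branding.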
The landing page is often hosted on infrastructure from New York-based DigitalOcean. As with any self-service hosting provider, the company does not inspect what customers deploy up front, so fraudulent pages typically stay up until someone files an abuse report and the provider acts on it.