On October 24th 2021, Microsoft revealed an extensive series of credential phishing campaigns that take advantage of a phishing kit assembled from components of other phishing kits, whose only goal is to acquire user login information.
The use of the TodayZoo phishing kit was initially seen in December 2020. Then, in March 2021, it was observed that a series of phishing campaigns abused the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages.
How it works
TodayZoo used an email lure to begin its attack chain. The email message itself was relatively simple. It impersonated Microsoft and leveraged a zero-point font obfuscation technique in an attempt to evade detection. The social engineering lures in the message body changed over the months: campaigns in April and May used password resets, while the more recent campaigns leveraged fax and scanner notifications. Regardless of the lure, what remained consistent was the attack chain, which consisted of initial and secondary redirectors, a final landing page and a credential harvesting page.
The initial and secondary URLs are either sites created by the attacker or compromised sites, and they serve as redirectors that funnel the large set of URLs used in the emails to the final landing page where the phishing kit is hosted. The initial URL uses infinite subdomains, a technique that allows attackers to use a unique URL for each recipient while only purchasing or compromising one domain. The initial URL was also malformed, with multiple forward slashes at the demarcation of the path, and it carried the secondary URL encoded together with the recipient's email address. In almost every instance of the TodayZoo-based campaign we've seen, the final landing page bears a few tangible differences from a standard Microsoft 365 sign-in page.
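The redirector traits just described (per-recipient subdomain stacks, extra slashes at the start of the path, a nested secondary URL, an embedded recipient address) can be turned into a simple mail-filter heuristic. The following is an added example, not CIRT or Microsoft code; the domains, query parameter names and sample email body are constructed, and the label threshold is an assumption to tune per environment.

```python
"""Heuristic scan of e-mail URLs for the TodayZoo redirector traits (added example, constructed samples)."""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
SCHEME_RE = re.compile(r"https?://", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def _b64(value: str) -> str:
    try:  # best-effort base64 decode of a query value; empty string if it is not base64
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode("utf-8", "ignore")
    except ValueError:
        return ""

def analyze_url(url: str, max_host_labels: int = 4) -> dict:
    """Map each redirector indicator to whether it is present in one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Query values, percent-decoded and also base64-decoded, may hide the secondary URL.
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values += [_b64(v) for v in values]
    decoded = unquote(url) + " " + " ".join(values)
    return {
        # "infinite subdomains": a per-recipient label stack on one registered domain
        "deep_subdomain": host.count(".") + 1 > max_host_labels,
        # malformed path demarcation: two or more slashes straight after the host
        "multi_slash_path": parts.path.startswith("//"),
        # a second http(s) URL carried inside the first (plain, percent- or base64-encoded)
        "nested_url": len(SCHEME_RE.findall(decoded)) >= 2,
        # the recipient's address travelling along with the redirect
        "embedded_email": EMAIL_RE.search(decoded) is not None,
    }

def is_suspicious(url: str, min_hits: int = 2) -> bool:
    """Any one trait occurs in benign links; two or more together match the described chain."""
    return sum(analyze_url(url).values()) >= min_hits

def scan_text(text: str) -> list:
    """Return the URLs in an e-mail body that look like TodayZoo-style redirectors."""
    return [u for u in URL_RE.findall(text) if is_suspicious(u)]

NESTED = "https://login.example-phish.net/auth?e=alice@corp.example"  # constructed secondary URL
SAMPLE_BODY = (  # constructed e-mail body: two redirector links, then an ordinary link
    "Your scanned document is ready.\n"
    "https://q7x2m.p9k1.docs-notify.example-redirector.net///track?u="
    + base64.urlsafe_b64encode(NESTED.encode()).decode().rstrip("=") + "\n"
    "https://z1y2.files.example-redirector.net//go/https%3A%2F%2Fportal.example-phish.net%2Fverify%3Femail%3Dbob%40corp.example\n"
    "https://www.microsoft.com/en-us/security\n"
)
```

Running `scan_text(SAMPLE_BODY)` returns the two redirector links and drops the ordinary one; `analyze_url` on a hit shows which traits fired so an analyst can see why.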
Since phishing attacks depend on human error, there is no definitive prevention method, but there are ways to recognize fake or phishing emails. The Guyana National CIRT recommends that users apply the measures at the following URL to avoid this type of attack: