Security researchers working at Microsoft detailed a phishing campaign that uses a strange toolset. The campaign has been dubbed ZooToday and seems to use bits and bobs picked and reused from the corrupted code of other hacking groups.
Microsoft's researchers also are referring to the campaign by the endearing name "Franken-Phish" due to the patchwork nature of the phishing kit employed by the bad actors behind the campaign. The ZooToday campaign uses pieces of code originating from various sources, from misleading kits sold on the Dark Web to phishing kits sold online.
The campaign was spotted using the AwsApps(dot)com domain to dish out the phishing mail. The emails contain links that point to a corrupted Web page that is constructed to mimic the look and design of the legitimate Office 365 login page.
The campaign seems to be low-budget relatively and low-effort, as the domains that the phishing emails come from are using random names and have not been tailored to look like the domains and names used by real companies. ZooToday also uses what is called "zero-point font obfuscation" in its phishing emails. This means there is a font in the email that has been given a font size of zero points, effectively making it invisible using HTML.
The campaign has been going on for a while. Microsoft has traced surges of activity back in April and May of this year, with the old campaigns using fake Microsoft pages as bait to collect passwords. A few months later, in August 2021, the campaign went through another uptick in activity and was this time using Xerox branding in its phishing.
Another peculiarity that the ZooToday phishing campaign exhibits is that the collected credentials, captured through the fake Microsoft 365 login pages set up by the hackers, are not forwarded to other emails immediately. Instead, the ZooToday operators store the collected login information on the site itself. The websites used by the group behind ZooToday were hosted using a cloud storage provider.