analyzed a phishing campaign aimed at stealing passwords. The campaign relies on a phishing kit that sends emails from the AWS WorkMail domain AwsApps[.]com; the emails contain links to phishing pages that impersonate the Microsoft 365 login page.
A “phishing kit” is a bundle of programs or services designed to make phishing attacks easier to run. In this case, Microsoft named the kit ZooToday after a text string it uses. Microsoft also referred to it as “Franken-Phish” because it is stitched together from various elements, some of which have been put up for sale by publicly known scam sellers and some of which have been reused and repackaged by other kit sellers.
The attackers created malicious AWS WorkMail accounts on a large scale, but used only randomly generated domain names rather than meaningful ones. Microsoft inferred from this that it is a “crude” phishing product, likely built on a budget, yet operated at a scale large enough to get noticed.
The attackers are not only targeting Microsoft 365 accounts. Campaigns in August used Xerox-branded fax and scanner notifications to trick employees into revealing their login credentials.