TodayZoo Phishing kit designed to attack Office365

Posted: Thursday, October 28, 2021

Author: Mark Risidore

Microsoft has released a blog making the public aware of a new threat to Office365. A phishing kit has been built using an array of code copied from multiple other kits. Finally combining this code to target Office365 users and releasing it for general use.

This ‘Phish kit’, named TodayZoo, focuses on the imitation of a safe or trustworthy appearing email, to then harvest the credentials of the recipients. Once an email link has been clicked, they direct users to a spoof landing page that will randomly generate domains to avoid detection.

The email campaigns mostly mimic Microsoft itself, informing users of a new awaiting message or the urgent need to reset their password. These emails are simple yet effective in their goal to prompt users to click the suggested links.


Sample email

Source: Microsoft -Security Blog

What you need to do

As we continue to see a rise in sophisticated attacks on users, Microsoft is continuing to evolve and expand how they protect end-users from such threats.

Microsoft tracks unique phishing kits, phishing services, and other components used in phishing to better protect customers from malicious emails at a larger scale. Having this level of tracking also allows them to better protect customers by knowing what kind of phishing components are currently circulating, directed both at businesses and the public.

Organisations can configure the recommended settings in Microsoft Defender for Office 365, such as applying Anti-Phishing, Safe Links, and Safe Attachments policies. These ensure real-time protection by scanning at the time of delivery and at the time of click.

Utilize’ email filtering service also tracks and blocks suspicious links and, as always, securing Office 365 accounts using Multi-Factor Authentication (MFA) is an absolute necessity for all customers. MFA would help ensure that any compromised credentials don’t result in breached accounts if users accidentally enter their details into the spoofed website.

We have seen an increase in breaches within businesses that have not yet implemented MFA, which brings with it a costly journey to both resolve the breach and then implement measures to ensure it doesn’t happen again.

Recently we worked with a manufacturing company whose credentials were breached. They were locked out of their own accounts and data was encrypted for 3-5 days whilst we were asked to clean up and re-build 75 PCs and restore their data. The cost to them was more than £50k alone in “downtime” and £30k in lost orders.

These breaches also have damaging implications on a business’s reputation and their relationship with clients as attackers can then access said business’s data and start their phishing journey on a new pool of unsuspecting victims.

If you have any questions or concerns about your configuration or any of the products or security services you run, please reach out to our service team at or your Utilize Account Director.


To find out more about TodayZoo and how Microsoft detected this and the security measures you should implement, click here:

Double down on security by attending our Cyber Security Free Webinar, which explains the threat that cyber-attacks could place on your business. Topics covered include Cyber Essentials, the Dark Web and Phishing attacks. Find out more here:

Our web site uses cookies, including Google Analytics cookies, to better understand how you use our site. Read our Cookie Policy for more information including Google Options. By using our web site you accept our use of cookies as detailed in our Cookie Policy.