Report: Zoho’s domain regularly exploited to move keylogger data

Keyloggers often use email, rather than C2 servers, to exfiltrate data. Cofense says a huge chunk of that is done using Zoho servers.
Flickr / Julian B

After a messy domain takedown last week in response to phishing complaints, new research suggests that an Indian IT company’s domain is being exploited to exfiltrate the bulk of keylogger data collected by malicious programs.

Zoho, an Indian company that provides office tools and IT management platforms, had its domain taken down temporarily last week as a result of complaints about phishing abuse. Domain registrar TierraNet told ZDNet that it took down the domain after repeatedly asking Zoho to mitigate the phishing issues.

Zoho’s domain has since been brought back online, but anyone using Zoho was out of luck while it was down.

A report released Tuesday by Cofense, a company that provides phishing protection services, suggests that the complaints of abuse were not unfounded. Cofense says that, based on an analysis of keylogger data theft where email is used for to exfiltrate the data, domains owned by Zoho account for moving more than 40 percent of stolen data.


A keylogger is a type of malware that can capture data such as keystrokes, audio, video and clipboard information from an infected machine.

The researchers explain that, once a keylogger has established presence on target’s system, the data has to go somewhere. Rather than using a command and control server, an attacker can use a compromised email account or one that was especially created for the exfiltration. They can also abuse misconfigured email SMTP servers to send the data through. Using these methods can be stealthier than using a web server.

Cofense says it analyzed two popular keyloggers, Agent Tesla and Hawkeye, to see how hackers using these programs are exfiltrating captured data. According to the report, 68 percent of the data with these two keyloggers is sent via email. Within the email category, Zoho domains ( and lead the pack with 41 percent.

Other domains are abused as well, but Zoho leads the pack, according to the report. Cofense reports that Gmail accounts for 5 percent and Outlook accounts for 1 percent.

Cofense says that the security practices that a software company requires of its users can be a factor for whether hackers will want to abuse its products.


“The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements – optional [two-factor authentication](not enforced), activity monitoring, etc. – combine with user susceptibility to create fertile ground,” the researchers write.

UPDATE, Oct. 5, 2018 at 4:38 p.m. EDT: 

Zoho CEO Sridhar Vembu issued a statement following the Cofense research, saying that the company is “clamping down” on malicious activity on its domain.

With rapid growth and “generous free accounts” has come phishing as an unintended byproduct, Vembu said. In response, the CEO said Zoho will keep a closer eye on free accounts, mandate two-factor authentication via mobile numbers for all accounts and blocking users with “suspicious login patterns.” The company is also working toward a “solid DMARC policy,” meaning it will protect against attempts to spoof domains via email.

“There are other heuristic methods and algorithms we are exploring and testing before we deploy at scale that we will not discuss in any detail, for all the right reasons,” Vembu said.

Latest Podcasts