Of all Keyloggers analysed by Cofense Intelligence, 40% used a zoho.eu email address to exfiltrate data from infected machines. Zoho-owned domains are enabling roughly 40% of all keylogger data theft where email is the primary exfiltration vehicle. The reason for Zohos domain suspension is unclear, but minimal security actors are overwhelmingly abusing the process of distributing unwanted mail via phishing campaigns. The company had its domain taken down briefly by its registrar, TierraNet, following reports of phishing originating from one of Zoho’s services.”]
Source: https://cofense.com/staggering-amount-stolen-data-heading-zoho-domains/