96% of Companies Using Office 365 Show Signs of Active Hacking Entry

A recent analysis of 4 million Office 365 accounts revealed that 96% of companies using Office 365 show signs of active hacker movement within their company network. Office 365 has a security flaw that attackers easily exploit at will. However, there is good news. TocMail's patented technology fully repairs the defect. See TocMail vs Safe Links video below.

Data breaches often begin with an attacker sending a phishing email containing a cloaked link. Cloaked links send benign content to security scanners. In other words, cloaked links only send their malicious content to intended victims. Therefore, when the email is analyzed by the spam filter, the spam filter only sees benign content. In other words, cloaked links only send harmful content after the emails have been approved and delivered.

Traditional cloud-based time-of-click services do not provide effective protection against this attack. Cloaked links easily identify cloud-based time-of-click services. The malicious links simply use the visitor's IP address to do so. Cloud-based link scanners access links from IP addresses that are different from your company's IP address. Even when cloud-based scanners use secret IP addresses, those addresses are still different from your company's IP address. Therefore, it is easy for malicious sites to use the visiting IP address to know when they are being accessed by a security service, or by an intended victim.

In order for this attack to succeed, victims need to be using a cloud-based email security service (with cloud-based IP addresses). In other words, not only do cloud-based time-of-click services not protect against this attack, but these services are the very reason that the attack exists in the first place. Cybersecurity vendors opened companies to this attack in order to sell their cloud-based email security services. Click to enlarge the infographic below.

The cloud-based scanners used by leading cybersecurity vendors are easily bypassed because they all have the same design flaw:

The scanner's last step is to hand control back to the cloaked link. The cloaked link then sends you anywhere it wants. That's how hackers routinely breach companies every single day. In fact, a recent study of 2,313 files on live phishing sites revealed that over 95% of the live phishing sites were using cloaked links. Cloaked links are literally the most-common, most-effective hacking attack; and every company that relies on traditional time-of-click services remains wide open to this most-common attack.

TocMail's founder invented an incredibly elegant solution to this leading cybersecurity problem. When TocMail's scanner deems the final destination to be safe, TocMail sends you straight to the final destination, not to the original link. Therefore, the cloaked link literally cannot take you somewhere else because you do not even connect to it. TocMail calls this solution "PhishViewer."

Traditional cloud-based scanners attempt to validate whether the original email link is safe or not. But TocMail sends you straight to the final destination, and therefore it does not matter if the original link is safe or not, because you do not even connect to it. The following video demonstrates how TocMail's patented PhishViewer solution overcomes the link validation design flaw found in traditional cloud-based scanners.

TocMail is a full-featured email app with PhishViewer security embedded inside.

'TocMail' stands for 'time-of-click mail.' TocMail is the only time-of-click mail capable of defeating the attack that professional hackers use to bypass other cloud-based time-of-click services.

Almost all data breaches begin in the exact same way, and now your company can finally avoid them. Your company can permanently block the vast majority of hacking in minutes, simply by using TocMail to access emails. Our solution to the leading cybersecurity issue is instant to deploy, simple to use, and uniquely effective.


Patented Protection for Attachments & Links - Phishing & Malware

TocMail 1.0 offered unparalleled protection against phishing and malware links in email messages. TocMail 2.0 extends this protection to links in attachments, and also produces malware-free replicas of PDF, Word and Excel attachments as well — 100% guaranteed. With TocMail 2.0, companies now have comprehensive protection for attachments and links, against phishing and malware. Finally, with TocMail 2.0, data breaches are no longer inevitable.

Although TocMail has many features, comprehensive protection is found in the combination of the following three core services:

  • Connecting Straight to Final Destinations
  • Displaying the Owner of Final Destinations
  • TocDocs - 100% malware-free replicas of attachments

Connecting to final destinations is explained in detail above. In this section, you will learn how to use TocMail's other core services to finally keep attackers from breaching your company's network.

Final Destination Owner ID

Traditional security focuses on the identity of the original email link. TocMail is different. TocMail shows the identity of the owner of the final destination. And if the owner is who you expect, TocMail takes you straight to the final destination so that you arrive at a site that is under the control of the approved owner. This combination works together as follows:

  • Final Destination is Safe: If the final destination is safe then TocMail sends you straight there (so that the hacker's original link cannot send you anywhere else).
  • Final Destination is Indeterminate: If the final destination's safety is indeterminate, TocMail shows you the name of the owner of the final destination. If the owner is who you expect then click "Proceed" to go straight there. Otherwise, you can delete the email and you were kept safe.

For example, PayPal is one of the most common sites that hacker's duplicate. Here's how TocMail's two-step process puts an end to this:

  • If the hacker's link sends TocMail's scanner to then you will be sent directly to — keeping you safe.
  • If the hacker's link sends TocMail to an indeterminate final destination then you will be shown the owner of that destination. Since the owner will not be "Paypal," you will know to delete the email — keeping you safe.

The following video shows how you can be safe, regardless of what the attacker's link decides.

No matter what the attacker's link decides to do, you can be safe every single time. Simply delete any emails where the owner of the final destination isn't who you expect. With TocMail, you never need to fear clicking email links again.


The vast majority of malware and phishing content is distributed through malicious links in email messages. However, some malware and phishing content is still delivered via attachments. With the release of TocMail 2.0, TocMail now protects against this attack vector as well.

When attackers deliver malware and phishing content via attachments, they typically use a PDF, Word, or Excel document to do so. TocMail now offers TocDocs to completely eliminate this attack vector. When you open a PDF, Word, or Excel document from an untrusted sender, TocMail displays an HTML replica of the document (not the document itself). This replica contains zero programming code, and zero macro code contained in the original document. By stripping the document of all its programming code, the resulting TocDoc is guaranteed to be 100% malware free.

The TocDocs also wrap the email links in these documents with TocMail's patented link protection - preventing attackers from using links in attachments to deliver phishing content as well.

The combination of TocMail's features provides full protection from phishing and malware, in attachments and links in email messages. Rampant data breaches are finally not inevitable. Simply read your emails through TocMail, and your company will have protection that cannot be found anywhere else.


PhishViewer Security Simply by Reading Your Emails with Our App

TocMail 2.0 introduced our new infrastructure based on Logical Server Units. Every company is assigned its own Logical Server Unit that is based on the email domain name. Each Logical Server Unit is determined by changing each '.' to '-' and adding to the end. For example, the Logical Server Unit for is The Logical Server Unit for is

When you sign up for TocMail, TocMail creates a separate TocMail instance located at your Logical Server Unit address. You will be notified by email when your server instance is available. Then your company accesses its TocMail service directly from that address. Each Logical Server Unit also serves as a webapp, for instant integration with mobile devices.

TocMail currently costs only $3 per email address per month for business accounts, and $5 per month for individual accounts. TocMail does offer a free 30-day trial for individual accounts via FastMail. Simply create a free 30-day trial account at FastMail. Then login to your FastMail account at the FastMail Logical Server Unit address:

Company's can sign up for a free 30-day trial of their own Logical Server Unit. The 30-day trial can be used by every employee without restriction.


Corporate Address

For immediate assistance, please visit our support center to submit a ticket. For all other inquiries, contact our corporate office below.

TocMail Inc.

3901 NW 79th Ave

Suite 245 #873

Miami, FL 33166



Security and Privacy by Design

TocMail Privacy Policy

TocMail Inc. considers your privacy equally important to your security.

TocMail's core email functionality is built upon the open-source RoundCube platform. This secure email platform has been commercially stable for over a decade, and millions of users currently access their email through RoundCube. To the best of our knowledge, RoundCube doesn't transmit any tracking information to outside third parties.

TocMail's webapp stores the following in our company's internal databases: the IP address of your first login, the IP address of your last login, first login time, last login time, and number of failed logins. We use this information to protect your account against others who may try to access your account.

Caching of your email contents by the TocMail app is done in a secure manner. All caching is done by our proprietary Turbo TocSwitch (which enables our webmail to provide access speeds comparable to native apps). In-memory caching persists for as long as the Turbo TocSwitch is operational; however, in-memory caching is quite secure. On-disk caching is temporarily used for outbound messages. Outbound caches are deleted the moment emails are delivered, resulting in most caching lasting a fraction of a second. Companies that require additional compliance or security measures can take advantage of our Bring Your Own Server program, allowing them to operate TocMail servers on-site in any manner they choose.

Each time a new user signs up, they will be required to complete a Google Captcha. Also, a Google Captcha is required the first time that a new user logs in. This is necessary to protect our users against automated bots. See Google's privacy policy for updated information on how they handle the information collected. Please note that additional captchas are not required after a user has successfully authenticated themselves.

Our company hasn't added any cookies or tracking to our website. However, our website has been constructed using a CSS framework developed by W3Schools. It's possible for this third party to know when you access this site as its resources are downloaded to your browser.

TocChat Privacy Policy

TocMail Inc. only retains your phone number for identity verification purposes when logging into TocChat. We do not sell nor use your phone number for any other reason.

TocChat uses SendBird's messaging infrastructure. SendBird stores the chat exchanges until the respective channels are deleted. In the near future, TocChat will be offering total encryption (both end-to-end and at-rest). With the release of this version, neither SendBird nor TocMail Inc. will have access to any unencrypted forms of your transmissions thereby guaranteeing complete privacy in all respects.