IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Office 365 phishing campaign used stolen Kaspersky Amazon SES token to fool victims

Credentials stolen from users after legitimate-looking email arrives in inboxes

IT security firm Kaspersky has warned users that a new phishing campaign is using one of its stolen Amazon Simple Email Service (SES) tokens to make emails appear legitimate.

In an advisory issued on Monday, the firm said it saw a huge increase in spear-phishing emails designed to steal Office 365 credentials. The advisory added that this campaign relies on a phishing kit researchers named “Iamtheboss” used in conjunction with another phishing kit known as “MIRCBOOT.”

“The activity may be associated with multiple cybercriminals. The phishing e-mails are usually arriving in the form of “Fax notifications” and lure users to fake websites collecting credentials for Microsoft online services,” the advisory stated. “These emails have various sender addresses, including but not limited to noreply@sm.kaspersky.com. They are sent from multiple websites including Amazon Web Services infrastructure.”

In investigations, Kaspersky researchers determined some emails were sent using Amazon’s Simple Email Service (SES) and legitimate SES token. Amazon Simple Email Service (SES) is an email service that enables developers to send mail from within any application. 

They said that this access token was issued to a third-party contractor during the testing of the website 2050.earth. The site is also hosted in Amazon infrastructure. 

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

“Upon discovery of these phishing attacks, the SES token was immediately revoked. No server compromise, unauthorized database access, or any other malicious activity was found at 2050.earth and associated services,” said the advisory.

The advisory encouraged users to execute caution and be vigilant even if the email seems to come from a familiar brand or email address.

MIRCBOOT is a phishing kit recently discovered by researchers at Microsoft as part of a large-scale phishing-as-a-service operation known as BulletProofLink. This follows the software-as-a-service model, which requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution.

Earlier this month, a Russian cyber crime group was targeting the financial sector with malware delivered by Microsoft Office macros. The attack used phishing emails to mount the first phase of its attack, using an Excel document that uses a macro. 

Last month, hackers spoofed Zix to steal Office 365, Google Workspace, and Microsoft Exchange data. Security researchers from Armorblox said the attack affected around 75,000 users, with small groups of cross-departmental employees targeted in each customer environment.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Is Kaspersky still safe to use?
cyber security

Is Kaspersky still safe to use?

1 Apr 2022
Germany advises against using Kaspersky software due to hacking risk
cyber security

Germany advises against using Kaspersky software due to hacking risk

16 Mar 2022
The IT Pro Products of the Year 2021: The year’s best hardware and software
Hardware

The IT Pro Products of the Year 2021: The year’s best hardware and software

31 Dec 2021
Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022