Office 365 Phishing Campaign Abuses Stolen Amazon SES Token

Stolen access token leveraged in phishing campaign that spoofs brand name email addresses.

A surge in spearphishing emails designed to steal Office 365 credentials include some that were rigged to look like they came from major brands, including Kaspersky.

According to a Kaspersky security bulletin posted Monday, two phishing kits identified as “Iamtheboss” and “MIRCBOOT” are being used together by multiple threat actors to send fake fax notifications.

“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the bulletin.

One phishing campaign tracked by researchers appears to abuse an Amazon service called Amazon Simple Email Service (SES), designed to let developers send email messages from apps. The campaign, identified by Kaspersky, relied on a now-revoked stolen SES token used by a third-party contractor during the testing of the website 2050.earth.


The 2050.earth site is a Kaspersky project that features an interactive map illustrating what futurologists predict to be the future impact of technology on the planet. The stolen SES token is tied to Kaspersky and SES because the 2050.earth site is hosted on the Amazon infrastructure.

“These emails have various sender addresses, including but not limited to noreply@sm.kaspersky.com. They are sent from multiple websites including Amazon Web Services infrastructure,” the security bulletin warned. The company said the stolen SES token was only abused in a limited capacity relative to an otherwise large-scale campaign abusing multiple brands.

It’s unclear what other brands are impacted by the ongoing campaigns and if other non-Kaspersky SES tokens are involved.

The company said the SES token was immediately revoked when it was identified as being stolen and abused.

The theft caused no damage, according to the advisory. “No server compromise, unauthorized database access or any other malicious activity was found at 2050.earth and associated services,” it said.

Amazon SES Token Abuse

Phishing is a common way for cybercriminals to dupe people through socially engineered emails into giving up their credentials to online accounts that can store sensitive data. Phishers use these emails – which sometimes fool people by impersonating a trusted company, application or institution – to direct people to specially crafted phishing sites so they can enter credentials, thinking they’re doing so for a legitimate reason.

Office 365 credentials are a common target for phishing attacks. In March, for example, a phishing scam targeted executives in the insurance and financial services industries with the aim of harvesting their Microsoft 365 credentials and launching business email compromise (BEC) attacks.

Cybercrooks abusing the Amazon SES token are attempting to give their “fax notifications” an appearance of legitimacy by allowing them to identify the sender as “sm.kaspersky.com”.

The Lure: Phony Faxes

The phishing emails typically purport to be “fax notifications” that lure targets to fake websites that harvest credentials for Microsoft’s online services. It’s hardly the first time the old “fax alert” song and dance has been used. In December 2020, Office 365 credentials were likewise under attack by a campaign that used the same email con.

One sample phishing email can be seen below.

Sample of phishing email. Source: Kaspersky.

Analysis showed that the phishing campaigns are relying on a phishing kit that Kaspersky researchers have named “Iamtheboss,” used in conjunction with another phishing kit known as “MIRCBOOT.”

MIRCBOOT Served Up By Turnkey Phishing Platform BulletProofLink

If the name MIRCBOOT sounds familiar, it might be because it was one of the phishing kits that Microsoft recently found when it uncovered a large-scale, well-organized, sophisticated phishing-as-a-service (PhaaS) operation that the criminals called BulletProofLink.

BulletProofLink, a turnkey platform, provides phishing kits, email templates, hosting and other tools that let users customize campaigns and develop their own phishing ploys, so that subscribers get everything needed to launch attacks from a single PhaaS service.

MIRCBOOT and the other phishing kits available on BulletProofLink allow cybercriminal wannabes to set up the websites and purchase the domain names they need to launch phishing campaigns, pretending to be, say, employees of a security firm, as in this case.
