IT security firm Kaspersky has warned users that a new phishing campaign is using one of its stolen Amazon Simple Email Service (SES) tokens to make emails appear legitimate.
In an advisory issued on Monday, the firm said it saw a huge increase in spear-phishing emails designed to steal Office 365 credentials. The advisory added that this campaign relies on a phishing kit researchers named “Iamtheboss” used in conjunction with another phishing kit known as “MIRCBOOT.”
“The activity may be associated with multiple cybercriminals. The phishing e-mails are usually arriving in the form of “Fax notifications” and lure users to fake websites collecting credentials for Microsoft online services,” the advisory stated. “These emails have various sender addresses, including but not limited to noreply@sm.kaspersky.com. They are sent from multiple websites including Amazon Web Services infrastructure.”
In investigations, Kaspersky researchers determined some emails were sent using Amazon’s Simple Email Service (SES) and legitimate SES token. Amazon Simple Email Service (SES) is an email service that enables developers to send mail from within any application.
They said that this access token was issued to a third-party contractor during the testing of the website 2050.earth. The site is also hosted in Amazon infrastructure.
RELATED RESOURCE
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email security
“Upon discovery of these phishing attacks, the SES token was immediately revoked. No server compromise, unauthorized database access, or any other malicious activity was found at 2050.earth and associated services,” said the advisory.
The advisory encouraged users to execute caution and be vigilant even if the email seems to come from a familiar brand or email address.
MIRCBOOT is a phishing kit recently discovered by researchers at Microsoft as part of a large-scale phishing-as-a-service operation known as BulletProofLink. This follows the software-as-a-service model, which requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution.
Earlier this month, a Russian cyber crime group was targeting the financial sector with malware delivered by Microsoft Office macros. The attack used phishing emails to mount the first phase of its attack, using an Excel document that uses a macro.
Last month, hackers spoofed Zix to steal Office 365, Google Workspace, and Microsoft Exchange data. Security researchers from Armorblox said the attack affected around 75,000 users, with small groups of cross-departmental employees targeted in each customer environment.
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Almost half of US organizations still using Kaspersky, researchers claimNews A ban was introduced due to Kaspersky’s supposed links to the Russian government
-
Enterprises are struggling to fill senior cybersecurity roles — and it's causing staff burnout to skyrocketNews Many senior roles take months to fill, creating cumbersome workloads for mid-level staff and increased burnout
-
Kaspersky to shut down US division ahead of sales ban
News The Russian security company will exit the US and cut staff ahead of a government-imposed sales ban
-
Botnets are being sold on the dark web for as little as $99News More than 20 offers for botnets for hire or sale have been discovered on dark web forums and Telegram channels this year
-
Small businesses face continued security threats as trojan attacks surgeNews Cyber attacks on small businesses are still growing at a steady pace
-
Most passwords take a matter of minutes to crack – here’s how you can create strong, hacker-resistant credentialsNews Passwords are still criminally insecure and can be cracked or guessed by hackers with ease, but what precautions can you take to avoid getting breached?
-
Kaspersky hits back at US software ban, citing political motivations and “theoretical concerns”News Kaspersky said it has “repeatedly demonstrated" its independence from any government interference
