Office 365 Phishing Campaign Abuses Stolen Amazon SES Token
A surge in spearphishing emails designed to steal Office 365 credentials includes some that were rigged to look like they came from major brands, including Kaspersky.
According to a Kaspersky security bulletin, two phishing kits identified as “Iamtheboss” and “MIRCBOOT” are being used together by multiple threat actors to send fake fax notifications.
“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the bulletin.
One phishing campaign tracked by researchers appears to abuse an Amazon service called Amazon Simple Email Service (SES), designed to let developers send email messages from apps. The campaign, identified by Kaspersky, relied on a now-revoked stolen SES token that had been used by a third-party contractor during the testing of the website 2050.earth.
The 2050.earth site is a Kaspersky project that features an interactive map illustrating what futurologists predict to be the future impact of technology on the planet. The stolen SES token is tied to Kaspersky and SES because the 2050.earth site is hosted on the Amazon infrastructure.
“These emails have various sender addresses, including but not limited to noreply@sm.kaspersky.com. They are sent from multiple websites including Amazon Web Services infrastructure,” the security bulletin warned. The company said the stolen SES token was only abused in a limited capacity relative to an otherwise large-scale campaign abusing multiple brands.
The theft caused no damage, according to the advisory. “No server compromise, unauthorized database access or any other malicious activity was found at 2050.earth and associated services,” it said.
Cybercrooks abusing the Amazon SES token are attempting to give their “fax notifications” an appearance of legitimacy by allowing them to identify the sender as “sm.kaspersky.com”.
Security Awareness Training is the means by which organizations teach users how to stay in that ever-vigilant mode when interacting with email and the web. By doing so, instead of taking everything at face value and believing it by default, users interact with unfamiliar content like this in a far more scrutinizing manner and are less likely to become victims.
With thanks to the Cyber Defence Alliance and Threatpost. The full story is here: https://threatpost.com/office-365-phishing-campaign-kasperskys-amazon-ses-token/175915/
Free Phish Alert Button
Do your users know what to do when they receive a phishing email? KnowBe4’s Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user’s inbox to prevent future exposure. All with just one click!
Here’s how it works, and what Phish Alert offers:
- Reinforces your organization’s security culture
- Users can report suspicious emails with just one click
- Incident Response gets early phishing alerts from users, creating a network of “sensors”
- Email is deleted from the user’s inbox to prevent future exposure
- Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/free-phish-alert-partner?partnerid=001a000001lWEoJAAW