Nov 2, 2021
0 0

Kaspersky's stolen Amazon SES token used in Office 365 phishing

Written by

Microsoft: Windows KB5006674, KB5006670 updates break printing
Microsoft: Windows web content filtering now generally available
Hive ransomware now encrypts Linux and FreeBSD systems
Police arrest hackers behind over 1,800 ransomware attacks
Microsoft 365 outage blocks access to OneDrive, SharePoint files
Microsoft announces new endpoint security solution for SMBs
Microsoft Edge for Linux out of beta, now generally available
macOS Monterey update causes some Macs to become unbootable
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Kaspersky's stolen Amazon SES token used in Office 365 phishing
Kaspersky said today that a legitimate Amazon Simple Email Service (SES) token issued to a third-party contractor was recently used by threat actors behind a spear-phishing campaign targeting Office 365 users.
Amazon SES is a scalable email service designed to allow developers to send emails from any app for various use cases, including marketing and mass email communications.
Kaspersky security experts linked the phishing attempts to multiple cybercriminals who used two phishing kits in this campaign, one known as Iamtheboss and another named MIRCBOOT.
“This access token was issued to a third party contractor during the testing of the website,” Kaspersky explained in an advisory issued today, the first of its kind issued by the Russian cybersecurity firm in the last six years.
“The site is also hosted in Amazon infrastructure. Upon discovery of these phishing attacks, the SES token was immediately revoked.
“No server compromise, unauthorized database access or any other malicious activity was found at and associated services.”
The threat actors did not attempt to impersonate Kaspersky and decided to camouflage their phishing messages as missed fax notifications, redirecting potential victims to phishing landing pages designed to harvest their Microsoft credentials.
However, they used an official Kaspersky email and sent the emails from Amazon Web Services infrastructure, which likely helped them reach their targets mailboxes by easily evading most Secure Email Gateway (SEGs) protections.
“The phishing e-mails are usually arriving in the form of ‘Fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” Kaspersky added.
“These emails have various sender addresses, including but not limited to”
Kaspersky encourages users and those targeted in these spear-phishing attacks to be cautious and remain vigilant even when asked for their credentials or other sensitive information, even if the messages asking for such info seem to come from familiar brands or email addresses
You can find detailed information on checking the sender’s identity using the email headers on Kaspersky’s blog.
In related news, Microsoft also warned in August of a highly evasive spear-phishing campaign targeting Office 365 customers in multiple waves since July 2020.
The company also said in March that attackers behind a large-scale phishing operation stole roughly 400,000 OWA and Office 365 credentials since December 2020.
Microsoft Defender ATP subscribers were also alerted in late January of an increasing number of consent phishing (aka OAuth phishing) attacks targeting remote workers.
Microsoft 365 will get support for custom ARC configurations
Microsoft: Iran-linked hackers target US defense tech companies
Office 365 to let admins block Active Content on Trusted Docs
Snake malware biting hard on 50 apps for only $25
Microsoft 365 will get enhanced insider risk management tools
Not a member yet? Register Now
Microsoft Defender for Windows is getting a massive overhaul
Microsoft warns of rise in password sprays targeting cloud accounts
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


Article Categories:
Cybersecurity News

Comments are closed.