Kaspersky's Amazon SES Token Is Used in An Office 365 Phishing Campaign

Kaspersky’s Amazon SES Token Is Used in An Office 365 Phishing Campaign

Spearphishing emails sent from a Kaspersky email account were disguised to seem like they originated from a Kaspersky email address.

Although phishing emails came from sender addresses such as noreply@sm.kaspersky.com, no one from Kaspersky sent them, the security firm stated in a statement on Monday. Rather, Kaspersky’s genuine, albeit stolen, Amazon Simple Email Service (SES) token was used to send the emails.

Amazon SES is a flexible email service that allows developers to send email from any app used for marketing and bulk email communications.

As per Kaspersky’s advisory, “this access token was granted to a third-party contractor during the testing of the website 2050.earth.”

The SES token was promptly revoked after Kaspersky discovered a significant rise in recent Office 365 credential spearphishing operations – attacks that might be emanating from several threat actors. Phishing attempts frequently target Office 365 credentials.

The advisory indicated that the theft caused no damage. There wasn’t any unauthorized database access, server compromise, or any other malicious activity at 2050.earth and related services.

Phishers use these emails to send individuals to carefully constructed phishing sites so they may submit credentials, believing they’re doing so for a genuine cause. They sometimes trick people by imitating a trustworthy organization (like Kaspersky), application, or institution.

The cybercriminals who devised the Kaspersky-themed plan did not try to pass themselves off as Kaspersky personnel. Instead, phishing emails are usually disguised as “fax notices,” leading victims to phony websites that capture Microsoft’s online services credentials. It’s not the first time the old “fax alert” jingle has been received: In December 2020, a campaign that employed the same email con also targeted Office 365 credentials.

The phishing emails from Kaspersky were sent from various ostensibly Kaspersky addresses, and they came from a variety of domains, including Amazon Web Services architecture.

The phishing efforts use a phishing kit called “Iamtheboss” by Kaspersky researchers, which is used in combination with another phishing kit called “MIRCBOOT.”

MIRCBOOT is one of the phishing kits discovered by Microsoft lately as part of a large-scale, well-organized, sophisticated phishing-as-a-service (PhaaS) operation dubbed BulletProofLink by the cybercriminals.


MIRCBOOT and the other phishing kits provided on BulletProofLink allow would-be cybercriminals to build up websites and acquire domain names to begin phishing campaigns, posing as, for example, employees of a security agency.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.