The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

A surge in spearphishing emails designed to steal Office 365 credentials include some that were rigged to look like they came from major brands, including Kaspersky.

According to a Kaspersky security bulletin posted Monday, two phishing kits identified as “Iamtheboss” and “MIRCBOOT’ are being used together by multiple threat actors to send fake fax notifications.

“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the bulletin.

One phishing campaign tracked by researchers appears to abuse an Amazon service called Amazon Simple Email Service (SES), designed to let developers send email messages from apps. The campaign, identified by Kaspersky, relied on a now-revoked stolen SES token used by a third-party contractor during the testing of the website

The site is a Kaspersky project that features an interactive map illustrating what futurologists predict to be the future impact of technology on the planet. The stolen SES token is tied to Kaspersky and SES because the site is hosted on the Amazon infrastructure.

“These emails have various sender addresses, including but not limited to [email protected]. They are sent from multiple websites including Amazon Web Services infrastructure,” the security bulletin warned. The company said the stolen SES token was only abused in a limited capacity relative to an otherwise large-scale campaign abusing multiple brands.

It’s unclear what other brands are impacted by the ongoing campaigns and if other non-Kaspersky SES tokens are involved.

The company said the SES token was immediately revoked when it was identified as being stolen and abused.

The theft caused no damage, according to the advisory. “No server compromise, unauthorized database access or any other malicious activity was found at and associated services,” it said.

Amazon SES Token Abuse

Phishing is a common way for cybercriminals to dupe people through socially engineered emails into giving up their credentials to online accounts that can store sensitive data. Phishers use these emails – which sometimes fool people by impersonating a trusted company, application or institution – to direct people to specially crafted phishing sites so they can enter credentials, thinking they’re doing so for a legitimate reason.

Office 365 credentials are a common target for phishing attacks. In March, for example, a phishing scam targeted executives in the insurance and financial services industries with the aim of harvesting their Microsoft 365 credentials and launching business email compromise (BEC) attacks.

Cybercrooks abusing the Amazon SES token are attempting to give their “fax notifications” an appearance of legitimacy by allowing them to identify the sender as “”.

The Lure: Phony Faxes

The phishing emails typically purport to be “fax notifications” that lure targets to fake websites that harvest credentials for Microsoft’s online services. It’s hardly the first time the old “fax alert” song and dance has been used. In December 2020, Office 365 credentials were likewise under attack by a campaign that used the same email con.

One sample phishing email can be seen below.

Sample of phishing email. Source: Kaspersky.

Analysis showed that the phishing campaigns are relying on a phishing kit that Kaspersky researchers have named “Iamtheboss,” used in conjunction with another phishing kit known as “MIRCBOOT.”

MIRCBOOT Served Up By Turnkey Phishing Platform BulletProofLink

If the name MIRCBOOT sounds familiar, it might be because it was one of the phishing kits that Microsoft recently found when it uncovered a large-scale, well-organized, sophisticated phishing-as-a-service (PhaaS) operation that the criminals called BulletProofLink.

BulletProofLink, a turnkey platform, provides phishing kits, email templates, hosting and other tools that let users customize campaigns and develop their own phishing ploys. They then use the PhaaS platform to help with phishing kits, email templates and the hosting services needed to launch attacks.

MIRCBOOT and the other phishing kits available on BulletProofLink allow cybercriminal wannabes to set up the websites and purchase the domain names they need to launch phishing campaigns, pretending to be, say, employees of a security firm, as in this case.

Source: ThreatPost

Protect your environment from Ransomware attacks.

Educating yourself and your employees with Cyber Security Awareness Training is the best way to start ensuring your business is protected from cyber-attacks.

Learn more about how The Cloud Consultancy can address and manage your businesses Cyber Security headaches. We can now provision boutique, pro-active, IT support services 24/7/365