The bad guys are targeting Office 365 users yet again, with a phishing scam that spoofs brand name email addresses and abuses stolen access tokens.
Another Office 365 Credential-Stealing Phishing Scam
Researchers uncovered a spike in spear-phishing emails aiming to steal Office 365 usernames and passwords by impersonating big brands, such as Kaspersky.
Kaspersky’s team wrote in a Monday post that they had identified two phishing kits – “Iamtheboss” and “MIRCBOOT” – being used together by several cybercriminal groups to send out bogus fax notifications.
“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the bulletin.
Researchers tracked one particular phishing scam that abuses Amazon’s Simple Email Service (SES), a feature that allows developers to send emails from apps for marketing and mass email communications. The malicious scheme relied on a now-revoked stolen SES token used during the testing of the website called “2050.earth.”
The site is a Kaspersky project and is hosted on the Amazon infrastructure.
“These emails have various sender addresses, including but not limited to firstname.lastname@example.org. They are sent from multiple websites including Amazon Web Services infrastructure,” the team warned. Kaspersky said that the attackers used the stolen token only in a limited capacity.
It remains unclear what other brands are impersonated in the scam or if other SES tokens are involved.
The exploited SES token was immediately revoked after being identified as stolen and leveraged. “The site is also hosted in Amazon infrastructure. Upon discovery of these phishing attacks, the SES token was immediately revoked.”
Fortunately, the theft did not result in any damage. “No server compromise, unauthorized database access, or any other malicious activity was found at 2050.earth and associated services,” the advisory said.
The SES Token Exploit
Scammers frequently target Office 365 credentials in their phishing attacks. For instance, a recent phishing operation targeted customers in the defense sector in the U.S. and Israel.
The ongoing phishing scheme lends itself a false sense of legitimacy by identifying the sender as “sm.kaspersky.com” in its fake fax notifications.
“These emails have various sender addresses, including but not limited to email@example.com.”
The Bait: Bogus Fax Notifications
The phishers sent malicious emails claiming to be fax notifications to redirect targets to credential-harvesting websites. “The phishing e-mails are usually arriving in the form of ‘Fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” Kaspersky noted.
This is how a sample phishing email looks:
Researchers found that the campaign uses a combination of two phishing kits, known as “Iamtheboss” and “MIRCBOOT”.
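The traits reported above (the sm.kaspersky.com sender, delivery through Amazon SES, the fax-notification lure and a link to a fake Microsoft sign-in page) can be combined into a mail-triage check. The following Python code is an added example, not code from Kaspersky or the original article; the sample message, the amazonses.com Return-Path check and the Microsoft sign-in host allowlist are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domain the article reports in the fake fax notifications.
REPORTED_SENDER_DOMAINS = {"sm.kaspersky.com"}
# Assumption: hosts where a genuine Microsoft sign-in page is served.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
FAX_LURE = re.compile(r"\bfax\b", re.I)
MS_MENTION = re.compile(r"office\s?365|microsoft", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; example.net stands in for the fake login site.
SAMPLE = """\
From: Fax Service <noreply@sm.kaspersky.com>
Return-Path: <bounce-0001@amazonses.com>
To: user@example.com
Subject: New Fax Notification: 2 pages received
Content-Type: text/plain

You have received a fax. Sign in with your Office 365 account to view it:
https://example.net/o365/login
"""

def triage(raw):
    """Return the indicators from the article that a raw message matches."""
    msg = message_from_string(raw)
    hits = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in REPORTED_SENDER_DOMAINS:
        hits.append("reported-sender-domain")
    # Assumption: SES default MAIL FROM leaves amazonses.com in Return-Path.
    if "amazonses.com" in msg.get("Return-Path", "").lower():
        hits.append("sent-via-ses")
    if FAX_LURE.search(msg.get("Subject", "")):
        hits.append("fax-lure")
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    if MS_MENTION.search(body):
        # Flag links in a Microsoft-themed message that leave the allowlist.
        hosts = {urlparse(u).hostname or "" for u in URL.findall(body)}
        for host in sorted(hosts - MS_LOGIN_HOSTS):
            hits.append("offsite-login-link:" + host)
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE))
```

No single indicator is conclusive on its own; the combination is what separates the reported pattern from ordinary mail sent through SES.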
Phishing Kit Served Up By BulletProofLink Phishing Platform
The “MIRCBOOT” name might sound familiar because it was one of the phishing kits recently discovered by Microsoft when it uncovered a massive PhaaS (phishing-as-a-service) operation that the cybercriminals behind it named BulletProofLink.
BulletProofLink is a turnkey phishing platform that offers phishing kits, fraudulent email templates, hosting, and several other tools to allow users to tailor and develop their own phishing operations. Its clients then rely on the platform for all the services and tools needed to carry out a phishing attack.
MIRCBOOT and others of its kind are available on the PhaaS platform and allow aspiring cybercrooks to set up malicious websites and purchase the domain names.
ATTACK Simulator’s Security Awareness Training program will help you enrich your employees’ cybersecurity knowledge with up-to-date security best practices to keep your company safe from scammers and avoid potentially irreparable damage.
BleepingComputer: “Kaspersky’s stolen Amazon SES token used in Office 365 phishing”