Office 365 Phishing Scam Exploits Stolen Amazon SES Tokens

by | November 8, 2021 | Cybersecurity News

The bad guys are targeting Office 365 users yet again, with a phishing scam that spoofs brand name email addresses and abuses stolen access tokens.

Another Office 365 Credential-Stealing Phishing Scam

Researchers uncovered a spike in spear-phishing emails aiming to steal Office 365 usernames and passwords by impersonating big brands, such as Kaspersky.

Kaspersky’s team wrote in a Monday post that they had identified two phishing kits – “Iamtheboss” and “MIRCBOOT” – being used together by several cybercriminal groups to send out bogus fax notifications.

“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the bulletin.

Researchers tracked one particular phishing scam that abuses Amazon’s Simple Email Service (SES), a feature that allows developers to send emails from apps for marketing and mass email communications. The malicious scheme relied on a now-revoked stolen SES token used during the testing of the website called “”

The site is a Kaspersky project and is hosted on the Amazon infrastructure.

“These emails have various sender addresses, including but not limited to They are sent from multiple websites including Amazon Web Services infrastructure,” the team warned. Kaspersky said that the attackers used the stolen token only in a limited capacity.

It remains unclear what other brands are impersonated in the scam or if other SES tokens are involved.

The exploited SES token was immediately revoked after being identified as stolen and leveraged. “The site is also hosted in Amazon infrastructure. Upon discovery of these phishing attacks, the SES token was immediately revoked.”

Fortunately, the theft did not result in any damages. “No server compromise, unauthorized database access, or any other malicious activity was found at and associated services,” the advisory said.

The SES Token Exploit

Scammers frequently target Office 365 credentials in their phishing attacks. For instance, a recent phishing operation targeted customers in the defense sector in the U.S. and Israeli.

The ongoing phishing scheme lends a false sense of legitimacy by identifying the sender as “” in their fake fax notifications.

“These emails have various sender addresses, including but not limited to”

The Bait: Bogus Fax Notifications

The phishers sent malicious emails claiming to be fax notifications to redirect targets to credential-harvesting websites. “The phishing e-mails are usually arriving in the form of ‘Fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” Kaspersky noted.

This is how a sample phishing email looks:

The phishing scam sent fake fax notifications.
Sample of phishing email. Credit: Kaspersky.

Researchers found that the campaign uses a combination of two phishing kits, known as “Iamtheboss” and “MIRCBOOT”.

Phishing Kit Served Up By BulletProofLink Phishing Platform

The “MIRCBOOT” name might sound familiar because it was one of the phishing kits recently discovered by Microsoft when it uncovered a massive PhaaS (phishing-as-a-service) operation that the cybercriminals behind it named BulletProofLink.

BulletProofLink is a turnkey phishing platform that offers phishing kits, fraudulent email templates, hosting, and several other tools to allow users to tailor and develop their own phishing operations. The platform’s clients then use it to help with all the services and tools needed to carry out a phishing attack.

MIRCBOOT and others of its kind are available on the PhaaS platform and allow aspiring cybercrooks to set up malicious websites and purchase the domain names.

ATTACK Simulator’s Security Awareness Training program will help you enrich your employees’ cybersecurity knowledge with up-to-date security best practices to keep your company safe from scammers and avoid potentially irreparable damage.

Do you think your employees are ready for a phishing attack? Then, put them to the test with our free security awareness training trial and see how well they’d do!


Threatpost Office 365 Phishing Campaign Abuses Stolen Amazon SES Token

BleepingComputer Kaspersky’s stolen Amazon SES token used in Office 365 phishing


Photo by Wynand van Poortvliet on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.