Kaspersky emails seen in recent Office 365 phishing campaign
Summary
On 1st November 2021, Kaspersky released an advisory stating that its experts had found that some e-mails were sent using Amazon’s Simple Email Service (SES) and a legitimate SES token for the phishing activity.
“This access token was issued to a third-party contractor during the testing of the website 2050.earth. The site is also hosted in Amazon infrastructure. Upon discovery of these phishing attacks, the SES token was immediately revoked. No server compromise, unauthorized database access or any other malicious activity was found at 2050.earth and associated services.”
Kaspersky names this phishing kit “Iamtheboss”; it is used in conjunction with another phishing kit known as “MIRCBOOT”. This spear-phishing campaign aims to steal O365 credentials and may be the activity of multiple cybercriminals.
These mails come from different mail addresses, such as [email protected]. They are sent under the subject “Fax notifications” and direct the user to a fake website that collects credentials for Microsoft online services.
Impact
Compromise of users’ credentials
Remediate
Users should be vigilant and cautious when messages from different email addresses ask for sensitive information such as credentials. See the detailed post published by Kaspersky on how to check email headers to verify the sender’s identity.
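A header check of the kind the remediation advice refers to, as an added Python example (not code from Kaspersky's post or from this advisory): it parses a constructed sample message and reports mismatches between the From domain and the Return-Path, DKIM signing domain, DMARC result and Reply-To, plus the “Fax notifications” subject named above. Every address and domain in the sample is a placeholder, and the subdomain-based alignment test is a simplification of real DMARC alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real phishing mail); addresses are placeholders.
SAMPLE = """\
Return-Path: <0100017c-bounce@amazonses.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=amazonses.com;
 dmarc=fail header.from=vendor.example
From: "Fax Service" <noreply@vendor.example>
Reply-To: collector@other.example
Subject: Fax notifications

You have a new fax. Sign in to view it.
"""

def domain_of(value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_headers(raw):
    """Return a list of sender-identity findings for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # Unfold the receiving server's Authentication-Results header(s) into one line.
    auth = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    dkim_dom = (re.search(r"header\.d=([\w.-]+)", auth) or [None, ""])[1].lower()
    findings = []
    if not aligned(from_dom, domain_of(msg["Return-Path"])):
        findings.append("Return-Path domain differs from From domain")
    if results.get("dkim") != "pass" or not aligned(from_dom, dkim_dom):
        findings.append("no passing DKIM signature aligned with From domain")
    if results.get("dmarc") != "pass":
        findings.append("DMARC did not pass")
    reply = domain_of(msg["Reply-To"])
    if reply and not aligned(from_dom, reply):
        findings.append("Reply-To points to a different domain")
    if "fax notification" in (msg["Subject"] or "").lower():
        findings.append("subject matches the 'Fax notifications' lure")
    return findings

if __name__ == "__main__":
    print("\n".join(check_headers(SAMPLE)))
```

An empty result only means these header signals are consistent; it is one input to triage, not proof that a message is legitimate.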
Reference