Security News > 2021 > November > Kaspersky's stolen Amazon SES token used in Office 365 phishing
Kaspersky said today that a legitimate Amazon Simple Email Service token issued to a third-party contractor was recently used by threat actors behind a spear-phishing campaign targeting Office 365 users.
Amazon SES is a scalable email service designed to allow developers to send emails from any app for various use cases, including marketing and mass email communications.
Kaspersky security experts linked the phishing attempts to multiple cybercriminals who used two phishing kits in this campaign, one known as Iamtheboss and another named MIRCBOOT. No servers compromised.
"The site is also hosted in Amazon infrastructure. Upon discovery of these phishing attacks, the SES token was immediately revoked."
The threat actors did not attempt to impersonate Kaspersky and decided to camouflage their phishing messages as missed fax notifications, redirecting potential victims to phishing landing pages designed to harvest their Microsoft credentials.
They used an official Kaspersky email and sent the emails from Amazon Web Services infrastructure, which likely helped them reach their targets mailboxes by easily evading most Secure Email Gateway protections.