Office 365 Phishing Campaign Uses Kaspersky’s Amazon SES Token

It’s a legitimate access token, stolen from a third-party contractor, that lets the attackers send phishing emails from kaspersky.com email addresses.

A surge in spearphishing emails designed to steal Office 365 credentials were rigged to look like they came from a Kaspersky email address.

In spite of coming from sender addresses such as noreply@sm.kaspersky.com, nobody at Kaspersky sent the phishing emails, the security company said in an advisory issued on Monday. Rather, the emails were sent with Kasperskyi’s legitimate, albeit stolen, Amazon Simple Email Service (SES) token.

Amazon SES is a scalable email service that lets developers send mail from any app, including in marketing or mass email communications.

“This access token was issued to a third party contractor during the testing of the website 2050.earth,” according to Kaspersky’s advisory. The 2050.earth site is a Kaspersky project that features an interactive map illustrating what futurologists and others think will happen to the planet in coming decades.

Kaspersky said that the site is hosted on Amazon infrastructure.

After spotting what it called “a huge uptick” in recent Office 365 credential spearphishing attacks – attacks that may be coming from multiple threat actors – the SES token

Read More: https://threatpost.com/office-365-phishing-campaign-kasperskys-amazon-ses-token/175915/