IT security firm Kaspersky has warned users that a new phishing campaign is using one of its stolen Amazon Simple Email Service (SES) tokens to make emails look legitimate.

In a notice released on Monday, the company said it has seen a dramatic increase in phishing emails designed to steal Office 365 credentials. The notice added that this campaign relies on a phishing research kit called ” Iamtheboss “used in conjunction with another phishing kit known as” MIRCBOOT “.

“The activity can be associated with multiple cybercriminals. Phishing emails typically arrive in the form of “fax notifications” and lure users to fake websites that collect credentials for Microsoft’s online services, “the advisory said. “These emails have different sender addresses including, but not limited to noreply@sm.kaspersky.com. They are sent from multiple websites, including the Amazon Web Services infrastructure.

During investigations, Kaspersky researchers determined that some emails were sent using Amazon’s Simple Messaging Service (SES) and the legitimate SES token. Amazon Simple Email Service (SES) is an email service that allows developers to send emails from any application.

They said this access token was issued to a third-party subcontractor during testing of the 2050.earth website. The site is also hosted in the Amazon infrastructure.

“Upon discovery of these phishing attacks, the SES token was immediately revoked. No server compromises, unauthorized database access or any other malicious activity were found on 2050.earth and related services, ”the notice said.

The advisory encouraged users to exercise caution and vigilance even if the email appears to be from a familiar brand or email address.

MIRCBOOT is a phishing kit recently discovered by researchers at Microsoft as part of a large-scale phishing-as-a-service operation known as BulletProofLink. This follows the software as a service model, which requires attackers to pay an operator to fully develop and deploy large portions or terminate phishing campaigns from bogus login page development, website hosting. and analysis and redistribution of credentials.

Earlier this month, a Russian cybercrime group targeted the financial sector with malware delivered by Microsoft Office macros. The attack used phishing emails to stage the first phase of its attack, using an Excel document that uses a macro.

Last month, hackers spoofed Zix to steal Office 365, Google Workspace, and Microsoft Exchange data. Armorblox security researchers said the attack affected around 75,000 users, with small groups of cross-departmental employees targeted in each customer environment.