The meeting recap arrived on a Tuesday evening.
The header showed the familiar Fireflies.ai mascot.
The body read "Microsoft Teams" in the platform's signature purple.
The subject line referenced an AP/AR account settlement.
And the "View in Teams" button, the one that looked identical to every legitimate meeting notification, pointed to a credential harvesting page that had nothing to do with either brand.
This was dual-brand impersonation: one email wearing two trusted identities at once, delivered through Amazon's own email infrastructure, targeting a financial controller who handles payment authorizations daily.
Two Brands, One Phishing Email
A mid-size U.S. firm received what appeared to be a Fireflies.ai meeting recap notification. The layout was convincing. The header displayed Fireflies' "Fred" mascot loaded from files[.]fireflies[.]ai, the footer included the platform's actual Pleasanton, California office address, and the email linked to real Fireflies.ai Terms of Service and Privacy Policy PDFs.
But the body text told a different story. "Microsoft Teams" appeared in Fireflies' signature purple branding. The call-to-action read "View in Teams" rather than the standard Fireflies recap link. And the subject line, "AP/AR Account Settlement Note," had nothing to do with a meeting recap. It was a financial lure dressed in productivity clothing.
The recipient was a financial controller in the accounting department, a VIP target whose credentials could authorize payments, access bank details, or initiate wire transfers. The subject referenced case numbers and disbursement language specifically designed to trigger urgency in someone who processes financial transactions daily.
The "View in Teams" button resolved to authorzeyadkareem[.]com, a domain registered five months earlier through GoDaddy with fully redacted WHOIS data. The page behind it was a credential harvesting operation. Every other link in the email (the Fireflies.ai meeting viewer, the PDF policy documents, even embedded Adobe links) was legitimate. The attacker buried one malicious link inside a forest of real ones.
Amazon SES: The Attacker's Authenticated Relay
The email came from info@sobiznet[.]com, a domain registered seventeen months earlier through GoDaddy with privacy-redacted registrant data. The sending infrastructure was Amazon Simple Email Service (SES), operating from the EU-West-1 region.
The authentication results told every gateway the email was legitimate:
- SPF: Pass (the sender IP 54[.]240[.]3[.]9 is an authorized Amazon SES server)
- DKIM: Pass (dual signatures verified, one for sobiznet[.]com and one for amazonses[.]com)
- DMARC: Best-guess pass (sobiznet[.]com publishes no DMARC record; the receiver inferred a pass because the From domain aligned with the SPF and DKIM domains)
- SCL (Spam Confidence Level): 1 (low; the email scored as clean)
This is MITRE ATT&CK T1566.002: Phishing: Spearphishing Link combined with T1036.005 (Masquerading: Match Legitimate Name or Location) and T1598.003 (Phishing for Information: Spearphishing Link). The attacker didn't spoof the sending infrastructure. They used a legitimate SES account (either compromised or purpose-built) with properly configured authentication records.
As the Verizon 2025 Data Breach Investigations Report documents, phishing remains the initial access vector in 36% of breaches, and the abuse of legitimate cloud services for delivery continues to grow precisely because it eliminates the authentication failures that Secure Email Gateways (SEGs) depend on.
The structural problem is clear: email authentication protocols validate the sending infrastructure, not the content or intent. When the attacker's infrastructure is a legitimate cloud service, authentication becomes an asset for the attacker, not a defense for the target.
The Signal Behind the Dual Mask
This campaign was caught not by authentication checks or URL blocklists, but by converging behavioral signals.
IRONSCALES Adaptive AI flagged the message based on three indicators:
- Malicious URL detection: The authorzeyadkareem[.]com credential harvesting domain was identified through real-time URL analysis. The domain's age, hosting infrastructure, and behavioral patterns matched known credential harvesting operations.
- First-time sender anomaly: info@sobiznet[.]com had never sent email to this recipient or anyone else in the organization. A first-time sender combining a financial subject line with a VIP recipient in accounting triggered elevated scrutiny.
- Community intelligence: The IRONSCALES community network of over 35,000 security professionals had already identified similar SES-delivered Fireflies impersonation patterns across other organizations, providing federation-level confirmation.
Four affected mailboxes were quarantined before any recipient engaged with the credential harvesting link.
What makes dual-brand impersonation particularly effective is how it distributes trust. A recipient who notices the Fireflies.ai branding might trust the email because they recognize the platform. A recipient who notices the Microsoft Teams language might trust it because Teams is their daily collaboration tool. The attacker doesn't need both brands to be convincing. They only need one to lower the recipient's guard enough to click.
What Defenders Should Take From This
Three patterns from this campaign matter for security teams:
- Dual-brand impersonation defeats single-brand detection rules. If your email security only flags emails impersonating one brand at a time, campaigns that blend two trusted identities can slip through. Detection needs to evaluate behavioral coherence: does the sending domain match the brand on display, and does that brand match the content narrative and the link destinations?
- Legitimate cloud email services are attack infrastructure. Amazon SES, SendGrid, Mailchimp, ActiveCampaign: any service that sends authenticated email on behalf of customers can be weaponized. The FBI's 2024 Internet Crime Report documented $2.7 billion in phishing and BEC losses, with cloud service abuse increasingly cited as a delivery mechanism.
- Embedding real vendor assets increases believability. This email included real Fireflies.ai images, real PDF links, real tracking pixels, and real meeting viewer URLs. The one malicious link was hidden among dozens of legitimate ones, a technique that defeats both automated scanning and human review when recipients are moving fast.
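The contrast between the authentication results above and the coherence check this section calls for, as an added example (this is not IRONSCALES code or any code from the article): the script reconstructs the relaxed DMARC alignment a receiver "best-guesses" when no policy is published, then asks the questions authentication never asks, namely whether the From domain belongs to a brand named in the message and whether every link stays inside those brands' domains. Both messages are constructed, modelled on the indicators in the article, and the brand-to-domain map is an assumption for the demo.

```python
"""Added example: SPF/DKIM/DMARC pass on an SES-relayed dual-brand lure,
while a brand/sender/link coherence check flags it. Messages and the
brand domain map below are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure: authenticated sobiznet.com sender, two brands in the body,
# one off-brand link among legitimate Fireflies links.
LURE = """\
From: "Fireflies.ai" <info@sobiznet.com>
To: controller@example.org
Subject: AP/AR Account Settlement Note
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=sobiznet.com;
 dkim=pass header.d=sobiznet.com;
 dkim=pass header.d=amazonses.com
Content-Type: text/html

<html><body>
<img src="https://files.fireflies.ai/fred.png">
<p>Microsoft Teams meeting recap</p>
<a href="https://app.fireflies.ai/view/abc">Open in Fireflies</a>
<a href="https://fireflies.ai/terms.pdf">Terms of Service</a>
<a href="https://authorzeyadkareem.com/">View in Teams</a>
</body></html>
"""

# Constructed benign control: same layout, genuinely sent by the brand.
LEGIT = """\
From: "Fireflies.ai" <recap@fireflies.ai>
To: controller@example.org
Subject: Meeting recap: Weekly sync
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=fireflies.ai;
 dkim=pass header.d=fireflies.ai
Content-Type: text/html

<html><body><a href="https://app.fireflies.ai/view/xyz">View recap</a></body></html>
"""

# Assumed brand-to-domain map (illustrative; production data would come from
# the vendors' published sending domains and brand-protection feeds).
BRAND_DOMAINS = {
    "fireflies": {"fireflies.ai"},
    "microsoft teams": {"microsoft.com", "teams.microsoft.com", "office.com"},
}


def org_domain(host):
    """Last two labels as the organisational domain; real code should
    consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def from_domain(msg):
    return parseaddr(msg["From"])[1].rsplit("@", 1)[-1]


def auth_pass_domains(msg):
    """Org domains that passed SPF or DKIM per Authentication-Results."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.findall(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", hdr)
    dkim = re.findall(r"dkim=pass\s+header\.d=([\w.-]+)", hdr)
    return {org_domain(d) for d in spf + dkim}


def dmarc_aligned(msg):
    """Relaxed DMARC alignment: the From org domain matches an authenticated
    org domain. That is all a 'best-guess pass' attests."""
    return org_domain(from_domain(msg)) in auth_pass_domains(msg)


class LinkHosts(HTMLParser):
    """Collect the hostname of every <a href> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hosts.append(urlsplit(value).hostname or "")


def coherence_check(raw):
    """Does the sender domain match a brand on display, and does every link
    stay inside the named brands' domains? (Single-part HTML assumed.)"""
    msg = message_from_string(raw)
    body = msg.get_payload()
    parser = LinkHosts()
    parser.feed(body)
    text = (msg["From"] + " " + body).lower()
    brands = {b for b in BRAND_DOMAINS if b in text}
    trusted = {org_domain(d) for b in brands for d in BRAND_DOMAINS[b]}
    findings = {
        "dmarc_aligned": dmarc_aligned(msg),
        "brands_named": brands,
        "from_matches_brand": org_domain(from_domain(msg)) in trusted,
        "off_brand_links": sorted({h for h in parser.hosts
                                   if org_domain(h) not in trusted}),
    }
    suspicious = (brands and not findings["from_matches_brand"]) \
        or bool(findings["off_brand_links"])
    findings["verdict"] = "SUSPECT" if suspicious else "OK"
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, coherence_check(raw))
```

On the lure, `dmarc_aligned` is True exactly as the gateway saw it, because the attacker owns sobiznet[.]com and signed with it; the coherence check still returns SUSPECT, since neither named brand owns the From domain and one link leaves the brands' domains entirely. The benign control passes both checks, which is the point: the signal comes from relating sender, brand and links to each other, not from any one of them.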
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Domain | sobiznet[.]com | Sender domain, Amazon SES-hosted |
| Domain | authorzeyadkareem[.]com | Credential harvesting destination |
| Email | info@sobiznet[.]com | Sender address |
| IP | 54[.]240[.]3[.]9 | Amazon SES sending IP (eu-west-1) |
| URL | hxxps://authorzeyadkareem[.]com/ | Credential harvesting page |
| SES ID | 0102019cba7ffe10-5a385c1a-e4f2-4ca9-a9fd-cbd5ec17355a-000000@eu-west-1[.]amazonses[.]com | Amazon SES message identifier |
| Mailer | Amazon SES (eu-west-1) | Cloud email service used for delivery |