AWS Phishing - Abnormal Security

AWS Phishing

In this attack, attackers are impersonating a notification from Amazon Web Services in order to steal credentials of employees.

Quick Summary

  • Platform: Microsoft Office 365
  • Mailboxes: 15,000 to 50,000
  • Email Security Bypassed: FireEye
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Brand Impersonation

What was the attack?

  • Setup: Due to recent quarantine restrictions, companies have been moving to online collaboration software and cloud-based applications. Despite the benefits of convenience and increased productivity from the use of cloud computing services, user accounts for these services are still vulnerable. Hackers will specifically tailor attacks to impersonate these platforms in order to access sensitive business data.

  • Email Attack: The attack impersonates an automated notification from Amazon Web Services (AWS). The anchor text of the links appear to be credible AWS links. However, the attached hyperlink redirects to a different URL that has a webpage identical to the AWS login page.

  • Payload: Numerous versions of this attack have been seen across different clients, from different sender emails and using different payload links. However, each of the emails of this campaign come from the same IP, hosted by a French VPN. Each of the payload links employed in this attack led to AWS credential phishing websites.
  • Result: If recipients fall victim to this attack, the login credentials for their Amazon Web Services account will be compromised. The sensitive data stored on their account would also be at risk.

Why is this attack effective?

  • Convincing Email and Landing Page: The attack impersonated Amazon Web Services, and the anchor text used in the email body looked like real Amazon links. The landing page contained official images used by the company and appeared exactly like the real login page.
  • Concealed URL: The URL used as the anchor text is different from the hyperlink URL. By hiding the real URL, the user may be unaware that the site they are accessing is not the real AWS page. If the user wasn’t careful with checking the link of the webpage, they could believe it to be authentic.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content