AWS Impersonated in Credential Phishing Attack

May 27, 2020

Due to recent quarantine restrictions, companies have moved to online collaboration software and cloud-based applications. Despite the benefits of convenience and increased productivity from the use of cloud computing services, user accounts for these services are still vulnerable. Hackers will specifically tailor attacks to impersonate these platforms in order to access sensitive business data.

In this attack, attackers are impersonating a notification from Amazon Web Services in order to steal the credentials of employees.

Summary of Attack Target

  • Platform: Microsoft Office 365
  • Email Security Bypassed: FireEye
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Brand Impersonation

Overview of the Amazon Web Services Attack

This email impersonates an automated notification from Amazon Web Services (AWS). The anchor text of the links appear to be credible AWS links.

Despite appearing legitimate, the hyperlinks redirect to a different URL that has a webpage identical to the AWS login page but it hosted at, which has no affiliation to Amazon Web Services or the Amazon company.

Multiple versions of this attack have been seen across different clients, using different sender emails and different payload links. However, each of the emails from this campaign originates from the same IP, hosted by a French VPN, and each of the payload links employed in this attack leads to AWS credential phishing websites.

If recipients fall victim to this attack, the login credentials for their Amazon Web Services account will be compromised and the sensitive data stored on their account would also be at risk. For organizations who run on AWS, this could have disastrous consequences.

Why the Amazon Web Services Attack is Effective

The attack impersonates Amazon Web Services, and the anchor text used in the email body looked like real Amazon links. In addition, the landing page contains official images used by the company and appeared exactly like the real login page. By hiding the real URL, the user may be unaware that the site they are accessing is not the real AWS page.

Abnormal detects this attack as malicious due to a variety of factors. The most pertinent one is that DMARC email authentication fails for Amazon, and when combined with the suspicious links, unusual sender behavior, and the content that impersonates a brand, the platform can quickly tell that this email is dangerous.

To see how Abnormal can protect your employees from becoming the next victims of credential phishing, see a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 1500x1500 Gartner Peer Insights Reviews blog
The Abnormal Security team is committed to providing the best possible solution and support experience to every customer. Here’s what a few of our customers have to say about us.
Read More
B Podcast Engineering 10 07 27 22
In episode 10 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, sits down with Zehan Wang, co-founder of Magic Pony.
Read More
B 1500x1500 Email Attack Insights
Join us for a three-part webinar series about the most serious email-based threats, featuring some of the biggest names in cybersecurity.
Read More
B 07 22 22 Webinar Recap
Credential phishing attacks can lead to loss of revenue, loss of data, and long-term reputational damage. Learn why these attacks are successful and how to block them.
Read More
B 07 19 22 2022 Email Security Trends 1
Our new survey explores the current email threat landscape and what security leaders are doing to stay ahead of increasingly sophisticated attacks.
Read More
B 07 14 22 4types
Understanding the ways cybercriminals execute financial supply chain compromise is key to preventing your organization from falling victim to an attack.
Read More
B 07 07 22 Financial Supply Chain Compromise
Financial supply chain compromise, a subset of business email compromise (BEC), is on the rise. Learn how threat actors launch these sophisticated attacks.
Read More
B 06 15 22 Coats Webinar Recap Blog
Learn why Coats, the global leader in industrial thread manufacturing, skipped the SEG and chose Abnormal Integrated Cloud Email Security (ICES) to protect its workforce from modern email threats.
Read More
B 07 30 22 Q2 2022
We’re dedicated to keeping security professionals informed about the latest email threats. Here are a few of our favorite blog posts from Q2 2022.
Read More
B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More