Attackers Use Amazon Web Services Cloud Infrastructure to Create Malicious URLs
Threat actors leverage AWS S3 cloud infrastructure to effectively thwart secure email gateways (SEGs) like Proofpoint.
What is the attack?
- This is a spear-phishing campaign that uses never-before-seen URLs, which are therefore unknown to threat intelligence solutions.
- Even days after the attack, only 1 out of 95 VirusTotal engines flag this attack.
- Proofpoint and other threat intelligence solutions missed this attack.
Why did it get through?
- Proofpoint heavily relies on threat intelligence and known indicators of compromise.
- Threat actors can easily spin up new, previously unseen domains and URLs using phishing kits and cloud infrastructure.
- Signature-based detection fails against novel attack vectors, which threat actors can now produce faster with generative AI.
What is required to solve for this attack?
- Abnormal’s Behavioral AI flags never-before-seen senders and URLs as anomalies that enable the detection of novel attacks.
- For defense in depth, this pairs well with the threat intelligence layer of the cloud email platform (Microsoft 365).
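To make the contrast concrete, here is an added example (not Abnormal's or Proofpoint's code) that runs an IOC lookup and a first-seen/novelty check side by side over one constructed message; the sender, the S3 bucket URL, the IOC feed and the "previously seen" history are all made-up values.

```python
"""Why an IOC feed misses a fresh S3-hosted phishing URL while a novelty check does not."""
import re
from urllib.parse import urlparse

# Hostnames used by Amazon S3 object and static-website endpoints, e.g.
# s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# <bucket>.s3-website-<region>.amazonaws.com. Anything else is not S3.
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


def is_s3_url(url: str) -> bool:
    """True when the URL's host is an S3 endpoint (host must END in amazonaws.com)."""
    host = (urlparse(url).hostname or "").lower()
    return bool(S3_HOST_RE.search(host))


def ioc_verdict(urls, ioc_feed):
    """Signature-style check: only URLs already on the feed are flagged."""
    return any(u in ioc_feed for u in urls)


def novelty_verdict(sender, urls, seen_senders, seen_urls):
    """Behavioural-style check: reasons to flag, based on what this org has never seen."""
    reasons = []
    if sender.lower() not in seen_senders:
        reasons.append("first-seen sender")
    for u in urls:
        if u not in seen_urls and is_s3_url(u):
            reasons.append(f"first-seen S3-hosted URL: {u}")
    return reasons


# Constructed sample data (not real indicators).
IOC_FEED = {"https://known-bad.example/login", "https://old-kit.example/verify"}
SEEN_SENDERS = {"ap@partner.example", "noreply@bank.example"}
SEEN_URLS = {"https://partner.example/portal"}
SAMPLE_SENDER = "billing@invoice-notice.example"
SAMPLE_URLS = ["https://invoice-portal-4821.s3.us-east-1.amazonaws.com/login.html"]


def analyse_sample():
    """Return (ioc_flagged, novelty_reasons) for the constructed message."""
    return (ioc_verdict(SAMPLE_URLS, IOC_FEED),
            novelty_verdict(SAMPLE_SENDER, SAMPLE_URLS, SEEN_SENDERS, SEEN_URLS))


if __name__ == "__main__":
    ioc, reasons = analyse_sample()
    print("IOC feed flagged:", ioc)          # False: the URL is brand new
    print("Novelty reasons:", reasons)       # two reasons, so the message is flagged
```

Legitimate mail also links to S3, so in practice the S3 signal is one anomaly feature to combine with sender history, not a standalone block rule.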