Phishing at Cloud Scale: How AWS is Abused for Credential Theft

Threat actors are abusing Amazon Web Services—notably Amazon S3, Amazon SES, and AWS Amplify—to host credential-phishing pages and to send obfuscated phishing emails that leverage trusted AWS domains. These capabilities, combined with easy provisioning, free tiers, and weak or misconfigured IAM and logging, enable scalable campaigns that evade some traditional email security controls and complicate takedown and forensics. #AmazonS3 #AmazonSES

Key points

  • Attackers host phishing pages on misconfigured or public Amazon S3 buckets and on AWS Amplify-hosted sites to mimic legitimate login portals (e.g., Microsoft, Zoom).
  • Compromised or abused Amazon SES accounts are used to send phishing emails with click-tracking links that redirect through awstrack[.]me to hide final destinations.
  • The scalability and ease of provisioning AWS services let threat actors rapidly deploy large-scale phishing infrastructure with minimal cost or technical overhead.
  • AWS URL and domain trust (e.g., s3..amazonaws.com, awstrack[.]me, amplifyapp[.]com) help phishing campaigns bypass some Secure Email Gateways and email security filters.
  • Weak IAM configurations, public bucket misconfigurations, and insufficient monitoring/logging allow attackers to operate undetected and hinder forensic analysis.
  • AWS provides mitigations (GuardDuty, abuse reporting, best-practice guidance), but gaps remain that low-skill actors can still exploit.

MITRE Techniques

  • [T1583.006] Acquire Infrastructure: Cloud Services – Adversaries provision and use AWS resources (S3, SES, Amplify) to host and scale phishing infrastructure (‘threat actors abuse AWS services such as S3 buckets, SES, and Amplify to host and distribute malicious content’).
  • [T1078] Valid Accounts – Use of compromised or weakly configured SES accounts to send phishing emails from legitimate-seeming sources (‘compromised SES accounts to send phishing emails’).
  • [T1566.002] Phishing: Spearphishing Link – Attackers send emails with links rewritten by SES click-tracking (awstrack[.]me) to obscure final destinations and direct victims to credential-harvesting sites (‘awstrack[.]me URLs hides the final URL destination making it difficult for users, security tools, or filters to identify where the link ultimately leads’).
  • [T1036] Masquerading – Abuse of trusted AWS domains and service URLs to make malicious content appear legitimate and bypass detection (‘AWS offers threat actors a cloak of legitimacy, bypassing many traditional email based security controls’).
  • [T1204] User Execution – Phishing pages crafted to mimic legitimate login portals induce users to enter credentials on attacker-controlled sites (‘phishing pages mimicking legitimate services (e.g., Microsoft login pages)’).

Indicators of Compromise

  • [Domain] Hosting and tracking domains used in campaigns – awstrack[.]me (SES tracking/redirect domain used to hide final URLs), main[.]d3hhbrxwf4lu41[.]amplifyapp[.]com (example Amplify-hosted phishing site).
  • [URL pattern] AWS service URL patterns abused for phishing – s3[.][.]amazonaws[.]com (S3-hosted phishing pages), [.]r[.][.]awstrack[.]me (SES click-tracking redirect pattern).
  • [Email address] Reporting/contact addresses referenced – trustandsafety@support[.]aws[.]com, stop-spoofing@amazon[.]com (AWS abuse/contact endpoints noted in mitigation guidance).
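The key points and the URL patterns above describe the defender's problem in two halves: links on trusted AWS hosts (S3, Amplify) slip past filters that key on reputation, and SES click-tracking links on awstrack[.]me hide where a link finally lands. The script below is an added example, not code from the Cofense post or from AWS. It scans an email body for links on those AWS hosts, labels each by the abused service, and, for awstrack[.]me links, recovers the tracked destination so the hidden target can be classified too. The sample email, the bucket name, the Amplify app id (dEXAMPLE) and the message/signature segments are all constructed placeholders; the assumed layout of an SES tracking link (the URL-encoded target in the path segment after /L0/) is stated in the code and should be checked against links from your own SES mail before relying on it.

```python
"""Triage helper: flag and unwrap AWS-hosted links in a phishing email body.

Added example (not Cofense's or AWS's code). The sample email and all
identifiers in it are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlparse

# Any http(s) URL up to whitespace or a delimiter that commonly follows a link.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Host patterns for the AWS services named in the summary. Region, bucket and
# app-id components are wildcards; the rules deliberately match both
# path-style (s3.<region>.amazonaws.com/<bucket>) and virtual-hosted /
# static-website (<bucket>.s3-website-<region>.amazonaws.com) S3 endpoints.
HOST_RULES = [
    (re.compile(r"(^|\.)s3(-website)?([.-][a-z0-9-]+)?\.amazonaws\.com$"), "s3-hosted-content"),
    (re.compile(r"\.amplifyapp\.com$"), "amplify-hosted-site"),
    (re.compile(r"(^|\.)awstrack\.me$"), "ses-click-tracking-redirect"),
]


def classify_url(url):
    """Return the abuse label for an AWS-hosted URL, or None for other hosts."""
    host = (urlparse(url).hostname or "").lower()
    for pattern, label in HOST_RULES:
        if pattern.search(host):
            return label
    return None


def awstrack_destination(url):
    """Recover the destination hidden behind an SES click-tracking link.

    ASSUMPTION: SES tracking links look like
        https://<id>.r.<region>.awstrack.me/L0/<url-encoded-target>/<n>/<message-id>/<signature>
    so the URL-decoded path segment after "L0" is the real target.
    Returns None for non-awstrack links or links that do not fit that layout.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != "awstrack.me" and not host.endswith(".awstrack.me"):
        return None
    parts = parsed.path.split("/")  # "/L0/<target>/..." -> ["", "L0", "<target>", ...]
    if len(parts) < 3 or parts[1] != "L0":
        return None
    return unquote(parts[2])


def analyze_email(text):
    """List every AWS-hosted link in text with its label and unwrapped target."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,);")  # drop trailing punctuation
        label = classify_url(url)
        if label is None:
            continue
        destination = awstrack_destination(url)
        findings.append({
            "url": url,
            "label": label,
            "destination": destination,
            "destination_label": classify_url(destination) if destination else None,
        })
    return findings


# Constructed sample: a tracking link that unwraps to an Amplify-hosted page,
# a direct S3 link, and one unrelated link that must not be flagged.
SAMPLE_EMAIL = """Subject: Action required: your mailbox is almost full

Your account will be locked in 24 hours. Verify now:
https://abc123.r.us-east-1.awstrack.me/L0/https:%2F%2Fmain.dEXAMPLE.amplifyapp.com%2Flogin/1/0100019-000000/example-signature=
Alternatively open https://s3.us-east-1.amazonaws.com/example-bucket/verify.html
Regards, IT Helpdesk
Unsubscribe: https://www.example.com/unsubscribe
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding["label"], finding["url"])
        if finding["destination"]:
            print("   -> unwraps to", finding["destination"],
                  "(" + str(finding["destination_label"]) + ")")
```

In a mail-flow or SOAR pipeline the useful output is the unwrapped destination: a tracking link that resolves to an Amplify or S3 host the organisation never uses is a much stronger signal than the awstrack[.]me host alone, which legitimate SES senders also produce. Anything flagged here still needs a detonation or manual check; the rules only say where a link points, not what the page does.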


Read more: https://cofense.com/blog/phishing-at-cloud-scale-how-aws-is-abused-for-credential-theft