Using a legitimate service like AWS to create phishing pages allows attackers to bypass traditional security scanners, Avanan says.
Cyber criminals prefer to use legitimate sites and services in their phishing scams, not just to trick unsuspecting victims, but to sneak past security scanners that would otherwise block a suspicious site’s traffic. In a report released ThursdayEmail security provider Avanan describes a new phishing campaign that takes advantage of: Amazon Web Services.
As one of the most popular cloud storage and hosting products, AWS is a tempting target for cybercriminals, especially since it allows anyone to create and host web pages. The service allows you to design and host a website using WordPress or your own custom code. But just as legitimate users can use AWS, so can malicious attackers.
How attackers use AWS

In the system analyzed by Avanan, cyber criminals have built phishing pages on AWS. By sending a link to such a page via a phishing email, the scammers can bypass the security tools and convince the recipient to share credentials for sensitive accounts.
In one example, the attacker uses a phishing page created and hosted via AWS to warn people about the alleged password expiration. The phishing email, which pretends to be Microsoft, complete with a Microsoft logo, claims that the user’s password expires today and asks them to click a button to keep the same password.
Clicking the button will take the user to the phishing page set up with a fake login prompt. The page even includes the victim’s company domain name and fills most of the fields. The user is only asked to enter their password, which is then collected by the people behind the attack.
TO SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Why this phishing attack works
This type of scam often succeeds because the attacker manages to breach the usual security measures. Traditional email security tools use static allow and block lists to determine if the content is legitimate by analyzing the linked website. As a prominent website and service, Amazon Web Services is always on the Allow list, which causes the phishing email to reach the user’s inbox.
Avanan said it has notified AWS of its findings and will provide further updates with additional details.
How to avoid falling victim to this scam
To protect your organization and employees from these types of phishing attacks, Avanan offers the following tips:
- Always hover over a link in an email to see the destination URL before clicking it
- Always research the content of the email before taking any action
- Encourage employees to contact the helpdesk or IT support if they have any doubts about the legality of an email