Webmail Wolves in Cloud Clothing

A phishing campaign targets corporate users with an email impersonating a colleague or project manager. The email claims to share a Dropbox project and encourages the recipient to click a “Review Documents” link.

This link leads to a fake Webmail login page hosted on an AWS App Runner domain, designed to harvest corporate email credentials.

Verified Source: Email sent from a domain passing sender authentication checks.

Legitimate Hosting: The phishing URL is hosted on AWS App Runner, a fully managed AWS service that allows developers to deploy and scale containerized web applications and APIs without managing infrastructure. Attackers abuse App Runner because It supports anonymous public web hosting with minimal setup.

Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.

• Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financial themed attack.