Webmail Wolves in Cloud Clothing

Phishers abuse AWS App Runner to host convincing login pages.

NEW Piotr Thumbnail 1x1 Feb 25

What is the attack?

  • A phishing campaign targets corporate users with an email impersonating a colleague or project manager. The email claims to share a Dropbox project and encourages the recipient to click a “Review Documents” link.

  • This link leads to a fake Webmail login page hosted on an AWS App Runner domain, designed to harvest corporate email credentials.

Why did it get through?

  • Verified Source: Email sent from a domain passing sender authentication checks.

  • Legitimate Hosting: The phishing URL is hosted on AWS App Runner, a fully managed AWS service that allows developers to deploy and scale containerized web applications and APIs without managing infrastructure. Attackers abuse App Runner because it supports anonymous public web hosting with minimal setup.

What is required to solve for this attack?

  • Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.

  • Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financial-themed attack.
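
A small triage check for the pattern described above, added here as an example and not Abnormal's detection logic: it extracts links from an HTML message body and flags any whose host sits under `.awsapprunner.com`, the default App Runner service domain, recording which brand names the message invokes. The brand list, function names and sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Default hostname suffix of AWS App Runner services.
SHARED_HOSTING_SUFFIXES = (".awsapprunner.com",)
# Brand names a lure may invoke (assumed, illustrative list).
CLAIMED_BRANDS = ("dropbox",)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def flag_links(html_body):
    """Flag links on shared app hosting and note any brand the message invokes."""
    parser = LinkCollector()
    parser.feed(html_body)
    brands = [b for b in CLAIMED_BRANDS if b in html_body.lower()]
    findings = []
    for href, text in parser.links:
        try:
            host = (urlsplit(href).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if any(host.endswith(s) for s in SHARED_HOSTING_SUFFIXES):
            findings.append({"host": host, "text": text, "claimed_brands": brands})
    return findings


# Constructed sample body; the hostname is a made-up placeholder.
SAMPLE = """<p>I shared the Dropbox project with you.</p>
<a href="https://example123.us-east-1.awsapprunner.com/login">Review Documents</a>
<a href="https://www.dropbox.com/help">Help</a>"""
```

Because the sender passes authentication and the host is a legitimate AWS domain, a hit here is a signal to combine with sender history, not a verdict on its own.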