When the digital world grinds to a halt, many cyber attackers see opportunity. Major internet outages like the current Amazon Web Services (AWS) disruption don’t just stall business, they also open the door for phishing campaigns designed to prey on confusion and urgency. Staying vigilant during these events is crucial to protect your organization and outsmart opportunistic threat actors.
The Outage Fallout: A Recap of the AWS Disruption
Earlier today, October 20, 2025, AWS encountered a significant outage, impacting services across multiple regions. Organizations including Disney+, Reddit, and Canva reported disruptions. While IT and security teams focus on restoring operations, it’s helpful to also be aware of the secondary risks, such as threat actors attempting to take advantage of uncertainty.
Why Outages Can Increase Social Engineering Risks
Large-scale technology failures can create conditions that phishing attackers might attempt to exploit. Here’s why:
- Uncertainty and Concern: During an outage, both employees and customers may be seeking updates. Attackers sometimes send emails with fake updates or solutions, hoping recipients will respond quickly due to concern or confusion.
- Urgency: The desire to restore services can cause people to act before double-checking details. Emails promising quick fixes or patches are common during such events.
- Authority: Messages that appear to come from AWS, your IT department, or trusted vendors may feel especially urgent and credible during an incident.
- Alternative Channels: If normal communication methods are affected, attackers may reach out through other means like text or personal email, making it easier to disguise phishing attempts.
Real-World Examples: What We’ve Seen
This approach isn’t new. Here are two recent incidents where attackers moved quickly following service disruptions:
Case Study 1: Spain & Portugal Power Outage (April 2025)
Following a widespread power outage, threat actors sent phishing emails that looked like official compensation claims from TAP Air Portugal. These emails linked to credential phishing pages aiming to steal personal and payment information. Attackers used compromised WordPress sites to host the fake forms.
Case Study 2: CrowdStrike Global Outage (July 2024)
After an update caused widespread outages for CrowdStrike users, cybercriminals sent phishing emails offering “quick fixes” and solutions. These links led to credential theft portals and, in some cases, malware, showing how quickly attackers can tailor lures to ongoing events.
Attacker TTPs: What to Watch For
During this AWS outage and similar incidents, security teams may encounter a range of tactics designed to trick users:
- Brand Imitation & Lookalike Domains: Attackers can create emails and sites that closely resemble trusted brands, using similar-looking domains.
- Fake Helpdesk or Ticketing Portals: Attackers may send notification emails with links to credential harvesting pages mimicking helpdesk portals.
- QR Code Phishing: Users may be prompted to scan a QR code for “fast updates,” which can route to malicious sites.
- MFA Fatigue: Multiple push authentication requests may be sent in hopes a user will approve one without considering the source.
- Fake Downloads or Guides: Lures that ask users to download and run files, often purporting to be patches or instructions, may actually deliver malware.
Building Your Defense: A Practical Playbook
Preparation and clear processes can greatly mitigate risk. Here are steps to help safeguard your organization:
Technical Controls
- Enforce DMARC, DKIM, and SPF: Ensure authentication protocols are in place for email protection.
- Monitor for Lookalike Domains: Watch for newly registered domains that mimic your company or major partners like AWS.
- Automate SOAR Rules: Flag or quarantine emails referencing major outages or emergency updates.
- Update Blocklists: Consider blocking access to newly registered and suspicious domains.
- Mailbox Rules: Automatically mark or review external emails referencing the outage for closer inspection.
Process and Communication Controls
- Prepared Communication Templates: Use clear, company-approved templates for updates to employees and clients, stating that the company will never request personal credentials or external patch downloads via email.
- Designated Status Page: Guide users to an official company status page for trustworthy information.
- Clear User Guidance: Communicate expected behaviors and warning signs in plain language.
- Role-Based Training: Ensure helpdesk and front-line teams are briefed on likely scams and how to support users who may receive suspicious messages.
Awareness and Defense in Depth Are Your Best Safeguards
Significant outages are a reality of today’s digital services. While attackers may try to exploit these moments, understanding their tactics and proactively preparing your teams can greatly reduce risk. Ensure your incident response plans and communications are up to date and remind employees to be cautious when responding to outage-related messages. Proactive planning is the best way to maintain security and business continuity.
A multi-layered phishing defense program is also vital for catching threats as they emerge. By combining advanced threat detection, user reporting, automated response, and continuous training, your organization can spot and stop phishing attempts before they cause harm, even during chaotic events like a major outage. For a comprehensive approach, solutions like the Cofense Phishing Detection and Response platform are purpose-built to help security teams quickly identify, analyze, and mitigate phishing campaigns in real time. Request a demo today to learn more.