Phishing at Cloud Scale: How AWS is Abused for Credential Theft

January 28, 2026

Threat actors are abusing web services from Amazon like Simple Storage Service (S3) buckets, Amazon Simple Email Service (SES), and Amazon Web Service (AWS) Amplify to launch credential phishing attacks due to their trusted infrastructure, scalability, and ease of abuse. AWS offers threat actors a cloak of legitimacy, bypassing many traditional email based security controls like Secure Email Gateways (SEGs) and other email security technologies, amplifying the risk in today’s connected digital landscape. This report outlines how AWS is abused, supported by examples and phishing trends from June 2021 to December 2025.

Key Points

  • Threat actors abuse AWS services such as S3 buckets, SES, and Amplify to host and distribute malicious content, capitalizing on the platform's trusted infrastructure to deploy deceptive domains that mimic legitimate sources, therefore evading detection and enhancing phishing credibility.
  • The elastic nature of AWS services enables attackers to rapidly spin up and deploy large-scale phishing infrastructure without significant upfront investment or hardware limitations, allowing campaigns to target millions of users efficiently before being taken down.
  • AWS's user-friendly APIs and free tier, combined with minimal signup verification, allow even unskilled attackers to quickly establish a fraudulent digital environment. Threat actors can also use automated scripts and temporary resources for instant setup and takedown of phishing platforms, which makes forensic analysis difficult.

How Threat Actors Abuse These Services as Phishing Vectors

Figure 1 illustrates the trend of using AWS S3 for phishing attacks from the second half of 2021 to the second half of 2025, showing notable fluctuations with significant peaks in early 2023 and late 2025. AWS SES and AWS Amplify remain relatively low yet stable for use in phishing attacks, with a small increase and peak around late 2024 to early 2025. Overall, the chart clearly highlights the ongoing abuse of Amazon Web Services by threat actors.

Figure 1: Phishing incidents abusing different Amazon Web Services from the second half (H2) of 2021 to the second half of 2025.

Amazon S3 Buckets

  • Amazon’s S3 buckets function as an object storage service used for hosting static websites, storing data lakes (for big data analytics), and retrieving files and data on a large scale. Examples include static website content (HTML, CSS, JavaScript), logs and event data (e.g., application logs, server access records, or event streams), as well as application data such as configuration files, user-generated content, and software binaries. S3 buckets offer Identity and Access Management (IAM) based access control, server-side encryption with customer-provided keys (SSE-C), versioning, lifecycle policies, public/private bucket settings, and integration with other AWS services. But due to reported misconfigurations, overly permissive or even publicly accessible buckets often allow easy setup of phishing pages.

Threat actors abuse this service because its domain (s3[.]<region>[.]amazonaws[.]com) is typically trusted so it can bypass some email security technologies and trick unsuspecting recipients.

Tactics, Techniques, and Procedures (TTPs) Used - Phishing Page Hosting

  • The TTP that the Cofense Intelligence team most frequently observed is threat actors abusing S3 buckets by creating phishing pages mimicking legitimate services (e.g., Microsoft login pages), such as those seen in Figure 2, and storing them in misconfigured, publicly accessible S3 buckets before providing links to the pages via phishing emails.

Figure 2: A spoofed Microsoft OneDrive login page hosted on an AWS S3 bucket.

AWS Simple Email Service

Amazon SES uses the awstrack[.]me domain to track user interactions with emails, such as clicked links, enabling attackers to monitor victim engagement in their phishing campaigns. Threat actors also use compromised SES accounts to send phishing emails with links that mask a redirect to a fake login page, leveraging the trusted AWS domain <randomly generated string>[.]r[.]<region>[.]awstrack[.]me to slip past email security controls and inattentive users. When AWS SES open tracking is enabled, the random string seen in the subdomain prefix of awstrack[.]me URLs (as seen in Figure 3) is automatically and randomly generated by AWS for uniqueness and tracking purposes per message or campaign.

These compromised Amazon SES accounts are often the result of weak or poorly configured IAM settings. Additionally, insufficient activity logging and monitoring within AWS environments heightens the risk, as organizations may fail to promptly identify malicious actions. For instance, an attacker using a compromised SES account to distribute phishing emails could operate undetected for extended periods if monitoring is absent, amplifying the attack’s reach, impact, and potential damage to an organization’s reputation.
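The monitoring gap described above can be closed with simple detection logic over CloudTrail. The following is an added example, not Cofense's or AWS's code: it runs over constructed CloudTrail-style records and flags SES sends from IAM identities outside an allow-list, plus any identity whose sends in one hour exceed a threshold. The ARNs, account ID and threshold are assumed placeholders; the event names are the SES send operations CloudTrail records.

```python
from collections import Counter

# CloudTrail eventName values of the SES and SESv2 operations that deliver mail.
SES_SEND_EVENTS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail",
                   "SendBulkTemplatedEmail", "SendBulkEmail"}

def ses_send_anomalies(records, known_senders, max_per_hour):
    """Flag SES sends by identities outside the allow-list (a sign of compromised or
    attacker-created credentials) and any identity whose sends in one UTC hour exceed
    max_per_hour (a burst typical of a phishing blast)."""
    hourly = Counter()
    unknown = set()
    for rec in records:
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue
        if rec.get("eventName") not in SES_SEND_EVENTS:
            continue
        arn = rec["userIdentity"]["arn"]
        hour = rec["eventTime"][:13]  # "2026-01-28T09" -> hourly bucket
        hourly[(arn, hour)] += 1
        if arn not in known_senders:
            unknown.add(arn)
    bursts = {key: n for key, n in hourly.items() if n > max_per_hour}
    return {"unknown_senders": sorted(unknown), "bursts": bursts}

def _rec(time, name, arn, source="ses.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed, not real log data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}

# Constructed scenario with placeholder account ID and user names: the known mailer
# sends one message; an unfamiliar IAM user fires three raw sends within the same hour.
# The S3 call is ignored because it is not an SES send operation.
APP = "arn:aws:iam::123456789012:user/app-mailer"
NEW = "arn:aws:iam::123456789012:user/temp-ses-user"
SAMPLE_TRAIL = [
    _rec("2026-01-28T09:05:00Z", "SendEmail", APP),
    _rec("2026-01-28T09:10:00Z", "SendRawEmail", NEW),
    _rec("2026-01-28T09:11:00Z", "SendRawEmail", NEW),
    _rec("2026-01-28T09:12:00Z", "SendRawEmail", NEW),
    _rec("2026-01-28T09:20:00Z", "ListBuckets", APP, source="s3.amazonaws.com"),
]

if __name__ == "__main__":
    print(ses_send_anomalies(SAMPLE_TRAIL, known_senders={APP}, max_per_hour=2))
```

In production the allow-list would come from the identities that legitimately send through SES, and the threshold from the account's normal hourly volume.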

TTP Used - Phishing Lures via Tracking Links

  • After threat actors successfully gain access to a compromised SES account, they will then enable the “click tracking” option on the SES console. Once click tracking is enabled, SES automatically scans and rewrites or modifies every hyperlink in the emails sent to redirect through awstrack[.]me.
  • Figure 3 shows how awstrack[.]me URLs hide the final URL destination, making it difficult for users, security tools, or filters to identify where the link ultimately leads. This obfuscation technique helps attackers conceal credential phishing sites or malware downloads behind a trusted AWS tracking domain.

Figure 3: Sample phishing email using an AWS SES domain for redirection and obfuscation.

TTP Used – Phishing Page Hosting

  • AWS SES URLs are often used to host phishing pages that mimic legitimate AWS login portals, tricking users into submitting their credentials on deceptive sites controlled by attackers. These hosted pages exploit AWS's trusted infrastructure to appear authentic, increasing the success rate of credential theft.

Figure 4: Microsoft Teams spoofing page hosted on AWS SES.

AWS Amplify

AWS Amplify is a development platform within AWS designed to simplify building, deploying, and managing full-stack web and mobile applications. It eases application rollout with pre-built backend environments, which are popular with developers. Because it is a user-friendly platform available on the free tier, it lets even novice attackers quickly deploy hosting for malicious infrastructure. Amplify also provides a code-first, cloud-native development experience that automates the provisioning and management of AWS resources (e.g., S3 buckets, CloudFront distributions, Cognito user pools). Its features include serverless hosting, authentication integration, scalability, Continuous Integration and Continuous Delivery/Deployment (CI/CD) pipelines, and the option to attach a custom domain to an Amplify-hosted web application instead of the default domain that Amplify provides (see the sample Amplify domain in Figure 5, main[.]d3hhbrxwf4lu41[.]amplifyapp[.]com).

TTP Used: Hosting Phishing Pages

Amplify Hosting, which pushes static web applications to CloudFront, could be abused to host phishing pages mimicking legitimate login portals or web forms.

In the sample below, the threat actor published a fake Zoom login page via AWS Amplify, using its trusted URL format hXXps[://]<Git repository branch name (e.g., main, dev, or staging)>[.]<AWS system-generated unique app ID>[.]amplifyapp[.]com.
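The three hostname shapes this report describes (S3 regional endpoints, SES awstrack[.]me click-tracking redirects, and Amplify default domains) can be matched directly in email triage. The following is an added example, not Cofense's code: it refangs report-style URLs, classifies each link's host against those shapes, and, for a tracking link, tries to recover a URL-encoded destination from the path without following the redirect. The sample lure, the bucket and app names, and the heuristic that the destination is URL-encoded in the path are assumptions, not documented SES behaviour.

```python
import re
from urllib.parse import unquote, urlparse
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Hostname shapes described in the report, for any region, bucket, branch or app id:
#   [<bucket>.]s3.<region>.amazonaws.com   S3 static-site hosting
#   <random>.r.<region>.awstrack.me        SES click-tracking redirect
#   <branch>.<app-id>.amplifyapp.com       Amplify Hosting default domain
AWS_HOST_PATTERNS = {
    "s3_hosting": re.compile(r"^(?:[a-z0-9.-]+\.)?s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$"),
    "ses_click_tracking": re.compile(r"^[a-z0-9]+\.r\.[a-z0-9-]+\.awstrack\.me$"),
    "amplify_hosting": re.compile(r"^[a-z0-9-]+\.[a-z0-9]+\.amplifyapp\.com$"),
}

def refang(text):
    """Undo report-style defanging (hXXps[://]example[.]com) so URLs can be parsed."""
    for old, new in (("hXXp", "http"), ("hxxp", "http"), ("[://]", "://"), ("[.]", ".")):
        text = text.replace(old, new)
    return text

def classify_host(host):
    """Return the report category a hostname falls into, or None."""
    host = host.lower().rstrip(".")
    for label, pattern in AWS_HOST_PATTERNS.items():
        if pattern.match(host):
            return label
    return None

def embedded_destination(url):
    """Heuristic (an assumption, not a documented SES format): recover a destination
    URL that is carried URL-encoded inside the tracking link, without following it."""
    parsed = urlparse(url)
    decoded = unquote(parsed.path + ("?" + parsed.query if parsed.query else ""))
    inner = URL_RE.findall(decoded)
    return inner[0] if inner else None

def find_aws_links(body):
    """List (url, category, hidden_destination) for every matching link in an email body."""
    findings = []
    for url in URL_RE.findall(refang(body)):
        category = classify_host(urlparse(url).hostname or "")
        if category:
            hidden = embedded_destination(url) if category == "ses_click_tracking" else None
            findings.append((url, category, hidden))
    return findings
# Constructed sample lure (not from a real campaign): a tracking link wrapping an S3 page.
SAMPLE_EMAIL = """Your shared OneDrive document is ready.
Open: hXXps[://]a1b2c3d4.r.us-east-1.awstrack[.]me/L0/https:%2F%2Fdocs-share.s3.us-east-1.amazonaws.com%2Findex.html/1/0100
"""
```

Run `find_aws_links(SAMPLE_EMAIL)` to see the tracking link classified and the S3-hosted page it wraps surfaced for review.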

Figure 5: A credential phishing page spoofing Zoom built using AWS Amplify.

Conclusion

This report details the continued trend of threat actors exploiting AWS services like S3 buckets for hosting phishing pages, SES for sending fraudulent emails with awstrack[.]me tracking links that redirect to credential-harvesting sites and Amplify for deploying convincing phishing sites on trusted domains. Although Amazon has taken steps to prevent the abuse of its services, several of which are listed in the following section, there are still large gaps that threat actors of even minimal skill level can exploit.


AWS’s Measures to Combat Abuse and Misuse for Credential Phishing

  • Despite certain platform characteristics that may be exploited, AWS has implemented various advanced security and monitoring tools designed to detect and mitigate the abuse of its services, particularly for credential phishing.
  • Amazon GuardDuty, a machine learning-powered threat detection service, focuses on proactive detection: it continuously monitors AWS accounts, workloads, and data stored in services like S3 for malicious activity, including credential phishing attempts.
  • It is also recommended to review Amazon’s page devoted to security best practices for S3 buckets.
  • AWS also maintains a dedicated Trust and Safety team that investigates reports of abuse, including phishing, submitted via the AWS abuse form or email addresses like trustandsafety@support[.]aws[.]com and stop-spoofing@amazon[.]com.


At Cofense, we are committed to helping organizations defend against today’s most advanced phishing attacks with speed, accuracy, and efficiency. Schedule a demo today to learn more.