Threat actors are using the legitimacy of Amazon Web Services (AWS) to create phishing websites and lure customers into unknowingly coughing up credentials, according to a new report by Avanan.

“If you’re using a site on the Internet, there’s a good chance that AWS is involved in some fashion,” wrote Jeremy Fuchs, researcher and analyst at Avanan.

Internet users can use AWS to build and host web pages for free. Even with little-to-no coding experience, hackers can easily create phishing pages on the platform, which is one of the most popular cloud storage and hosting solutions, he noted.

Success of ‘The Static Expressway’

The report claims that recently there has been a significant increase in attacks using legitimate services, such as AWS, “as a piggyback to land in the inbox” — a technique coined “The Static Expressway.”

The targeted user receives what looks like a standard password-expiration email from their company, with the phishing page hosted on a legitimate AWS app domain. Once the link is clicked, the user sees their company’s domain in the URL bar, their company logo, and their email address pre-populated.

It’s an “easy way into the inbox, plus a low lift from end-users,” wrote Fuchs. All the victim has to do is enter their password. Once entered, their now-stolen credentials are in the hands of the hacker.

This technique usually succeeds because no static solution will block content from AWS: the phishing email comes from its legitimate domain. Allow/block lists are static email-security checks that classify email content as safe or potentially dangerous from a fixed list of senders and domains.

“Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe,” wrote Fuchs. “It’s too big and too prevalent to block. We’ve seen this example with Google, QuickBooks, PayPal, and much more.”

Catching a Phish

Fuchs provided a few tips to help IT and security professionals combat these phishing schemes. Deploying artificial intelligence (AI) that weighs more than one factor can help determine the nature of an email, according to Fuchs. It’s also important to always look at the content of an email and hover over any links to see the destination URL before proceeding.

End-users can also ask IT if emails are legitimate or not, Fuchs said.

AWS phishing campaigns succeed because AWS domains are immune to fixed, or static, solutions — “Don’t solely rely on block or allow lists, especially as hackers continue to use legitimate sites to their advantage,” said Fuchs. “Rather use advanced email security that can understand the nature of the email and determine its intent.”
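To make the contrast concrete between the static allow-list check described in the “Static Expressway” section and the multi-factor approach recommended here, the following added example (not code from Avanan or from the article) shows a toy allow list passing a constructed AWS-hosted lure while a check that weighs several signals flags it. The hosting-domain set, the lure patterns and the sample message are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: public app-hosting platforms a static allow list treats as always safe.
PUBLIC_HOSTING = {"amazonaws.com", "cloudfront.net"}
LURE_PATTERNS = [r"password.{0,40}expir", r"keep.{0,20}current password"]

class LinkExtractor(HTMLParser):  # collects (href, anchor text) pairs from an HTML mail body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(body_html):
    parser = LinkExtractor()
    parser.feed(body_html)
    return parser.links

def base_domain(host):  # last two labels; good enough for the sample platforms above
    return ".".join((host or "").lower().split(".")[-2:])

def static_allow_list_says_safe(body_html):  # allow-list view: trusted host, so let it through
    return all(base_domain(urlparse(h).hostname) in PUBLIC_HOSTING for h, _ in extract_links(body_html))

def multi_factor_signals(company_domain, body_html):  # weigh several signals, not host trust alone
    company_domain, signals = company_domain.lower(), set()
    for href, anchor in extract_links(body_html):
        host = (urlparse(href).hostname or "").lower()
        on_company_host = host == company_domain or host.endswith("." + company_domain)
        if base_domain(host) in PUBLIC_HOSTING:
            signals.add("link_on_public_hosting")
        if company_domain in (anchor + href).lower() and not on_company_host:
            signals.add("company_named_but_host_differs")  # brand/email shown, page hosted elsewhere
    if any(re.search(p, re.sub(r"<[^>]+>", " ", body_html), re.I) for p in LURE_PATTERNS):
        signals.add("password_expiry_lure")
    return sorted(signals)  # two or more signals together warrant a closer look

SAMPLE_BODY = (  # constructed sample message modelled on the lure described in the report
    '<p>Your password for example.com will expire in 24 hours.</p>'
    '<a href="https://notice-1234.cloudfront.net/login?email=jane@example.com">'
    'https://example.com/password-reset</a>')
```

Run `multi_factor_signals("example.com", SAMPLE_BODY)` to see the three signals the allow list alone never surfaces.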