In this phishing attack, the attacker poses as Amazon Web Services (AWS) and emails the target regarding a possible credit for their AWS account. The message claims that the recipient may be eligible for a $300 AWS credit and invites them to click the included link to apply. To increase the appearance of legitimacy, the perpetrator sets the sender display name as "Amazon Services" and convincingly incorporates AWS branding into the email content. They even go so far as to include AWS' boilerplate disclaimer that warns recipients against clicking links in suspicious emails. If the target clicks the "Apply for $300 AWS Credit" button, they will be redirected to a page designed to steal sensitive information, such as login credentials or payment details. This attack highlights the sophisticated tactics employed by threat actors to exploit the trust associated with well-known brands like AWS. By mimicking AWS's branding and offering an attractive incentive, the attacker seeks to compel recipients to click on the malicious link and provide sensitive information.

Older, legacy email security tools struggle to accurately identify this email as an attack because it contains legitimate-looking content, is sent from an unclassified domain that is unlikely to be listed in threat intelligence databases, and includes some legitimate links. Modern, AI-powered email security solutions detect anomalies in the content and the fact that the sender uses an unregistered domain from which the recipient has not received emails in the past to mark this email as an attack correctly.

Status Bar Dots
May 8th Screenshot

Phishing email with legitimate-looking content.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Content: The email uses professional language and branding that mimics official AWS communication, making it harder for content-based filters to detect anomalies. 
  • Unclassified Domain: The sending domain "best9game[.]com" is not registered, which means it may not be listed in threat intelligence databases utilized by legacy systems. 
  • Legitimate Links Included: The email incorporates real links to Amazon's websites, which lends it a veneer of authenticity and allows it to bypass simple link verification checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Anomalies: The promise of a $300 AWS credit with an instruction to click a link hosted at https://rb[.]gy is unusual and flagged by Abnormal's sophisticated content analysis engine.
  • Reputation Analysis: The newly-created and unregistered outbound domain "best9game[.]com" is suspicious and contextually analyzed for dubious activity, raising alerts within Abnormal's systems.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal's platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link
Fake Website


Fake Payment

Impersonated Party


Impersonated Brands

Amazon Web Services

See How Abnormal Stops Emerging Attacks

See a Demo