Phishing at Cloud Scale: How AWS is Abused for Credential Theft

This report analyzes how threat actors exploit AWS services—notably S3 buckets, SES (awstrack.me tracking links), and Amplify—to host and disseminate large-scale credential-phishing campaigns, outlines observed TTPs and example phishing pages from 2021–2025, highlights the abuse of trusted AWS infrastructure to evade email security controls, and summarizes AWS and vendor mitigation recommendations.