A large-scale phishing campaign has been uncovered in which attackers exploit legitimate Software-as-a-Service (SaaS) platforms to deliver phone-based scam lures. The campaign generated approximately 133,260 phishing emails and impacted 20,049 organizations, with the United States the most targeted region. The attackers are not compromising the platforms themselves; they misuse native functionality to generate emails that appear authentic, borrowing the trust and reputation of well-known brands such as Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes.

This trend marks a strategic shift: attackers bypass traditional detection by sending through trusted cloud workflows and by relying on phone-based lures, which carry no link for URL analysis or sandboxing to inspect. Three primary methods of abuse were observed: misuse of legitimate SaaS email generation and redistribution, abuse of Microsoft notification workflows across various products, and exploitation of Amazon Business invitation features.

The campaign’s scale, and its concentration in recent months, highlight its effectiveness and scalability as a low-friction, high-return-on-investment strategy. The education and enterprise sectors are noted as being at elevated risk because of their high notification volumes and established trust in these platforms. The report concludes that defenders must adapt: an authenticated, well-branded email from a trusted source is no longer inherently safe and requires contextual analysis to detect abuse.
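The contextual analysis the report calls for can be illustrated with a small triage heuristic. The following Python is an added example written for this page, not code from the report or from any of the platforms it names; the trusted-domain list, the callback wording list, the thresholds and the three sample messages are all constructed assumptions. It looks for exactly the combination the summary describes: a DMARC-passing sender on a well-known platform, a phone number in the body, pressure wording about charges or refunds, and few or no URLs for a link scanner to act on.

```python
"""Flag phone-based ("callback") lures in mail from trusted SaaS senders.

Added example for this page; the domain list, wording list and samples are
constructed, and the thresholds are assumptions a mail team would tune.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: notification domains an organisation treats as trusted; in practice
# this would come from the mail gateway's allow-list, not be hard-coded.
TRUSTED_NOTIFICATION_DOMAINS = {"microsoft.com", "zoom.us", "amazon.com", "paypal.com"}

# North American phone shapes such as 1-888-555-0142 or (888) 555-0142.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Wording typical of callback lures: an unexpected charge plus pressure to phone in.
CALLBACK_TERMS = ("call", "dial", "contact us", "billing", "charged",
                  "refund", "cancel", "within 24 hours", "unauthorized")


def sender_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From header, lower-cased ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def dmarc_passed(msg: Message) -> bool:
    """True when the gateway's Authentication-Results header records dmarc=pass."""
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (or the single body) as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    """Return the signals and a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    terms = [t for t in CALLBACK_TERMS if t in lowered]
    domain = sender_domain(msg)
    trusted = domain in TRUSTED_NOTIFICATION_DOMAINS
    authenticated = dmarc_passed(msg)

    # A phone lure: a number to call, pressure wording, and little for a URL scanner to inspect.
    lure = bool(phones) and len(terms) >= 2 and len(urls) <= 1
    if lure and trusted and authenticated:
        verdict = "callback-lure-via-trusted-saas"   # authenticated + branded, yet a lure
    elif lure:
        verdict = "callback-lure"
    else:
        verdict = "no-phone-lure"
    return {"sender_domain": domain, "trusted_sender": trusted, "dmarc_pass": authenticated,
            "phone_numbers": phones, "url_count": len(urls), "callback_terms": terms,
            "verdict": verdict}


# Constructed sample messages (555-01xx numbers are reserved for fiction).
SAMPLES = {
    "trusted_lure": """\
From: Microsoft Billing <noreply@microsoft.com>
Authentication-Results: mx.example.org; dmarc=pass header.from=microsoft.com
Subject: Receipt for your order

Your Microsoft 365 subscription was charged $399.99 today. If you did not
authorize this purchase, call our billing team at 1-888-555-0142 within 24 hours
to cancel and request a refund.
""",
    "legit_notice": """\
From: Zoom <no-reply@zoom.us>
Authentication-Results: mx.example.org; dmarc=pass header.from=zoom.us
Subject: Meeting reminder

Hi Alice, your meeting "Q3 planning" starts at 10:00 AM.
Join Zoom Meeting: https://zoom.us/j/000000000?pwd=placeholder
""",
    "untrusted_lure": """\
From: PayPal Billing <billing@mail-example.net>
Authentication-Results: mx.example.org; dmarc=fail header.from=mail-example.net
Subject: Payment problem

We could not process your PayPal payment of $129.00.
Call (888) 555-0199 to cancel this charge and get a refund.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", analyze(raw)["verdict"])
```

The first sample is the case the report is about: every conventional signal (DMARC pass, a brand domain, no suspicious link) says "safe", and only the body-level context flags it. Keeping the phone and wording checks separate from the sender-trust check lets a gateway route trusted-but-suspicious mail to a quarantine-and-review queue rather than to a hard block.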
SaaS Abuse at Scale: Phone-Based Scam Campaign Leveraging Trusted Platforms
Edward Kiledjian
@ekiledjian