Feb 26: Check Point Research has revealed a large-scale phishing campaign in which attackers are misusing legitimate software-as-a-service (SaaS) platforms to deliver phone-based scams. Unlike traditional phishing, this campaign leverages the native functionality of trusted enterprise platforms to create emails that appear authentic, bypassing conventional detection systems and inheriting the reputation of well-known brands.

The campaign generated approximately 133,260 phishing emails, impacting over 20,000 enterprises globally, and marks a strategic shift in attack methods, where the abuse of platform trust replaces the need for compromised infrastructure or malicious links.

Key Findings:

  • Attackers exploited SaaS platforms including Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes to craft emails resembling legitimate service notifications.

  • Campaigns directed recipients to call attacker-controlled phone numbers, bypassing link-based security checks.

  • Abuse methods included:

    1. Exploiting SaaS email generation via user-controlled fields to create legitimate-looking scam emails.

    2. Leveraging Microsoft notification workflows (account, subscription, Entra ID, Power BI) to embed fraudulent messages.

    3. Using Amazon Business invitation workflows to insert scam content directly into legitimate invitations.

Industries and Regions Impacted:

  • Top affected sectors: Technology & SaaS (26.8%), Manufacturing (21.4%), Education (12.1%)

  • Geographic distribution: United States (66.9%), Europe (17.8%), Asia-Pacific (9.2%)

Implications:
This campaign highlights a rapidly evolving threat model where trusted platforms themselves are weaponized. Organizations can no longer assume authenticated emails from reputable SaaS providers are inherently safe. Awareness and contextual detection strategies are critical to mitigate risks associated with this new form of social engineering.
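One form the contextual detection mentioned above can take, as an added example that is not from Check Point Research: treat passing authentication from a trusted SaaS sender as an input rather than a verdict, and flag messages whose body pairs a phone number with callback-lure wording. The sender domain, lure vocabulary, threshold and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder domains standing in for the SaaS senders you allow-list.
TRUSTED_SAAS_DOMAINS = {"notify.saas-vendor.example"}
# Assumption: starter vocabulary for callback lures; tune against your own mail.
LURE_RE = re.compile(r"\b(call|cancel|refund|charged|dispute|unauthorized)\b", re.I)
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def assess(raw: str) -> dict:
    """Flag authenticated mail from a trusted SaaS sender that pushes a phone call."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only trust an Authentication-Results header stamped by your own gateway.
    dkim_pass = "dkim=pass" in msg.get("Authentication-Results", "").lower()
    text = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    phones = PHONE_RE.findall(text)
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    trusted = dkim_pass and domain in TRUSTED_SAAS_DOMAINS
    # Sender reputation is deliberately not a pass: trusted + phone + lure => review.
    return {"trusted_sender": trusted, "phones": phones, "lure_terms": lures,
            "flag": trusted and bool(phones) and len(lures) >= 2}

HEADERS = ("From: Service <no-reply@notify.saas-vendor.example>\n"
           "Authentication-Results: mx.corp.example; dkim=pass; spf=pass\n"
           "Subject: Account notification\n\n")
# Constructed samples: scam text sits in a user-controlled field of a real notification.
LURE_MAIL = HEADERS + ("Account name: Your card was charged 499.99 USD. To cancel "
                       "or dispute, call +1 (202) 555-0147 now.\n")
BENIGN_MAIL = HEADERS + "Your monthly invoice is available in the billing portal.\n"

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, assess(raw))
```

A flagged message is a candidate for review or a user-facing banner, not an automatic block, since legitimate notifications can also carry support numbers.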
