Key Points
- Threat actors sent approximately 67k callback messages across the first three weeks of March using genuine Amazon password-recovery notifications
- Campaign exploits legitimate Amazon SES infrastructure with valid DKIM authentication
- Forwarding chain through Proton and Microsoft 365 SRS (Sender Rewriting Scheme) amplified a single message to thousands of recipients
Campaign Overview
In March 2026, the Mimecast Threat Research team identified a callback phishing campaign that weaponized Amazon's own password-recovery notification system. Unlike traditional phishing that relies on lookalike domains or link-based attacks, this campaign used legitimate Amazon infrastructure to deliver high-trust social engineering messages at high volume. Threat actors controlled an Amazon account that they used to trigger password-recovery notifications, and they injected malicious content, including instructions to call a phone number, into the username fields that appear in the notification template. The result: the messages passed every sender-authentication check and displayed as genuine Amazon communications. The authentication result is accurate as far as it goes; it proves the message left Amazon's mail infrastructure unmodified. What it cannot vouch for is the attacker-supplied text that Amazon's template rendered, which is exactly where the lure lives.
The Lure: Engineered Urgency
Recipients received what appeared to be a legitimate alert indicating someone had requested a password reset on their Amazon account. Rather than embedding a malicious link, the message created urgency around a phone number, instructing recipients to call if they had not requested the reset.
This callback pattern deliberately shifts the attack off email security controls and URL reputation systems onto voice channels, where verification is harder and impostors can adapt their approach in real time. When paired with an authenticated Amazon template, the likelihood of recipient trust increases significantly.
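The two sections above describe the mechanism (authentic Amazon template, attacker text in the username field) and the lure (a phone number plus a "call us" instruction instead of a link). The detection logic below is an added example, not Mimecast's code or anything from the article: it parses two constructed sample messages, confirms that the Authentication-Results header reports a DKIM pass for amazon.com, and then inspects the greeting line where the username is rendered for a phone number and a callback verb. The headers, addresses, and the +1-555 number are placeholders invented for this example; the point it makes is that a DKIM pass must not short-circuit content inspection.

```python
"""Flag callback-phishing text inside otherwise authentic transactional mail.

Added example, not part of the original article. The two raw messages are
constructed samples that imitate the shape of a password-assistance
notification; nothing here is a real campaign artifact.
"""
import email
import re
from email import policy

# Constructed sample 1: a clean notification. The greeting carries a normal username.
BENIGN_RAW = """\
Authentication-Results: mx.example.net; dkim=pass header.d=amazon.com; spf=pass
From: Amazon <account-update@amazon.com>
To: alice@example.net
Subject: Password assistance
Content-Type: text/plain; charset=utf-8

Hello Alice,
Someone requested a password reset for your account.
If this was not you, you can safely ignore this email.
"""

# Constructed sample 2: same template, same DKIM pass, but the "username" the
# attacker set on the account is a callback instruction with a placeholder number.
CALLBACK_RAW = """\
Authentication-Results: mx.example.net; dkim=pass header.d=amazon.com; spf=pass
From: Amazon <account-update@amazon.com>
To: bob@example.net
Subject: Password assistance
Content-Type: text/plain; charset=utf-8

Hello URGENT: if you did not request this call +1-555-010-0199 now,
Someone requested a password reset for your account.
If this was not you, you can safely ignore this email.
"""

# Loose phone-number shape: optional +, then 9+ digits/separators ending in a digit.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
# Verbs that turn a phone number into a callback lure.
CALLBACK_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.IGNORECASE)


def dkim_pass_for(msg, domain):
    """True if any Authentication-Results header reports dkim=pass for `domain`."""
    for value in msg.get_all("Authentication-Results", []):
        if re.search(r"dkim=pass\b", value) and re.search(
            rf"header\.d={re.escape(domain)}\b", value
        ):
            return True
    return False


def greeting_line(body):
    """Return the line where the template renders the account username."""
    for line in body.splitlines():
        if line.strip().lower().startswith("hello"):
            return line
    return ""


def classify(raw):
    """Parse one raw message and decide whether its greeting carries a callback lure.

    The DKIM result is recorded but deliberately does NOT suppress the verdict:
    authentication tells us who sent the template, not what was typed into it.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    greeting = greeting_line(body)
    phone = PHONE_RE.search(greeting)
    verb = CALLBACK_RE.search(greeting)
    findings = {
        "dkim_pass_amazon": dkim_pass_for(msg, "amazon.com"),
        "greeting": greeting.strip(),
        "phone_in_greeting": phone.group(0).strip() if phone else None,
        "callback_verb": verb is not None,
    }
    findings["verdict"] = "callback-phish" if (phone and verb) else "benign"
    return findings


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_RAW), ("callback", CALLBACK_RAW)):
        print(label, classify(raw))
```

Both samples authenticate identically, so a rule that whitelists DKIM-passing amazon.com mail would deliver the second one. Keying the check on the greeting line is specific to this template; in production you would scan every template field that is populated from account-controlled data, and treat a phone number plus an instruction to call as a strong signal regardless of how well the message authenticates.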
Please click HERE to read the entire article. We welcome your questions; please ask them by posting a comment below.
Thank you for reading,
Toby