A phishing attack targeting AWS users was discovered involving a public AWS Systems Manager Automation Document.
The attack used a crafted URL that resembled a legitimate AWS Console link to trick users.
By clicking the link, users unknowingly executed a malicious SSM document, leading to unauthorized access, data exfiltration, and malware deployment.
Preventative measures include increasing awareness, verifying SSM document owners, implementing enhanced warnings in the AWS Console, and refining permission settings.