An invoice email that looks like it came from AWS, passes every authentication check, and even includes a PDF attachment should be straightforward to evaluate. Open the attachment, review the charges, move on. But when that PDF is exactly zero bytes, the entire interaction model shifts. The attachment is a prop. The links are the payload.
This message arrived through Amazon SES (a48-193.smtp-out.amazonses[.]com, IP 54.240.48[.]193). SPF passed for amazonses[.]com, DKIM signatures were valid for both aws[.]com and amazonses[.]com, and DMARC passed. The email presented as an invoice notification referencing an account number and invoice ID, styled with the standard AWS billing template including the 410 Terry Ave N, Seattle footer address.
The problem: the attached PDF, named after the invoice ID, contained nothing. Zero bytes. Its MD5 hash, d41d8cd98f00b204e9800998ecf8427e, is the well-known digest of an empty input.
The Empty Attachment Gambit
A zero-byte PDF serves two purposes in a phishing campaign. First, it evades attachment-based malware scanning. There is no malicious macro, no embedded JavaScript, no exploit code, because there is no content at all. Automated scanners report the file as clean because there is nothing to flag. Second, it forces the recipient to engage with the email's embedded links to find the invoice content they expected from the attachment.
The links in this message are where the real risk lives. Several URLs use aws.amazon[.]com as the visible domain but include long sessionized tokens that are not standard static console URLs. These links route through awstrack[.]me, an AWS-operated click-tracking and redirect service. While awstrack[.]me is legitimately used in AWS communications, its presence in a phishing email means the redirect infrastructure itself is AWS-owned, which complicates blocklist-based detection.
More concerning is an embedded Qualtrics survey link (amazonmr.au1.qualtrics[.]com). Qualtrics forms are commonly used for legitimate feedback collection, but in this context, the form serves as an external data-collection endpoint. Recipients who follow the link expecting to view or dispute an invoice could be prompted for credentials or account details.
The email body showed low personalization: no recipient name, no invoice total, no billing contact. A legitimate AWS invoice notification includes specific dollar amounts and account owner details. The absence of these elements, combined with first-time sender status, positions this as a mass campaign rather than targeted spearphishing.
Hidden tracking assets in the HTML (1px tracking pixels and link-rewrite tokens) confirm engagement monitoring. The attacker is tracking opens and clicks to identify active targets for potential follow-up campaigns.
The use of Amazon SES as the delivery platform is a calculated choice. SES provides high deliverability, valid authentication signatures, and hosting within AWS infrastructure that many organizations allowlist by default. For companies that actually use AWS, an invoice notification from SES looks identical to their real billing emails at the infrastructure level.
MITRE ATT&CK Mapping
- Phishing: Spearphishing Link (T1566.002): The email contains multiple links designed to route recipients through redirect infrastructure to external collection endpoints.
How Adaptive AI Detects Empty-Attachment Invoice Phishing
Static attachment scanning correctly reports zero-byte files as clean, but that verdict is misleading. The absence of a payload in the attachment is itself a signal when combined with link-heavy body content and invoice-themed subject lines.
Themis, the IRONSCALES Adaptive AI, correlates attachment metadata with body content and link behavior. When an invoice email attaches an empty file and pushes the recipient toward external URLs, the pattern triggers a risk elevation that static scanners miss. First-time sender status and low personalization add further weight.
The IRONSCALES community-driven threat intelligence network identifies these campaigns across organizations. When multiple mailboxes receive similar AWS-themed invoice emails with zero-byte attachments, the collective signal drives faster remediation. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and cloud-provider impersonation campaigns contribute meaningfully to that volume.
Hardening Recommendations
- Flag zero-byte attachments. Any email with an attachment that is exactly 0 bytes should trigger an automatic alert. This is never legitimate behavior for document delivery.
- Verify invoices at the source. Train finance and operations teams to verify cloud invoices directly through the provider's billing console, never through email links.
- Monitor for AWS tracking redirects in unexpected contexts. Legitimate awstrack[.]me links appear in AWS communications, but their presence from first-time senders or unfamiliar account contexts is anomalous.
- Evaluate personalization quality. Legitimate invoice emails include account-specific details. Generic invoices missing dollar amounts and billing contacts are strong phishing indicators.
- Block or sandbox external survey links in financial emails. Qualtrics, Google Forms, and similar platforms embedded in invoice-themed emails should be treated as suspicious data-collection vectors.
Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| 54.240.48[.]193 | IP | Amazon SES sending IP |
| a48-193.smtp-out.amazonses[.]com | Domain | SES mail transfer agent |
| d41d8cd98f00b204e9800998ecf8427e | MD5 | Hash of zero-byte PDF attachment |
| awstrack[.]me | Domain | AWS click-tracking redirect service |
| amazonmr.au1.qualtrics[.]com | Domain | External Qualtrics survey form |
| invoicing@aws[.]com | Email address | Sender address (From header) |
Related attacks
| Attack | What happened |
|---|---|
| The Auth0 Developer Tenant That Passed Every Security Check (Because It Was Real) | An attacker weaponized Auth0's free developer tenant to build a phishing chain that passed DKIM, DMARC, and every link scanner. |
| The Lab Result Notification That Every Security Check Approved (Because the Platform Was Real) | A credential harvest targeting healthcare portal logins arrived through bridgeinteract.io, a legitimate HIPAA-adjacent patient engagement platform. |
| A Google Redirect, a Monday.com Tracker, and a Fake NDA: Credential Harvesting Through Trusted Infrastructure | A DocuSign NDA impersonation routed its primary CTA through a three-hop redirect chain: Google.com to Monday.com tracking service to a Zimbabwean domain. |
| The Quarantine Portal That Looked Exactly Like the Real One | A fake quarantine notification delivered a pixel-perfect replica of a quarantine management portal, complete with JWT-embedded action links. |
| The Zix Portal That Authenticated Itself Into Your Inbox | An attacker used legitimate Zix secure-email infrastructure to deliver a credential-harvesting page disguised as encrypted title company documents. |