
AWS Invoice Phishing Attaches a Zero-Byte PDF to Force Click-Through

Written by Audian Paxson | Sep 1, 2025 11:00:00 AM
TL;DR A phishing email impersonating an AWS invoice notification was delivered through Amazon SES with valid SPF, DKIM, and DMARC authentication. The attached PDF was zero bytes (MD5 d41d8cd98f00b204e9800998ecf8427e, the hash of an empty file), forcing recipients to interact with embedded links instead. Those links routed through awstrack.me redirect infrastructure and included an external Qualtrics survey form. Low personalization and first-time sender status suggest a mass campaign using legitimate cloud infrastructure.
Severity: Medium | Tags: Invoice-Phishing, Credential-Harvesting | MITRE: T1566.002

An invoice email that looks like it came from AWS, passes every authentication check, and even includes a PDF attachment should be straightforward to evaluate. Open the attachment, review the charges, move on. But when that PDF is exactly zero bytes, the entire interaction model shifts. The attachment is a prop. The links are the payload.

This message arrived through Amazon SES (a48-193.smtp-out.amazonses[.]com, IP 54.240.48[.]193). SPF passed for amazonses[.]com, DKIM signatures were valid for both aws[.]com and amazonses[.]com, and DMARC passed. The email presented as an invoice notification referencing an account number and invoice ID, styled with the standard AWS billing template including the 410 Terry Ave N, Seattle footer address.

The problem: the attached PDF, named after the invoice ID, contained nothing. Zero bytes. MD5 hash: d41d8cd98f00b204e9800998ecf8427e, which is the universally recognized hash of an empty file.

The Empty Attachment Gambit

A zero-byte PDF serves two purposes in a phishing campaign. First, it evades attachment-based malware scanning. There is no malicious macro, no embedded JavaScript, no exploit code, because there is no content at all. Automated scanners report the file as clean because there is nothing to flag. Second, it forces the recipient to engage with the email's embedded links to find the invoice content they expected from the attachment.

The links in this message are where the real risk lives. Several URLs use aws.amazon[.]com as the visible domain but include long sessionized tokens that are not standard static console URLs. These links route through awstrack[.]me, an AWS-operated click-tracking and redirect service. While awstrack[.]me is legitimately used in AWS communications, its presence in a phishing email means the redirect infrastructure itself is AWS-owned, which complicates blocklist-based detection.

More concerning is an embedded Qualtrics survey link (amazonmr.au1.qualtrics[.]com). Qualtrics forms are commonly used for legitimate feedback collection, but in this context, the form serves as an external data-collection endpoint. Recipients who follow the link expecting to view or dispute an invoice could be prompted for credentials or account details.

The email body showed low personalization: no recipient name, no invoice total, no billing contact. A legitimate AWS invoice notification includes specific dollar amounts and account owner details. The absence of these elements, combined with first-time sender status, positions this as a mass campaign rather than targeted spearphishing.

Hidden tracking assets in the HTML (1px tracking pixels and link-rewrite tokens) confirm engagement monitoring. The attacker is tracking opens and clicks to identify active targets for potential follow-up campaigns.

The use of Amazon SES as the delivery platform is a calculated choice. SES provides high deliverability, valid authentication signatures, and hosting within AWS infrastructure that many organizations allowlist by default. For companies that actually use AWS, an invoice notification from SES looks identical to their real billing emails at the infrastructure level.


MITRE ATT&CK Mapping

  • Phishing: Spearphishing Link (T1566.002): The email contains multiple links designed to route recipients through redirect infrastructure to external collection endpoints.

How Adaptive AI Detects Empty-Attachment Invoice Phishing

Static attachment scanning correctly reports zero-byte files as clean, but that verdict is misleading. The absence of a payload in the attachment is itself a signal when combined with link-heavy body content and invoice-themed subject lines.

Themis, the IRONSCALES Adaptive AI, correlates attachment metadata with body content and link behavior. When an invoice email attaches an empty file and pushes the recipient toward external URLs, the pattern triggers a risk elevation that static scanners miss. First-time sender status and low personalization add further weight.

The IRONSCALES community-driven threat intelligence network identifies these campaigns across organizations. When multiple mailboxes receive similar AWS-themed invoice emails with zero-byte attachments, the collective signal drives faster remediation. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and cloud-provider impersonation campaigns contribute meaningfully to that volume.

Hardening Recommendations

  1. Flag zero-byte attachments. Any email with an attachment that is exactly 0 bytes should trigger an automatic alert. This is never legitimate behavior for document delivery.
  2. Verify invoices at the source. Train finance and operations teams to verify cloud invoices directly through the provider's billing console, never through email links.
  3. Monitor for AWS tracking redirects in unexpected contexts. Legitimate awstrack[.]me links appear in AWS communications, but their presence from first-time senders or unfamiliar account contexts is anomalous.
  4. Evaluate personalization quality. Legitimate invoice emails include account-specific details. Generic invoices missing dollar amounts and billing contacts are strong phishing indicators.
  5. Block or sandbox external survey links in financial emails. Qualtrics, Google Forms, and similar platforms embedded in invoice-themed emails should be treated as suspicious data-collection vectors.
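The following is an added example, not IRONSCALES code: it applies recommendations 1, 3, 4 and 5 to one RFC 5322 message using only the Python standard library, and builds a constructed sample modelled on the email described above (the sample, the host lists and the scoring weights are assumptions for illustration).

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 of an empty file, as cited on the page.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
# Host fragments to flag; this list and the weights below are assumptions for the example.
TRACKING_HOSTS = ("awstrack.me",)
SURVEY_HOSTS = ("qualtrics.com", "docs.google.com")
URL_RE = re.compile(r"https?://([^\s\"'<>/]+)")
PIXEL_RE = re.compile(r"<img[^>]*\bwidth=\"1\"[^>]*\bheight=\"1\"", re.I)
AMOUNT_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")

def score_invoice_email(raw: bytes) -> dict:
    """Apply recommendations 1, 3, 4 and 5 to one message; return findings, score and verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, score = [], 0
    # Rule 1: a 0-byte attachment (or one hashing to the empty-file MD5) is never legitimate.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data or hashlib.md5(data).hexdigest() == EMPTY_MD5:
            findings.append(f"zero-byte attachment: {part.get_filename()}"); score += 3
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    hosts = {h.lower() for h in URL_RE.findall(html)}
    for h in sorted(hosts):
        # Rule 3: AWS click-tracking redirects outside a known sender relationship.
        if h.endswith(TRACKING_HOSTS):
            findings.append(f"tracking redirect: {h}"); score += 1
        # Rule 5: external survey platforms inside an invoice-themed message.
        if any(s in h for s in SURVEY_HOSTS):
            findings.append(f"survey form: {h}"); score += 2
    if PIXEL_RE.search(html):
        findings.append("1px tracking pixel"); score += 1
    # Rule 4: a real invoice carries an amount; a generic one does not.
    if not AMOUNT_RE.search(html):
        findings.append("no invoice total in body"); score += 1
    invoice_themed = "invoice" in msg.get("Subject", "").lower()
    return {"findings": findings, "score": score, "elevated": invoice_themed and score >= 4}

def build_sample(empty_pdf: bool = True) -> bytes:
    """Constructed message modelled on the page's description (not the captured email)."""
    m = EmailMessage()
    m["From"], m["To"] = "invoicing@aws.com", "ap@example.com"
    m["Subject"] = "Your AWS invoice is available"
    m.set_content("Your invoice is attached.")
    links = ('<a href="https://awstrack.me/L0/https://aws.amazon.com/x">View</a> '
             '<a href="https://amazonmr.au1.qualtrics.com/jfe/form/SV_x">Dispute</a>'
             '<img src="https://awstrack.me/I0/x" width="1" height="1">') if empty_pdf else "Total due: $42.10"
    m.add_alternative(f"<p>Invoice attached. {links}</p>", subtype="html")
    pdf = b"" if empty_pdf else b"%PDF-1.4\n%%EOF\n"
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename="INV-0001.pdf")
    return bytes(m)
```

Passing `empty_pdf=False` builds a control message with a real attachment, a dollar amount and no external links, which the scorer leaves at zero.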

Indicators of Compromise

| Indicator | Type | Context |
| --- | --- | --- |
| 54.240.48[.]193 | IP | Amazon SES sending IP |
| a48-193.smtp-out.amazonses[.]com | Domain | SES mail transfer agent |
| d41d8cd98f00b204e9800998ecf8427e | MD5 | Hash of zero-byte PDF attachment |
| awstrack[.]me | Domain | AWS click-tracking redirect service |
| amazonmr.au1.qualtrics[.]com | Domain | External Qualtrics survey form |
| invoicing@aws[.]com | Email | Sender address (From header) |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
