Fake Incident Report Used in Phishing Campaign

This morning, I received an interesting phishing email. I have a "love & hate" relationship with such emails because I always have the impression of losing time when reviewing them, but sometimes it's a win because you spot interesting TTPs ("tools, techniques & procedures"). Maybe one day, I'll try to automate this process! Today's email targets Metamask[1] users. It's a popular software crypto wallet available as a browser extension and mobile app. The mail asks the victim to enable 2FA:

The link points to an AWS server: hxxps://access-authority-2fa7abff0e[.]s3.us-east-1[.]amazonaws[.]com/index.html

But if you look carefully at the screenshots, you see that there is a file attached to the message: "Security_Reports.pdf".
Article Summaries:
- A phishing campaign targeting Metamask users was reported on February 17. Attackers sent emails that appear to come from a legitimate source, asking recipients to enable two‑factor authentication (2FA). The message includes a link to an AWS-hosted page and a PDF attachment titled “Security_Reports.pdf.” The PDF contains a fabricated incident report about unusual login activity, generated with the ReportLab library. The campaign is considered low‑quality because the sender address is not spoofed and the PDF lacks branding or personalization. The incident highlights the use of fake security alerts to manipulate users into clicking malicious links.
- A phishing campaign targeting Metamask users was reported on February 17. Attackers sent emails that appear to come from a legitimate source and ask recipients to enable two-factor authentication via a link to an AWS S3 bucket. The email also includes a PDF attachment titled "Security_Reports.pdf," which contains a fabricated incident report about suspicious login activity. The document was generated with the open-source ReportLab library and carries no branding, and the sender address is not spoofed, indicating a low-quality operation. The campaign's goal is to scare users into enabling 2FA, but the lack of personalization and spoofing reduces its effectiveness.
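As an added example (not the diary's own code), a small Python triage helper that checks the indicators described in the diary text and the summaries above: the defanged link to an S3 bucket whose name mimics a 2FA service, whether the sender domain matches the impersonated brand, the security-themed PDF attachment, and the /Producer string that a ReportLab-generated PDF carries. The sender domain, the brand domain and the embedded PDF fragment are constructed assumptions, not values from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample PDF fragment (not the real attachment): only the info
# dictionary matters here; ReportLab writes its own name into /Producer.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n"
              b"<< /Producer (ReportLab PDF Library - www.reportlab.com) /Title () >>\n"
              b"endobj\n")

def refang(url: str) -> str:
    """Turn a defanged URL (hxxps://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def pdf_producer(data: bytes) -> str:
    """Return the /Producer string from the PDF info dictionary, or '' if absent."""
    m = re.search(rb"/Producer\s*\(([^)]*)\)", data)
    return m.group(1).decode("latin-1") if m else ""

def triage(sender_domain: str, brand_domain: str, link: str,
           attachment: str, pdf: bytes) -> list[str]:
    """Return the list of lure indicators found (empty list = nothing suspicious)."""
    hits = []
    host = urlparse(refang(link)).hostname or ""
    labels = host.split(".")
    # The mail talks about the brand, but the link lands on a bucket under amazonaws.com
    if host.endswith(".amazonaws.com") and "s3" in labels:
        bucket = labels[0]
        hits.append(f"link points to S3 bucket '{bucket}', not to {brand_domain}")
        if re.search(r"2fa|auth|secur", bucket):
            hits.append("bucket name mimics a security/2FA service")
    # Low-quality lure: the sender address is not even spoofed to the brand's domain
    if not sender_domain.endswith(brand_domain):
        hits.append(f"sender domain {sender_domain} does not match {brand_domain} (not spoofed)")
    if attachment.lower().endswith(".pdf"):
        if re.search(r"incident|report|security", attachment, re.IGNORECASE):
            hits.append(f"security-themed PDF attachment '{attachment}'")
        # Weak signal on its own (ReportLab is a legitimate library), but combined with
        # the other hits it points to a script-built document with no corporate template
        if "ReportLab" in pdf_producer(pdf):
            hits.append("PDF generated with ReportLab (script-built document, no branding)")
    return hits
```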