Credential phishing: AWS Lambda URL with recipient targeting

Detects messages containing AWS Lambda URLs with the recipient's email address embedded in the fragment, indicating potential abuse of AWS Lambda services for targeted malicious activities.

Sublime rule

name: "Credential phishing: AWS Lambda URL with recipient targeting"
description: "Detects messages containing AWS Lambda URLs with the recipient's email address embedded in the fragment, indicating potential abuse of AWS Lambda services for targeted malicious activities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and recipients.to[0].email.domain.sld == sender.email.local_part
  and any(body.links,
          strings.icontains(.href_url.domain.domain, "lambda-url")
          and strings.icontains(.href_url.fragment, recipients.to[0].email.email)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "b5775c73-ca5f-5244-ac21-201332efd313"
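As an added illustration (not code from the Sublime rule or its repository), the following Python mirrors the rule's three conditions over a constructed message: the sender local part must equal the recipient domain's second-level label, and some body link must have a "lambda-url" label in its hostname and the recipient address in its fragment. The second_level_label helper is a simplified stand-in for Sublime's domain.sld, and the per-label hostname check approximates the domain.domain comparison.

```python
from typing import NamedTuple
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the sender's local
# part mirrors the recipient's organisation name, and a Lambda function URL
# carries the recipient address in its fragment, as the rule above looks for.
SAMPLE_MESSAGE = {
    "sender": "examplecorp@mail.example.net",
    "to": ["alice@examplecorp.com"],
    "links": [
        "https://abc123.lambda-url.us-east-1.on.aws/#alice@examplecorp.com",
        "https://www.examplecorp.com/about",
    ],
}

class Match(NamedTuple):
    matched: bool
    reason: str

def second_level_label(domain: str) -> str:
    """Approximation of Sublime's domain.sld (the label left of the TLD);
    a production check would consult the public suffix list."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def is_lambda_url(href: str) -> bool:
    """Case-insensitive check for a 'lambda-url' label in the link's hostname."""
    host = (urlparse(href).hostname or "").lower()
    return any("lambda-url" in label for label in host.split("."))

def fragment_targets(href: str, recipient: str) -> bool:
    """True when the URL fragment contains the recipient address, case-insensitively."""
    return recipient.lower() in urlparse(href).fragment.lower()

def evaluate(msg: dict) -> Match:
    """Mirror the rule: sender local part equals the recipient domain's SLD
    and at least one body link is a Lambda URL targeting that recipient."""
    recipient = msg["to"][0].lower()
    sender_local = msg["sender"].split("@", 1)[0].lower()
    recipient_sld = second_level_label(recipient.split("@", 1)[1])
    if recipient_sld != sender_local:
        return Match(False, "sender local part does not mirror recipient domain SLD")
    for href in msg["links"]:
        if is_lambda_url(href) and fragment_targets(href, recipient):
            return Match(True, f"targeted Lambda URL: {href}")
    return Match(False, "no Lambda URL with recipient in fragment")
```

Running evaluate(SAMPLE_MESSAGE) flags the first link; changing the sender local part or the fragment makes the same message fall through both negative branches, which is the easiest way to see why the rule pairs the two checks.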