This report documents a large-scale phishing campaign in which attackers abused legitimate software-as-a-service (SaaS) platforms to deliver phone-based scam lures that appeared authentic and trustworthy. Rather than spoofing domains or compromising services, the attackers deliberately misused native platform functionality to generate and distribute emails that closely resembled routine service notifications, inheriting the trust, reputation, and authentication posture of well-known SaaS providers.
The campaign generated approximately 133,260 phishing emails, impacting 20,049 enterprises. It is part of a broader and rapidly escalating trend in which attackers weaponize trusted brands and native cloud workflows to maximize delivery, credibility, and reach.
Observed brands abused or impersonated include Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes.
Trend context: accelerating SaaS abuse activity
This activity aligns with a sharp increase in SaaS abuse–driven phishing observed over recent months:
- Last 6 months: ~648,291 phishing emails impacting ~36,845 enterprises
- Last 3 months: ~463,773 phishing emails impacting ~32,482 enterprises
Why SaaS abuse–driven phishing is accelerating
The acceleration observed in recent months reflects a strategic shift by attackers rather than a temporary spike in activity. Instead of relying on spoofed domains, compromised infrastructure, or malicious links, attackers are increasingly abusing legitimate SaaS workflows to inherit trust by default.
By embedding scam content into user-controlled fields that are later rendered in system-generated notifications, attackers obtain emails that originate from high-reputation domains, fully pass authentication checks, and closely resemble routine service communications. This significantly reduces both automated detection and user suspicion.
The growing reliance on phone-based lures further supports this shift. Directing victims to call attacker-controlled numbers allows campaigns to bypass URL analysis, sandboxing, and link reputation systems, transferring the final stage of the attack to voice-based social engineering.
The concentration of activity in the most recent three-month period suggests that attackers view SaaS abuse as a scalable, low-friction delivery mechanism that offers high return on investment, particularly when leveraging widely used enterprise platforms such as Microsoft, Zoom, and Amazon.
Campaign summary
Three distinct SaaS abuse methods were observed, all designed to drive victims toward calling attacker-controlled phone numbers rather than clicking malicious links:
- Abuse of legitimate SaaS email generation, combined with automated redistribution
- Abuse of Microsoft account, subscription, Entra ID, and Power BI notification workflows
- Abuse of Amazon Business invitation workflows
In all cases, the underlying platforms were not compromised. Legitimate features were misused to impersonate authentic service communications.
Campaign scale
- Total phishing emails: ~133,260
- Affected enterprises: ~20,049
The volume and breadth confirm this as a coordinated, high-scale SaaS abuse operation, not isolated activity.
Method 1: Abuse of legitimate SaaS email generation and redistribution
Attack flow
In the first method, attackers exploited the fact that many SaaS platforms allow users to control identity, profile, or metadata fields that are later rendered verbatim into system-generated emails.
- Field manipulation
The attacker creates or modifies an account within a legitimate SaaS platform and inserts scam content into user-controlled fields such as account name or profile attributes.
- Legitimate email generation
The platform generates a fully legitimate notification email using the attacker-supplied content. These emails originate from real service infrastructure and domains, inheriting authentic branding, formatting, and sender reputation.
Platforms observed in this method include Zoom, PayPal, YouTube, and Malwarebytes. In each case the platform renders the attacker-controlled field verbatim into its own, unmodified notification template, so nothing about the message structure distinguishes it from a genuine notification.
- Automated redistribution
The attacker redistributes these legitimate emails at scale using automated mail rules, preserving the original message content and headers. Because the platform's DKIM signature covers the original headers and body, a redistributed copy can still verify as signed by the platform, even though SPF is now evaluated against the redistributing hop rather than the platform's infrastructure.
The emails typically use urgent billing, subscription, or account-warning narratives and instruct recipients to call a support phone number.

Method 2: Abuse of Microsoft notification workflows across multiple products
In this method, attackers abuse Microsoft's native notification workflows across multiple products, including account and subscription notifications, Entra ID identity messages, and Power BI service emails, to deliver phone-based scam lures.
Attackers first establish or control a legitimate Microsoft tenant and configure Microsoft services that generate automated notifications. By populating user-controlled fields such as customer, subscription, or product details with scam content, attackers cause Microsoft to generate emails where the fraudulent messaging appears directly in the email subject or body. These notifications are then distributed by Microsoft’s own infrastructure, fully authenticated and indistinguishable from routine Microsoft service communications.
The emails typically reference subscription activity, account changes, or product acquisitions and instruct recipients to call attacker-controlled support numbers. This approach avoids malicious links entirely and shifts the final stage of the attack to voice-based social engineering, while leveraging the high trust users place in Microsoft notifications to bypass link-centric detection and user suspicion.

Method 3: Amazon Business invitation abuse
In addition to abusing generic SaaS notifications and Microsoft’s notification ecosystem, attackers also leveraged platform-specific business invitation workflows. In one such case, attackers abused Amazon Business’s legitimate “invite users” feature to deliver scam content.
Attackers inserted scam text, including fake charges and support phone numbers, into user-controlled invitation fields such as the business name or custom invite message. Amazon rendered this attacker-supplied content directly into the invitation email subject and body and delivered the messages at scale via Amazon SES, resulting in emails that fully passed SPF, DKIM, DMARC, and ARC and appeared as authentic Amazon Business notifications, without requiring any attacker-controlled mail infrastructure.
Validation through controlled testing
To validate Method 1, a limited internal test was conducted using Zoom. A Zoom account was created with scam-style text inserted into user-controlled name fields, after which the platform generated and sent a legitimate verification email containing the attacker-supplied content. The email originated from Zoom’s real infrastructure and closely resembled a standard operational notification.
The remaining step required to operationalize the attack would be bulk redistribution, which was not performed during testing.

Impacted industries
- Technology / SaaS / IT — 26.8%
- Manufacturing / Industrial / Engineering / Construction — 21.4%
- Enterprise / Commercial (B2B, non-vertical-specific) — 18.9%
- Education (K–12 and Higher Education) — 12.1%
- Finance / Banking / Insurance — 7.4%
- Government / Public Sector — 6.0%
- Healthcare / Life Sciences — 4.2%
- Professional Services / Consulting / Legal — 2.6%
- Retail / Consumer — 1.3%
- Energy / Utilities — 1.0%
- Other — 0.3%
Zoom-related abuse was disproportionately observed in education, where collaboration notifications are frequent and highly trusted.

Geographic distribution (HQ-based)
- United States — 66.9%
- Europe — 17.8%
- Asia-Pacific — 9.2%
- Canada — 4.1%
- LATAM — 2.6%
- Middle East & Africa — 1.4%

LATAM breakdown
- Brazil — 41%
- Mexico — 29%
- Argentina — 12%
- Colombia — 9%
- Chile — 5%
- Peru — 4%
Key analytical takeaways
- SaaS abuse represents a strategic evolution in phishing tactics, where attackers prioritize inheriting trust from legitimate platforms over deploying their own infrastructure, significantly reducing both technical friction and detection risk.
- Phone-based scam delivery is a deliberate control-evasion mechanism, allowing campaigns to bypass link-centric detection technologies and shift the final exploitation stage to voice-based social engineering.
- Native notification workflows from widely used enterprise platforms amplify campaign effectiveness, as frequent, expected service communications normalize scam content and reduce user skepticism.
- The sharp concentration of activity in recent months indicates attacker confidence in scalability and return on investment, particularly when abusing platforms that provide global reach, strong sender reputation, and built-in authentication.
- Education and enterprise environments face elevated risk due to high notification volume and trust saturation, especially for collaboration services where urgent or administrative messages are routine.
- Defensive assumptions that authenticated, well-branded emails are inherently low risk are increasingly unreliable, requiring detection strategies that account for contextual abuse of legitimate services rather than traditional indicators alone.
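As an added example, not part of the original report and not any vendor's detection logic, the following Python check implements the last takeaway against the three methods described above: it only examines mail that already passes SPF, DKIM and DMARC from a known notification sender, then flags phone numbers in the fields those platforms render from user-controlled input (display name, subject, invite or body text). The trusted-sender set, the phone and lure regexes, and all four sample messages are constructed assumptions to be tuned per tenant.

```python
"""
Added example, not code from the original report: a second-stage check for
authenticated SaaS notifications that carry a phone-based scam lure in fields
the platform fills from user-controlled input (account/display name, business
name, custom invite message, subject). All messages below are constructed
samples; the sender list and regexes are assumptions to tune per tenant.
"""
import email
import re
from dataclasses import dataclass
from email import policy
from email.utils import parseaddr

# Assumption: notification senders this tenant legitimately receives mail from.
# In practice derive this from the tenant's own mail logs rather than hard-coding it.
TRUSTED_NOTIFIERS = {"zoom.us", "amazon.com", "paypal.com", "youtube.com",
                     "malwarebytes.com", "microsoft.com"}

# North-American style numbers; extend for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(
    r"\b(charged?|invoice|billing|subscription|renew(?:al|ed)?|refund|"
    r"suspend(?:ed)?|unauthori[sz]ed|call (?:us|support|now|immediately))\b", re.I)


@dataclass
class Verdict:
    flagged: bool
    reasons: list


def auth_passed(msg) -> bool:
    """True if the Authentication-Results headers (merged) contain spf=pass, dkim=pass and dmarc=pass."""
    joined = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in joined for m in ("spf", "dkim", "dmarc"))


def is_trusted_notifier(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_NOTIFIERS)


def analyze(raw: bytes) -> Verdict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Gate: this check only applies to mail the usual controls would already trust.
    if not (is_trusted_notifier(domain) and auth_passed(msg)):
        return Verdict(False, ["out of scope: not an authenticated known-notifier message"])
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    # A platform notification never needs a phone number in the display name or subject;
    # those are exactly the fields where attacker-supplied names and titles get rendered.
    for label, value in (("display name", display_name), ("subject", subject)):
        if PHONE_RE.search(value):
            reasons.append(f"phone number in {label}")
    if PHONE_RE.search(text) and LURE_RE.search(subject + " " + text):
        reasons.append("phone number with billing/urgency lure in body")
    return Verdict(bool(reasons), reasons)


def build_sample(sender: str, subject: str, body: str, authenticated: bool = True) -> bytes:
    """Build a minimal RFC 5322 message (constructed test data, not a captured email)."""
    domain = parseaddr(sender)[1].rpartition("@")[2]
    res = "pass" if authenticated else "fail"
    auth = (f"mx.example.net; spf={res} smtp.mailfrom={domain}; "
            f"dkim={res} header.d={domain}; dmarc={res} header.from={domain}")
    return (f"From: {sender}\r\nTo: ap@example.net\r\nSubject: {subject}\r\n"
            f"Authentication-Results: {auth}\r\nMIME-Version: 1.0\r\n"
            f"Content-Type: text/plain; charset=utf-8\r\n\r\n{body}\r\n").encode()


SAMPLES = {
    # Method 3 pattern: lure placed in the business name, rendered into subject and body.
    "amazon_invite_lure": build_sample(
        "Amazon Business <no-reply@amazon.com>",
        "Unauthorized charge $499.99 - call 1-888-555-0199 invited you to join Amazon Business",
        "Unauthorized charge $499.99 - call 1-888-555-0199 has invited you to join their\n"
        "Amazon Business account. To dispute the charge call support at 1-888-555-0199."),
    # Method 1 pattern: lure placed in the account name, rendered into the display name.
    "zoom_name_lure": build_sample(
        '"Billing Alert - call 1-888-555-0133" <no-reply@zoom.us>',
        "Please verify your Zoom account",
        "Hi Billing Alert - call 1-888-555-0133, please confirm your email address."),
    # Genuine-looking notification: same sender, no phone number anywhere.
    "zoom_benign": build_sample(
        "Zoom <no-reply@zoom.us>",
        "Please verify your Zoom account",
        "Hi Dana, please confirm your email address from your account settings."),
    # Classic lookalike domain that fails authentication: left to existing controls.
    "lookalike_domain": build_sample(
        "PayPal <service@paypa1-billing.example>",
        "Invoice overdue - call 1-800-555-0142",
        "Your invoice is overdue. Call 1-800-555-0142 now.", authenticated=False),
}


def scan(samples=SAMPLES) -> dict:
    """Run the check over every sample; returns {name: Verdict}."""
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, v in scan().items():
        print(f"{name:20s} flagged={v.flagged} {v.reasons}")
```

Running the file prints a verdict per sample. The gate is deliberate: the point is not to replace authentication checks but to add a context check behind them, so a lookalike domain that fails DMARC is left to existing controls, while a genuine amazon.com invitation carrying a phone number in its subject is escalated. In production the same logic would sit on a mail-flow or SOAR hook, and the trusted-sender set should come from the tenant's own logs.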
Conclusion
This campaign demonstrates how attackers are increasingly weaponizing trusted SaaS platforms and native notification workflows to deliver phone-based scams at scale. As cloud services continue to dominate enterprise communication, defenders must recognize that authentic-looking emails from trusted brands are not inherently safe and must account for contextual abuse of legitimate services.
