MetaMask users targeted with fake security report phishing campaign
Farah Amod
March 9, 2026
Attackers are sending forged security alerts designed to trick cryptocurrency wallet users into surrendering credentials.
What happened
A phishing campaign is targeting users of the MetaMask cryptocurrency wallet with emails that warn of suspicious login activity and urge recipients to enable two-factor authentication through a malicious link. According to GBHackers, the message includes a fake PDF titled “Security_Reports.pdf” designed to resemble a legitimate security alert and create urgency. The link redirects victims to a counterfeit MetaMask login page hosted in an Amazon Web Services S3 storage bucket, a legitimate cloud service often trusted by security filters. Although the attachment contains no malware, analysis showed it was created with the ReportLab PDF library, a legitimate Python tool, and serves only as a social engineering prop to persuade users to enter wallet credentials and recovery seed phrases on the fraudulent site.
Going deeper
Use of legitimate cloud infrastructure such as Amazon Web Services Simple Storage Service (AWS S3) allows phishing campaigns to bypass reputation-based security controls that typically flag suspicious or newly created domains. Attackers combine social engineering tactics with harmless-looking files generated using legitimate tools to avoid antivirus and attachment-scanning detection. In this case, the PDF contains no malware or hidden scripts and instead creates urgency by warning of suspicious account activity, encouraging victims to act quickly. The linked phishing page then captures login credentials and cryptocurrency wallet recovery phrases, enabling attackers to steal digital assets. Although the campaign shows limited technical sophistication or personalization, it demonstrates how trusted cloud services and emotionally manipulative messaging can still make relatively simple phishing attacks effective.
What was said
Xavier Mertens, senior handler at the SANS Internet Storm Center, analyzed the phishing email and explained that the campaign relied on psychological pressure rather than technical sophistication. He wrote that “the goal is simple: To make the victim scary and ready to ‘increase’ his/her security by enabled 2FA,” describing how the fake incident report was designed to push recipients toward interacting with the malicious link. Mertens added that the campaign showed relatively low-quality execution, noting the sender address was not spoofed and the attached PDF lacked personalization despite being automatically generated. No public statement from MetaMask or Amazon Web Services accompanied reporting on the campaign.
The big picture
The MetaMask campaign is a clear example of what Hoala Greevy, CEO of Paubox, calls “deception at scale,” where attackers move away from complex malware and instead abuse trusted cloud infrastructure such as AWS that security filters often allow automatically. Attackers exploit “inherited trust,” meaning malicious pages appear legitimate because they are hosted on reputable platforms, shifting the attack toward human judgment rather than technical vulnerabilities. With only about 5% of phishing attacks reported by employees, according to the Paubox 2025 Healthcare Email Security Report, campaigns like this succeed because organizations still rely on users to recognize threats themselves. Solutions such as Paubox’s new inbound email security address this gap by using generative AI to analyze sender behavior, tone, links, and communication patterns, automatically detecting phishing, impersonation, and malware attempts and stopping suspicious messages before they reach employee inboxes, reducing dependence on human error as the final line of defense.
FAQs
Why are seed phrases especially valuable to attackers?
A seed phrase allows full restoration of a cryptocurrency wallet on another device, enabling attackers to transfer assets without needing continued access to the victim’s account credentials.
How does hosting phishing pages on AWS affect detection?
Cloud hosting services are widely used by legitimate organizations, so blocking traffic to those domains can disrupt normal business operations, reducing the effectiveness of simple domain-based filtering.
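As an added example (not code from the article, GBHackers, SANS or Paubox), the following Python illustrates the point made in the "Going deeper" section and in this FAQ answer: the S3 hostname is Amazon's and cannot sensibly be blocklisted, but the bucket name and object path are attacker-chosen, so a mail-filtering rule can inspect those instead of the domain. The protected-brand list, the credential-page keyword list and the sample URLs are assumptions constructed for the example.

```python
"""Flag links that ride on S3's "inherited trust": the hostname is Amazon's, but the
bucket name or object path impersonates a wallet brand. Added example, not from the article."""
import re
from urllib.parse import urlparse

# Brands whose sign-in pages should never live in an arbitrary S3 bucket (assumption).
PROTECTED_BRANDS = ("metamask",)
# Words typical of credential-harvesting pages (assumption; tune to your environment).
CREDENTIAL_WORDS = ("login", "signin", "sign-in", "wallet", "recover", "seed", "verify", "2fa")

# Virtual-hosted style (<bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com)
# and S3 website endpoints (<bucket>.s3-website-<region>.amazonaws.com).
_VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def s3_bucket(url):
    """Return (bucket, object_path) when the URL points at an S3 endpoint, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.lstrip("/")
    m = _VHOST.match(host)
    if m:
        return m.group("bucket"), path
    if _PATH.match(host) and path:
        bucket, _, rest = path.partition("/")
        return bucket, rest
    return None

def inherited_trust_findings(url):
    """Reasons a link deserves a closer look; an empty list means 'not an S3-hosted page'."""
    hit = s3_bucket(url)
    if hit is None:
        return []
    bucket, path = hit
    findings = ["hosted-on-s3"]
    haystack = f"{bucket}/{path}".lower()      # attacker-controlled parts of the URL
    if any(b in haystack for b in PROTECTED_BRANDS):
        findings.append("brand-name-in-bucket-or-path")
    if any(w in haystack for w in CREDENTIAL_WORDS):
        findings.append("credential-page-wording")
    return findings

def triage(urls):
    """Rank extracted links by how many inherited-trust signals they trip (most first)."""
    scored = [(url, inherited_trust_findings(url)) for url in urls]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)
```

Feed `triage()` the links extracted from an inbound message; anything with two or more findings is a candidate for quarantine or analyst review rather than an automatic block of all of amazonaws.com.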
Why was the PDF attachment non-malicious?
Attackers used the document as a credibility enhancer rather than a malware delivery mechanism, reducing the likelihood that security scanners would flag the email before it reached users.
Are cryptocurrency users more exposed to phishing than traditional banking customers?
Cryptocurrency transactions are typically irreversible, and wallet access is controlled entirely by private keys or seed phrases, making successful phishing attacks financially damaging and difficult to remediate.
What controls can reduce the risk of wallet phishing?
Users should verify sender domains carefully, avoid clicking security links directly from email, enable hardware wallet protections where possible, and treat any request for seed phrases as fraudulent, regardless of context.