View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Amazon Email Scam: Watch Out For Malicious Order Confirmed Emails

In order to avoid been caught out by malicious campaigns like this user must be vigilant when it comes to what they open, especially if it is a Microsoft word document

By CBR Staff Writer

Cybercriminals are always on the look out to exploit peoples rush to get stuff done and get those last minute online shopping delivered or taken care of.

With an increasing number of us doing the majority of our shopping online, threat actors are seizing upon the opportunity to conduct email spamming campaigns that target popular delivery companies like Amazon.

Cybersecurity enterprise EdgeWare have uncovered a well disguised email campaign masquerading as Amazon order confirmations,.

When a user opens these emails they are showed the order confirmation stating that your package has been shipped, however no actual order information is visible such as what the item is or to whom it is deliverable. To get this information the email directs the user to click on the ‘Order Details’ see more information.

Unfortunately this is where you trouble begins according to EdgeWare who found that: “Clicking Order Details connects to unique subdirectory at and downloads a Microsoft Word document titled order_details.doc. Opening this document activates a macro that contacts at IP (the same server that hosts, located in Indonesia)”

Once this process starts your system is open to the installation of malicious software.

Amazon Email Scam

Clicking Order Details can also open up a Microsoft Office Document which then asks you to enable content, doing so will trigger a PowerShell command that results in the undetected download of a banking Trojan to your device.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

PowerShell is a scripting language that when used by threat actors can give them unrestricted access to Windows APIs and system inner core.

Fred O’Connor researcher at endpoint security company Cyberreason commented in a blog that: “PowerShell’s ability to run remotely through WinRM makes it an even more appealing tool. This feature enables attackers to get through Windows Firewall, run PowerShell scripts remotely or simply drop into an interactive PowerShell session, providing complete admin control over an endpoint.”

See Also: NASA Servers Breached: “A Top Agency Priority”

In order to avoid been caught out by malicious campaigns like this user must be vigilant when it comes to what they open, especially if it is a Microsoft word document.

When receiving order confirmations your names and some identifying details should be present. Be wary of anything that looks vague and could be sent out on-mass. Reading addresses is something we passively do, often with little regard to spelling, however incorrect spelling in an address is a key indicator that something is amiss and is one to watch out for.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.