Phishing attacks often rely on social engineering tactics to trick a person into clicking a link. This can lead to a credential-stealing page or a malicious application download.
This attack technique doesn’t rely on malicious links or domain spoofing, but on document scripts that produce the same effect, as highlighted by Reversing Labs.
In this instance, that document scripting capability lets malicious actors create login pages purporting to belong to the email’s apparent sender, in this case Amazon.
How it works
It’s quite normal for an organisation to require an invoice from Amazon following a purchase. These can take different forms depending on the actual supplier using Amazon’s platform.
It’s therefore easy to see how an attacker might exploit these inconsistencies to trick potential victims.
For phishing scams we would normally advise examining the URL of any landing page to make sure it looks legitimate. We also advise logging in to sites only at their official domains, rather than through a link in an attachment.
In this case, the login prompt is generated by the PDF itself, so no URL is displayed, and you were told in advance that this would happen.
This is why, in addition to checking landing-page URLs, you always need to check the sender address to make sure it matches a legitimate domain, and one that corresponds with the email you received.
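As an added example (not code from the original post or from Reversing Labs’ analysis), here is a small triage script that flags PDFs able to draw such a prompt. It assumes the document script is PDF JavaScript using Acrobat’s app.response/app.alert dialog calls; the sample PDFs are constructed for the example.

```python
import re

# Constructed samples (not from the original post): a minimal PDF whose
# OpenAction runs a script that pops a credential prompt, the same PDF with
# its names hex-escaped (/J#53 is read as /JS), and a benign PDF with no actions.
PHISH_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"3 0 obj << /S /JavaScript /JS (app.response('Enter your Amazon password')) >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
OBFUSCATED_PDF = PHISH_PDF.replace(b"/JS", b"/J#53").replace(b"/OpenAction", b"/Open#41ction")
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

# PDF names whose presence means the document can run code or act when opened.
ACTION_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "SubmitForm")
# Acrobat JavaScript calls that draw dialogs a phisher can dress up as a login box.
PROMPT_CALLS = (b"app.response", b"app.alert")

def normalise_names(data: bytes) -> bytes:
    """Expand #xx hex escapes inside PDF names so /J#53 is seen as /JS.
    Good enough for triage; it does not attempt to skip binary streams."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)

def script_indicators(data: bytes) -> dict:
    """Count action names and prompt calls in a raw PDF; keys only for hits."""
    data = normalise_names(data)
    hits = {}
    for name in ACTION_NAMES:
        # A name ends at whitespace or a PDF delimiter, so /JS does not match /JSx.
        pattern = rb"/" + name.encode() + rb"(?=[\s()<>\[\]{}/%]|$)"
        n = len(re.findall(pattern, data))
        if n:
            hits[name] = n
    for call in PROMPT_CALLS:
        n = data.count(call)
        if n:
            hits[call.decode()] = n
    return hits

def is_prompting_pdf(data: bytes) -> bool:
    """Flag a PDF that both carries script and calls a dialog API."""
    hits = script_indicators(data)
    has_script = any(k in hits for k in ("JavaScript", "JS"))
    has_prompt = any(k in hits for k in ("app.response", "app.alert"))
    return has_script and has_prompt
```

Run it over attachments at the mail gateway or in a sandbox; a hit is a reason to quarantine and inspect, not proof of malice, since legitimate forms also use JavaScript.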
You should always enable two-factor authentication on your Amazon account (and elsewhere), which largely negates the value of any stolen credentials.
It’s also imperative that you provide ongoing phishing simulation and security awareness training so your users are practised at spotting phishing attacks, this one included.