Freelance security consultant Xavier Mertens reported a phishing campaign that uses a fake PDF security incident report hosted on AWS to scare victims into enabling 2FA. The phishing message contains a link to an AWS-hosted page and a PDF titled “Security_Reports.pdf”; the lure targets MetaMask users and claims there is unusual login activity to prompt action. The PDF itself is not malicious and was generated using ReportLab, but the attackers aim to create fear and push users to follow instructions.
Despite the tactic, the campaign is of low quality: the sender isn’t spoofed, and the PDF isn’t personalised or branded, making the scam easier to spot. The overall takeaway is that the technique relies on fear to push users toward a security upgrade, rather than on sophisticated branding or stealth.
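
The two observations about the PDF (no active content, ReportLab as the generator) can be checked statically. The sketch below is an added example, not code from Mertens's report; the sample bytes and the `example.invalid` URL are constructed, and the check assumes the PDF's objects are stored uncompressed.

```python
import re

# PDF name keys that indicate active content (script, auto-run, launch, attachments).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
# A PDF literal string: (...) with backslash escapes; nested parentheses are not handled.
LITERAL = rb"\s*\(((?:\\.|[^\\)])*)\)"


def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes. Assumes objects are not hidden in
    compressed object streams and names are not #xx hex-escaped."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    producer = re.search(rb"/Producer" + LITERAL, data)
    active = [k.decode() for k in ACTIVE_KEYS
              if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", data)]
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI" + LITERAL, data)]
    return {
        "producer": producer.group(1).decode("latin-1") if producer else None,
        "active": active,
        "uris": uris,
        # Passive document whose only job is to send the reader to a link.
        "lure_only": not active and bool(uris),
    }


# Constructed sample: passive PDF with a ReportLab producer and one link annotation.
SAMPLE_LURE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/enable-2fa) >> >> endobj\n"
    b"4 0 obj << /Producer (ReportLab PDF Library - www.reportlab.com) >> endobj\n"
    b"%%EOF\n"
)
# Constructed sample: a PDF that does carry auto-run script keys, for contrast.
SAMPLE_ACTIVE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (placeholder) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_LURE))
    print(triage_pdf(SAMPLE_ACTIVE))
```

A `lure_only` result means the attachment is clean by file-scanning standards, so the extracted link targets are what need to be reviewed and blocked.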