An ongoing phishing campaign targeting several organizations with the help of DocuSign branded spam e-mails has been observed by Proofpoint’s Threat Insight Team while abusing Amazon Web Services (AWS) to host their landing pages. The phishers use nested JavaScript encoding for the landing pages hosted on Amazon S3 storage for evading detection and for hindering analysis, with the Multibyte XOR encoding technique described in February 2016 being an integral part of the process. The actor engaging in this activity is not new to hosting on AWS, as we have observed it throughout the year,” adds Proofpoint.”
Source: https://www.bleepingcomputer.com/news/security/microsoft-office-phishers-move-to-enterprise-aws-landing-pages/