Threat · Scams & fraud

Fake AWS / Azure / Google Cloud / DigitalOcean / Vercel / Cloudflare compute-overage lure — "your compute spend exceeding budget, verify billing within 24 hours or services suspended" targeting IT/DevOps engineers + SaaS founders; cloud-console credentials harvested → crypto-mining on victim cloud + $500-5K/bundle dark-market resale (Unit 42: cloud-account compromise +60% YoY 2024-2025)

fake-cloud-compute-budget-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake "your AWS / Azure / Google Cloud / DigitalOcean / Vercel / Cloudflare / Heroku / Linode compute spend is exceeding budget — verify billing within 24 hours or services will be suspended" email targeting IT/DevOps engineers and SaaS founders.

Distinct from the consumer ChatGPT Plus sub phish (iter 941), developer AI-API-key phish (iter 979), and enterprise M365 MFA phish (iter 948): this one targets the narrow DevOps/cloud-operator demographic, where a runaway Lambda or GKE cluster can burn $10K-$100K in hours, so "verify billing / approve overage" framing triggers a fast response. Real AWS / Azure / GCP billing alarm emails exist, so the template is structurally familiar.

Post-compromise, attackers harvest cloud-console credentials, spin up crypto-mining workloads on the victim's cloud account (stealing compute AND electricity costs), and resell compromised cloud accounts on dark markets at $500-5,000 per bundle. Unit 42 reports for 2024-2025 put cloud-account compromise attacks up 60% YoY, with $1-10M median losses per compromised enterprise tenant.

Fires when the body references AWS / Amazon Web Services / Azure / Google Cloud / GCP / DigitalOcean / Vercel / Cloudflare / Heroku / Linode / AWS Lambda / S3 / EC2 / Kinesis / GKE AND contains overage / exceeding / suspension / verify-billing / approve-overage urgency.

Excludes amazon.com, amazonaws.com, aws.amazon.com, microsoft.com, azure.com, microsoftonline.com, google.com, cloud.google.com, googleapis.com, digitalocean.com, do.co, vercel.com, cloudflare.com, heroku.com, linode.com, akamai.com, fly.io, render.com.

Auto-classified as danger via the `-lure` suffix.
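A minimal sketch of the rule as described above, added here as an illustration and not Gorganizer's own code. The regexes are assumed approximations of the listed provider and urgency terms, the function names are hypothetical, the exclusion is assumed to apply to the From header domain, and the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Sender domains the page lists as excluded (legitimate providers).
EXCLUDED_DOMAINS = {
    "amazon.com", "amazonaws.com", "aws.amazon.com", "microsoft.com",
    "azure.com", "microsoftonline.com", "google.com", "cloud.google.com",
    "googleapis.com", "digitalocean.com", "do.co", "vercel.com",
    "cloudflare.com", "heroku.com", "linode.com", "akamai.com",
    "fly.io", "render.com",
}
# Assumed regexes built from the provider and urgency terms the page names.
PROVIDER_RE = re.compile(
    r"\b(aws|amazon web services|azure|google cloud|gcp|digitalocean|"
    r"vercel|cloudflare|heroku|linode|s3|ec2|kinesis|gke)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(overage|exceed(?:ing|ed|s)?|suspen(?:ded|sion)|"
    r"verify\s+(?:your\s+)?billing|approve\s+overage)\b", re.I)

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the From address, or '' if none parses."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain: str) -> bool:
    """Exact match or true subdomain only; lookalike suffixes do not pass."""
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED_DOMAINS)

def fake_cloud_compute_budget_lure(from_header: str, body: str) -> bool:
    """True when the signal fires; it feeds a score and is not a verdict."""
    if is_excluded(sender_domain(from_header)):
        return False
    return bool(PROVIDER_RE.search(body) and URGENCY_RE.search(body))

# Constructed sample messages (not real mail).
SAMPLES = [
    ("AWS Billing <billing@aws-billing-alerts.example>",
     "Your EC2 compute spend is exceeding budget. Verify billing within 24 hours."),
    ("AWS <no-reply@aws.amazon.com>",
     "Your AWS spend is exceeding budget for this month."),
    ("Billing <alerts@aws.amazon.com.billing-check.example>",
     "Approve overage on AWS Lambda or services will be suspended."),
    ("Newsletter <news@devblog.example>",
     "Five tips for tuning GKE autoscaling."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(fake_cloud_compute_budget_lure(sender, body), sender)
```

The third sample embeds aws.amazon.com as a prefix of an unrelated domain; matching the exclusion list only on an exact domain or a dot-bounded suffix keeps that sender from being treated as legitimate.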

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
