In a sophisticated cyberattack campaign, threat actors exploited compromised AWS credentials to hijack Amazon’s Simple Email Service (SES), launching large-scale phishing operations capable of sending over 50,000 malicious emails daily.
The Wiz Research team identified this alarming SES abuse campaign in May 2025, highlighting a concerning trend where cybercriminals are weaponizing legitimate cloud services to conduct fraud operations at unprecedented scale.
The attack demonstrates how compromised AWS access keys can be transformed into powerful phishing infrastructure, bypassing traditional email security defenses while shifting costs and reputational damage onto innocent victims.
The sophisticated campaign began with attackers obtaining compromised AWS access keys through unknown vectors, likely including accidental public exposure in code repositories or theft from developer workstations.
Once armed with these credentials, the threat actors immediately conducted reconnaissance to assess their capabilities.
Their first move involved a simple GetCallerIdentity request, which revealed that the compromised access key contained “ses-” in its name, indicating it was originally provisioned with SES permissions. This discovery became the foundation for their entire operation.
The attackers then escalated their reconnaissance by probing SES directly through GetSendQuota and GetAccount calls, designed to reveal the current configuration state and determine whether the account remained restricted to sandbox limits.
This initial assessment phase occurred within seconds, demonstrating the automated nature of their approach.
Breaking Free from Security Constraints
Amazon SES operates under a “sandbox” mode by default, restricting accounts to sending only 200 messages per day to verified addresses at a maximum rate of one message per second.
To unlock the service’s full potential for legitimate businesses, accounts must transition to “production” mode, which typically raises the quota to 50,000 emails per day and allows sending to arbitrary recipients.
In a novel technique not previously documented in security research, the attackers launched a coordinated burst of PutAccountDetails requests across all AWS regions within just ten seconds.
This multi-regional approach appears designed to maximize region-specific send quotas, evade potential restrictions, or build redundancy across different geographic locations.
To justify their transition request, the attackers submitted a carefully crafted but generic explanation referencing a construction company website that had no connection to either the victim or the identities later used for phishing.
Despite its boilerplate nature, the request was polished enough to pass AWS’s review process and gain approval for production mode access.
Not satisfied with the standard 50,000-emails-per-day quota, the threat actors attempted to further expand their capabilities through multiple avenues.
They tried opening a support ticket programmatically using the CreateCase API to request higher limits, an uncommon approach that serves as a strong indicator of suspicious activity since legitimate users typically use the AWS Console.
When this attempt failed due to insufficient permissions, the attackers tried to escalate their privileges by creating an IAM policy named “ses-support-policy” and attempting to attach it to the compromised user.
This effort also failed, leaving them with the standard production quota, which proved sufficient for their campaign objectives.
With production mode enabled, the attackers began establishing their phishing infrastructure by adding multiple domains as verified identities through the CreateEmailIdentity API.
Their domain strategy included both attacker-owned domains and legitimate domains with weak DMARC protections, making it easier to spoof or send emails without being blocked by security controls.
The Phishing Campaign Launch
Once their infrastructure was established, the cybercriminals launched a broad phishing campaign targeting multiple organizations without clear geographical or industry focus.
The malicious emails referenced 2024 tax forms with subjects like “Your 2024 Tax Form(s) Are Now Ready to View and Print” and “Information Alert: Tax Records Contain Anomalies.”
These emails directed recipients to credential theft sites concealed behind redirects provided by commercial traffic analysis services.
This technique, commonly used in legitimate marketing campaigns, was repurposed to bypass security scanners while providing attackers visibility into victim click-through rates.
The lightweight and opportunistic nature of the campaign suggests it was conducted primarily for financial gain, though researchers have not linked it to any publicly tracked threat groups.
The credential theft operations could facilitate various malicious activities, including business email compromise and additional fraud schemes.
This SES abuse campaign represents more than just a nuisance with negligible costs. The attack highlights several critical security concerns for organizations using cloud services.
The reputational and business risks are substantial, as attackers can send emails from verified domains, enabling phishing that appears to originate from legitimate organizations. This capability facilitates spearphishing, fraud, data theft, and masquerading in business processes, potentially causing significant brand damage.
The compromise risk extends beyond email abuse, as SES exploitation rarely occurs in isolation. It serves as a clear indicator that adversaries already control valid AWS credentials that could be expanded into more impactful actions across cloud infrastructure.
Operational risks include the potential for spam or phishing activity to trigger abuse complaints to AWS, resulting in abuse cases filed against victim accounts. Such incidents can disrupt business operations and require significant resources to resolve.
Prevention Strategies
Security experts recommend several measures to reduce the risk of SES abuse. Organizations should implement AWS Service Control Policies to block SES entirely in accounts where it isn’t needed, while regularly auditing and rotating IAM keys to prevent long-term compromise.
Enforcing least privilege principles ensures only designated roles can verify new senders or request production access.
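The two policy shapes the preceding paragraphs recommend, as an added example that is not part of the original article or of Wiz’s published material: one SCP that blocks SES outright for accounts that never send mail, and one that lets everyone send but reserves sender verification, the sandbox-exit request and programmatic support cases for designated roles. The role and user ARNs are constructed, and the small scp_denies() helper is a deliberately simplified simulator of the Deny/ArnNotLike shape generated here, not a full IAM policy engine.

```python
import json
from fnmatch import fnmatchcase

# Actions that change who may send or try to lift quotas; the campaign in the
# article used each of these once the attacker held a valid key.
SENDER_CONTROL_ACTIONS = [
    "ses:PutAccountDetails",     # leave the sandbox / request production mode
    "ses:CreateEmailIdentity",   # add a domain or address as a sender (SES v2 API)
    "ses:VerifyDomainIdentity",  # same outcome via the SES v1 API
    "ses:VerifyEmailIdentity",
    "support:CreateCase",        # programmatic limit-increase tickets
]


def deny_all_ses_scp():
    """SCP for accounts that have no business sending mail: block SES entirely."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllSES", "Effect": "Deny", "Action": "ses:*", "Resource": "*"}]}


def ses_guardrail_scp(allowed_role_arns):
    """SCP for accounts that do use SES: anyone may send, but only the listed
    principals may verify senders, leave the sandbox or open support cases."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyMailAdminsChangeSenders", "Effect": "Deny",
        "Action": SENDER_CONTROL_ACTIONS, "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(allowed_role_arns)}}}]}


def _matches(pattern, value):
    # IAM's * and ? wildcards map onto fnmatch closely enough for this simulator.
    return fnmatchcase(value, pattern)


def scp_denies(policy, action, principal_arn):
    """Simplified check: does any Deny statement in `policy` apply to `action`
    for `principal_arn`? Understands only the Action / ArnNotLike shape built
    above (assumption: no Allow statements, no resource-level conditions)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(a, action) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if any(_matches(p, principal_arn) for p in exempt):
            continue  # ArnNotLike is false for an exempted principal, so this Deny is skipped
        return True
    return False


if __name__ == "__main__":
    # Constructed account id and principals for illustration only.
    admin = "arn:aws:iam::111122223333:role/ses-admin"
    deploy_user = "arn:aws:iam::111122223333:user/ses-deploy"
    scp = ses_guardrail_scp([admin])
    print(json.dumps(scp, indent=2))
    for act in ("ses:SendEmail", "ses:PutAccountDetails", "support:CreateCase"):
        print(f"{deploy_user} {act}: denied={scp_denies(scp, act, deploy_user)}")
```

Attach deny_all_ses_scp() to the organizational units that never send mail and ses_guardrail_scp() to the rest; with the guardrail in place, a leaked key scoped for sending (like the “ses-” key in the article) can still call SendEmail, but its PutAccountDetails burst and CreateCase attempt fail at the SCP before any account-level IAM policy is consulted.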
Comprehensive logging and alerting on SES activity through CloudTrail can help detect suspicious API calls and usage spikes.
Monitoring for the specific attack indicators identified in this campaign is crucial, including multi-regional bursts of PutAccountDetails requests, non-console invocation of the CreateCase API, and rapid creation of domains and email identities.
Security platforms like Wiz Defend have developed specific detection rules to identify these attack patterns early in the kill chain.
By monitoring for behaviors such as multi-regional attempts to leave SES sandbox mode, IAM access key usage after long periods of inactivity, and API calls from multiple countries within short timeframes, security teams can respond before campaigns reach full scale.
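The indicators listed in the two paragraphs above, turned into detection logic over CloudTrail records, as an added example that is not part of the original article and does not reproduce Wiz Defend’s rules. The events are constructed to mirror the sequence the article describes (GetCallerIdentity, GetSendQuota, GetAccount, a five-region PutAccountDetails burst, a failed CreateCase, three CreateEmailIdentity calls) alongside a benign console admin; the access key ids, timestamps and user agents are made up, and treating a userAgent that does not contain console.amazonaws.com as “non-console” is a simplifying assumption, not a documented CloudTrail guarantee.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SES, STS, SUP = "ses.amazonaws.com", "sts.amazonaws.com", "support.amazonaws.com"
CLI, CONSOLE = "Boto3/1.34.0", "console.amazonaws.com"   # constructed user agents
K1, K2 = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002"  # constructed key ids


def ev(t, source, name, region, key, ua, error=None):
    """Build one constructed CloudTrail-like record, trimmed to the fields used here."""
    rec = {"eventTime": t, "eventSource": source, "eventName": name,
           "awsRegion": region, "accessKeyId": key, "userAgent": ua}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    ev("2025-03-01T08:00:00Z", STS, "GetCallerIdentity", "us-east-1", K1, CLI),   # last use before a long gap
    ev("2025-05-14T09:00:00Z", STS, "GetCallerIdentity", "us-east-1", K1, CLI),   # key wakes up
    ev("2025-05-14T09:00:01Z", SES, "GetSendQuota", "us-east-1", K1, CLI),
    ev("2025-05-14T09:00:02Z", SES, "GetAccount", "us-east-1", K1, CLI),
    ev("2025-05-14T09:00:10Z", SES, "PutAccountDetails", "us-east-1", K1, CLI),
    ev("2025-05-14T09:00:11Z", SES, "PutAccountDetails", "us-west-2", K1, CLI),
    ev("2025-05-14T09:00:12Z", SES, "PutAccountDetails", "eu-west-1", K1, CLI),
    ev("2025-05-14T09:00:13Z", SES, "PutAccountDetails", "eu-central-1", K1, CLI),
    ev("2025-05-14T09:00:14Z", SES, "PutAccountDetails", "ap-southeast-1", K1, CLI),
    ev("2025-05-14T09:00:30Z", SUP, "CreateCase", "us-east-1", K1, CLI, "AccessDenied"),
    ev("2025-05-14T09:02:00Z", SES, "CreateEmailIdentity", "us-east-1", K1, CLI),
    ev("2025-05-14T09:03:00Z", SES, "CreateEmailIdentity", "us-east-1", K1, CLI),
    ev("2025-05-14T09:04:30Z", SES, "CreateEmailIdentity", "us-east-1", K1, CLI),
    # Benign admin: one single-region production request and a support case, both from the console.
    ev("2025-05-14T11:00:00Z", SES, "PutAccountDetails", "us-east-1", K2, CONSOLE),
    ev("2025-05-14T11:05:00Z", SUP, "CreateCase", "us-east-1", K2, CONSOLE),
]


def _t(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _by_key(events, pred):
    """Group matching events by access key, each group sorted by time."""
    grouped = defaultdict(list)
    for rec in events:
        if pred(rec):
            grouped[rec["accessKeyId"]].append(rec)
    for recs in grouped.values():
        recs.sort(key=_t)
    return grouped


def multi_region_bursts(events, window=timedelta(seconds=60), min_regions=3):
    """One key calling PutAccountDetails in >= min_regions regions inside `window`."""
    findings = []
    grouped = _by_key(events, lambda r: r["eventSource"] == SES and r["eventName"] == "PutAccountDetails")
    for key, recs in grouped.items():
        for i, start in enumerate(recs):
            regions = {r["awsRegion"] for r in recs[i:] if _t(r) - _t(start) <= window}
            if len(regions) >= min_regions:
                findings.append({"accessKeyId": key, "regions": sorted(regions), "start": start["eventTime"]})
                break  # one finding per key is enough for an alert
    return findings


def non_console_support_cases(events):
    """CreateCase issued through the API rather than the console (succeeded or not)."""
    return [r for r in events if r["eventSource"] == SUP and r["eventName"] == "CreateCase"
            and CONSOLE not in r["userAgent"]]


def rapid_identity_creation(events, window=timedelta(minutes=10), threshold=3):
    """`threshold` or more CreateEmailIdentity calls by one key inside `window`."""
    findings = []
    grouped = _by_key(events, lambda r: r["eventSource"] == SES and r["eventName"] == "CreateEmailIdentity")
    for key, recs in grouped.items():
        for i, start in enumerate(recs):
            count = sum(1 for r in recs[i:] if _t(r) - _t(start) <= window)
            if count >= threshold:
                findings.append({"accessKeyId": key, "count": count, "start": start["eventTime"]})
                break
    return findings


def dormant_key_reactivation(events, dormant=timedelta(days=60)):
    """A key used again after at least `dormant` of silence, across all services."""
    findings = []
    for key, recs in _by_key(events, lambda r: True).items():
        for prev, cur in zip(recs, recs[1:]):
            gap = _t(cur) - _t(prev)
            if gap >= dormant:
                findings.append({"accessKeyId": key, "idle_days": gap.days, "resumed": cur["eventTime"]})
                break
    return findings


def run_all(events=SAMPLE_EVENTS):
    return {
        "multi_region_put_account_details": multi_region_bursts(events),
        "non_console_create_case": non_console_support_cases(events),
        "rapid_create_email_identity": rapid_identity_creation(events),
        "dormant_key_reactivation": dormant_key_reactivation(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_all(), indent=2))
```

Fed with real CloudTrail, each function maps onto one of the indicators the article names; the dormant-key rule fires on the first GetCallerIdentity, before any SES call, which is the earliest point in this chain at which rotating the key would have stopped the campaign. The multi-country indicator is omitted because CloudTrail records only sourceIPAddress, and mapping addresses to countries needs a geolocation source this example does not assume.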
The campaign underscores the critical importance of monitoring cloud service usage for sudden spikes and maintaining vigilance around credential security.
As threat actors continue evolving their techniques to exploit legitimate cloud services, organizations must adapt their defense strategies to address these emerging attack vectors.