Hackers Weaponize Amazon Simple Email Service to Send 50,000+ Malicious Emails Per Day

A sophisticated cybercriminal campaign has emerged, exploiting Amazon’s Simple Email Service (SES) to orchestrate large-scale phishing operations capable of delivering over 50,000 malicious emails daily.

The attack represents a significant evolution in cloud service abuse, transforming AWS’s legitimate bulk email platform into a weapon for credential theft and financial fraud.

The campaign begins with compromised AWS access keys, obtained through common attack vectors including accidental public exposure in code repositories, misconfigured cloud assets, or theft from developer workstations.


Once adversaries secure these credentials, they immediately issue a GetCallerIdentity request, which returns the account ID and the caller’s ARN (and thus the IAM user name) behind the key; keys belonging to users with SES-related naming conventions are prioritised because they signal email-sending access.

Wiz.io researchers identified this May 2025 campaign after detecting unusual patterns in AWS API activity across multiple regions.

The attackers demonstrated remarkable sophistication by implementing a multi-regional approach, simultaneously issuing PutAccountDetails requests across all AWS regions within seconds to escape SES’s default “sandbox” restrictions.

This technique, which Wiz describes as previously undocumented in security literature, lets threat actors escape the sandbox’s limits of 200 messages per 24 hours and one message per second, lift its restriction to verified recipient addresses, and unlock production sending.

The phishing infrastructure targets victims with convincing tax-related content, employing subject lines such as “Your 2024 Tax Form(s) Are Now Ready to View and Print” to maximize engagement rates.

[Figure: Attack chain (Source – Wiz.io)]

These messages redirect users to credential harvesting sites hosted at domains like irss.securesusa.com, utilizing commercial traffic analysis services to obfuscate malicious infrastructure and evade traditional security scanners.

Technical Infrastructure and Evasion Mechanisms

The attackers establish their email infrastructure through systematic domain verification using the CreateEmailIdentity API.

They verify attacker-controlled domains such as managed7.com, street7news.org, and docfilessa.com, as well as legitimate third-party domains whose weak DMARC configurations let spoofed mail pass.

Each verified domain supports multiple email addresses using standard prefixes like admin@, billing@, and noreply@ to appear legitimate in recipient inboxes.

The campaign’s technical sophistication extends to automated privilege escalation attempts.

Seeking quotas beyond the standard production limit, the attackers programmatically opened support cases through the CreateCase API and attempted to create an IAM policy named “ses-support-policy” to grant themselves broader permissions.

Although these elevation attempts failed due to insufficient privileges, the 50,000-email daily quota remained adequate for their operational requirements.

This SES abuse campaign demonstrates how cloud services designed for legitimate business purposes can be weaponized at scale, highlighting the critical need for enhanced monitoring of dormant access keys and unusual cross-regional API activity patterns in cloud environments.
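The following is an added example, not code from Wiz.io or AWS, showing how the CloudTrail signals described above (GetCallerIdentity recon followed by SES calls, PutAccountDetails fanned out across regions, a burst of CreateEmailIdentity calls, and CreateCase / CreatePolicy escalation attempts) can be triaged from exported logs. The records are constructed inline to mirror the campaign; the account ID 123456789012 and the AKIA…EXAMPLE key IDs are the placeholders AWS uses in its own documentation, the `requestParameters` field names are assumed, and the window and count thresholds are assumptions to tune per environment.

```python
"""Triage constructed CloudTrail records for the SES-abuse pattern (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_S = 60          # assumption: burst window for region/identity counting
MIN_REGIONS = 3        # assumption: PutAccountDetails in >= 3 regions is a burst
MIN_IDENTITIES = 3     # assumption: >= 3 new identities in the window is a burst
ESCALATION_CALLS = {   # calls the article reports for quota/permission escalation
    ("support.amazonaws.com", "CreateCase"),
    ("iam.amazonaws.com", "CreatePolicy"),
}


def ev(time, source, name, region, key, user="ses-smtp-user", error=None, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": region,
           "userIdentity": {"accessKeyId": key,
                            "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    if error:
        rec["errorCode"] = error
    if params:
        rec["requestParameters"] = params
    return rec


STOLEN = "AKIAIOSFODNN7EXAMPLE"   # placeholder: the compromised key in this scenario
BENIGN = "AKIAI44QH8DHBEXAMPLE"   # placeholder: a normal key leaving the sandbox in one region

SAMPLE_EVENTS = [
    ev("2025-05-12T08:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", STOLEN),
] + [
    ev(f"2025-05-12T08:00:{5 + i:02d}Z", "ses.amazonaws.com", "PutAccountDetails", r, STOLEN)
    for i, r in enumerate(["us-east-1", "us-west-2", "eu-west-1",
                           "eu-central-1", "ap-southeast-1", "sa-east-1"])
] + [
    ev(f"2025-05-12T08:05:{i:02d}Z", "ses.amazonaws.com", "CreateEmailIdentity", "us-east-1",
       STOLEN, params={"emailIdentity": d})
    for i, d in enumerate(["managed7.com", "street7news.org", "docfilessa.com"])
] + [
    ev("2025-05-12T08:10:00Z", "support.amazonaws.com", "CreateCase", "us-east-1",
       STOLEN, error="AccessDenied"),
    ev("2025-05-12T08:10:30Z", "iam.amazonaws.com", "CreatePolicy", "us-east-1",
       STOLEN, error="AccessDenied", params={"policyName": "ses-support-policy"}),
    ev("2025-05-12T09:00:00Z", "ses.amazonaws.com", "PutAccountDetails", "us-east-1",
       BENIGN, user="marketing-app"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def by_key(events):
    """Group records by access key, ordered by time."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        groups[e["userIdentity"]["accessKeyId"]].append(e)
    return groups


def burst(events, name, value_of, window=WINDOW_S):
    """Largest set of distinct value_of(record) values for API `name` within any window."""
    calls = [(parse_time(e["eventTime"]), value_of(e))
             for e in events if e["eventName"] == name]
    best = set()
    for i, (t0, _) in enumerate(calls):
        seen = {v for t, v in calls[i:]
                if v is not None and (t - t0).total_seconds() <= window}
        best = max(best, seen, key=len)
    return sorted(best)


def multi_region_sandbox_exit(events):
    regions = burst(events, "PutAccountDetails", lambda e: e["awsRegion"])
    return regions if len(regions) >= MIN_REGIONS else []


def identity_burst(events):
    idents = burst(events, "CreateEmailIdentity",
                   lambda e: e.get("requestParameters", {}).get("emailIdentity"))
    return idents if len(idents) >= MIN_IDENTITIES else []


def escalation_attempts(events):
    """Escalation calls, successful or not: a denied CreateCase is still a signal."""
    return [(e["eventName"], e.get("errorCode", "Success"))
            for e in events if (e["eventSource"], e["eventName"]) in ESCALATION_CALLS]


def recon_before_ses(events):
    """True when the key's first call is GetCallerIdentity and SES follows within the window."""
    if not events or events[0]["eventName"] != "GetCallerIdentity":
        return False
    t0 = parse_time(events[0]["eventTime"])
    return any(e["eventSource"] == "ses.amazonaws.com"
               and (parse_time(e["eventTime"]) - t0).total_seconds() <= WINDOW_S
               for e in events[1:])


def analyze(events):
    """Return {access_key: [alert strings]} for keys matching any rule."""
    findings = {}
    for key, evs in by_key(events).items():
        alerts = []
        if recon_before_ses(evs):
            alerts.append("GetCallerIdentity immediately followed by SES API calls")
        if regions := multi_region_sandbox_exit(evs):
            alerts.append(f"PutAccountDetails in {len(regions)} regions within {WINDOW_S}s")
        if idents := identity_burst(evs):
            alerts.append(f"{len(idents)} email identities verified: {', '.join(idents)}")
        if esc := escalation_attempts(evs):
            alerts.append("escalation attempts: " + ", ".join(f"{n} ({r})" for n, r in esc))
        if alerts:
            findings[key] = alerts
    return findings


if __name__ == "__main__":
    for key, alerts in analyze(SAMPLE_EVENTS).items():
        print(key)
        for a in alerts:
            print("  -", a)
```

The benign key exits the sandbox in a single region and trips none of the rules, which is the point of keying on region fan-out within seconds rather than on PutAccountDetails alone; in a real deployment the same functions would run over records pulled from a CloudTrail Lake query or an S3 trail export, with the thresholds raised or lowered to fit the account’s normal SES usage.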


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.