Cyber Web Spider Blog – News

Hackers Weaponize Amazon Simple Email Service to Send 50,000+ Malicious Emails Per Day

Posted on September 8, 2025 By CWS

A sophisticated cybercriminal campaign has emerged, exploiting Amazon’s Simple Email Service (SES) to orchestrate large-scale phishing operations capable of delivering over 50,000 malicious emails per day.

The attack represents a significant evolution in cloud service abuse, turning AWS’s legitimate bulk email platform into a weapon for credential theft and financial fraud.

The campaign begins with compromised AWS access keys, obtained through common attack vectors including accidental public exposure in code repositories, misconfigured cloud assets, or theft from developer workstations.

Once adversaries secure these credentials, they immediately probe the environment using GetCallerIdentity requests to assess available permissions, specifically targeting accounts with SES-related naming conventions that indicate email service access.

Wiz.io researchers identified this May 2025 campaign after detecting unusual patterns in AWS API activity across multiple regions.

The attackers demonstrated remarkable sophistication by implementing a multi-regional approach, simultaneously issuing PutAccountDetails requests across all AWS regions within seconds to escape SES’s default “sandbox” restrictions.

This technique, previously undocumented in security literature, allows threat actors to bypass the standard 200-email daily limit and unlock production mode capabilities.

The phishing infrastructure targets victims with convincing tax-related content, using subject lines such as “Your 2024 Tax Form(s) Are Now Ready to View and Print” to maximize engagement rates.

Attack chain (Source – Wiz.io)

These messages redirect users to credential harvesting sites hosted at domains like irss.securesusa.com, using commercial traffic analysis services to obfuscate malicious infrastructure and evade traditional security scanners.

Technical Infrastructure and Evasion Mechanisms

The attackers establish their email infrastructure through systematic domain verification using the CreateEmailIdentity API.

They register both attacker-controlled domains, including managed7.com, street7news.org, and docfilessa.com, and legitimate domains with weak DMARC configurations that facilitate email spoofing.

Each verified domain supports multiple email addresses using standard prefixes like admin@, billing@, and noreply@ to appear legitimate in recipient inboxes.

The campaign’s technical sophistication extends to automated privilege escalation attempts.

When standard production quotas proved insufficient, attackers programmatically created support tickets through the CreateCase API and attempted to establish IAM policies named “ses-support-policy” to gain enhanced permissions.

Although these elevation attempts failed due to insufficient privileges, the 50,000-email daily quota remained sufficient for their operational requirements.

This SES abuse campaign demonstrates how cloud services designed for legitimate business purposes can be weaponized at scale, highlighting the critical need for enhanced monitoring of dormant access keys and unusual cross-regional API activity patterns in cloud environments.
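The cross-regional PutAccountDetails burst described above can be hunted for in CloudTrail records. The following is an added example, not code from the article or from Wiz; the sample records, key IDs, and the 60-second / 3-region thresholds are constructed assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, source, name, region, key):
    # Build a record using CloudTrail field names (values are constructed).
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"accessKeyId": key}}

# Constructed sample records, not real telemetry; key IDs are placeholders.
SAMPLE_EVENTS = [
    _ev("2025-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", "AKIAEXAMPLEBURST0001"),
    _ev("2025-05-01T10:00:05Z", "ses.amazonaws.com", "PutAccountDetails", "us-east-1", "AKIAEXAMPLEBURST0001"),
    _ev("2025-05-01T10:00:06Z", "ses.amazonaws.com", "PutAccountDetails", "us-west-2", "AKIAEXAMPLEBURST0001"),
    _ev("2025-05-01T10:00:07Z", "ses.amazonaws.com", "PutAccountDetails", "eu-west-1", "AKIAEXAMPLEBURST0001"),
    _ev("2025-05-01T10:00:08Z", "ses.amazonaws.com", "PutAccountDetails", "ap-southeast-1", "AKIAEXAMPLEBURST0001"),
    _ev("2025-05-02T09:00:00Z", "ses.amazonaws.com", "PutAccountDetails", "us-east-1", "AKIAEXAMPLEADMIN0002"),
    _ev("2025-05-02T11:00:00Z", "ses.amazonaws.com", "PutAccountDetails", "eu-west-1", "AKIAEXAMPLEADMIN0002"),
]

def find_multi_region_bursts(events, window_seconds=60, min_regions=3):
    """Map access key ID -> regions where it called SES PutAccountDetails
    in at least min_regions distinct regions within window_seconds."""
    calls_by_key = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("ses.amazonaws.com", "PutAccountDetails"):
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:  # records without an access key ID are skipped
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            calls_by_key[key].append((when, ev["awsRegion"]))

    window = timedelta(seconds=window_seconds)
    flagged = defaultdict(set)
    for key, calls in calls_by_key.items():
        calls.sort()
        start = 0
        for end, (when, _) in enumerate(calls):
            while when - calls[start][0] > window:  # slide window start forward
                start += 1
            regions = {region for _, region in calls[start:end + 1]}
            if len(regions) >= min_regions:
                flagged[key] |= regions
    return {key: sorted(regions) for key, regions in flagged.items()}

if __name__ == "__main__":
    for key, regions in find_multi_region_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {key}: PutAccountDetails in {len(regions)} regions: {regions}")
```

The same sliding-window grouping can be pointed at CreateEmailIdentity or CreateCase events to cover the later stages the article describes.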
