Cybercriminals have found a new way to launch large-scale phishing campaigns by exploiting Amazon's Simple Email Service (SES). Researchers from Wiz.io identified a sophisticated operation that used legitimate AWS cloud infrastructure to send over 50,000 malicious emails daily.
How the Attack Works
The campaign begins when attackers obtain compromised AWS access keys, which are often found exposed in code repositories or misconfigured cloud assets. Once they have the keys, they check for accounts with SES permissions to see if they can send emails.
The attackers used a previously undocumented technique to get past SES's default 200-email daily limit. They issued "PutAccountDetails" requests across all AWS regions at once, which allowed them to bypass the security restrictions and unlock production-level email sending capabilities.
The phishing emails were designed to look like official tax notifications, with subject lines like "Your 2024 Tax Form(s) Are Now Ready to View and Print." These messages redirected victims to fake websites designed to steal their login credentials. The attackers also used commercial services to hide their malicious infrastructure and avoid detection.
Technical Sophistication
To make the emails look legitimate, the attackers used the "CreateEmailIdentity" API to verify both their own domains and legitimate domains with weak security settings. They created multiple email addresses for each verified domain, using common prefixes like admin@ and noreply@ to appear authentic.
The attackers even tried to escalate their privileges by creating support tickets to get more permissions, though these attempts failed. However, the daily quota of 50,000 emails was more than enough for their operations. This campaign highlights how a service designed for business can be turned into a powerful weapon. It's a clear reminder that companies need to be more vigilant in monitoring for unusual activity in their cloud environments.
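One way to monitor for the multi-region "PutAccountDetails" burst described above is sketched below. This is an added example, not code from the researchers or the original article. It assumes CloudTrail records have already been exported as JSON objects; the sample events, access key IDs, region threshold and time window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REGION_THRESHOLD = 3            # assumption: tune to your environment
WINDOW = timedelta(minutes=10)  # assumption: burst window

def _ev(name, region, time, key):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": "ses.amazonaws.com", "eventName": name,
            "awsRegion": region, "eventTime": time,
            "userIdentity": {"accessKeyId": key}}

# Constructed events; the key IDs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    _ev("PutAccountDetails", "us-east-1", "2025-01-01T10:00:01Z", "AKIAEXAMPLEKEY000001"),
    _ev("PutAccountDetails", "us-west-2", "2025-01-01T10:00:03Z", "AKIAEXAMPLEKEY000001"),
    _ev("PutAccountDetails", "eu-west-1", "2025-01-01T10:00:04Z", "AKIAEXAMPLEKEY000001"),
    _ev("CreateEmailIdentity", "us-east-1", "2025-01-01T10:05:00Z", "AKIAEXAMPLEKEY000001"),
    # Same key, one region, days apart: ordinary administration, not a burst.
    _ev("PutAccountDetails", "eu-central-1", "2025-01-01T09:00:00Z", "AKIAEXAMPLEKEY000002"),
    _ev("PutAccountDetails", "eu-central-1", "2025-01-03T09:00:00Z", "AKIAEXAMPLEKEY000002"),
]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_multi_region_ses_bursts(events, threshold=REGION_THRESHOLD, window=WINDOW):
    """Return {access_key_id: sorted regions} for keys that called
    PutAccountDetails in at least `threshold` regions within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        if ev.get("eventName") != "PutAccountDetails":
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key[key].append((parse_time(ev["eventTime"]), ev["awsRegion"]))
    alerts = {}
    for key, calls in by_key.items():
        calls.sort()
        # Slide a window forward from each call and count distinct regions.
        for i, (start, _) in enumerate(calls):
            regions = {r for t, r in calls[i:] if t - start <= window}
            if len(regions) >= threshold:
                alerts[key] = sorted(regions)
                break
    return alerts

if __name__ == "__main__":
    for key, regions in find_multi_region_ses_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {key}: PutAccountDetails in {len(regions)} regions: {regions}")
```

Failed calls are counted along with successful ones, since a key probing regions where SES is unavailable is part of the same pattern.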