
Phishing artists exploited Amazon Simple Email
Service (SES) to stage a widespread campaign earlier this year, according to a report by Wiz Research.
The effort stood out for its “impact and the use of previously unseen attack patterns,” Wiz writes.
First, the bad actors used a compromised key to “access the victim’s AWS environment, bypass SES’s built-in restrictions,
verify new ‘sender’ identities, and methodically prepare and conduct a phishing operation,” the report says.
They also issued GetSendQuota and GetAccount calls, “both intended to reveal the current state of the SES configuration and whether the account was still restricted to sandbox limits,” Wiz adds.
Within ten seconds, “we observed a burst of PutAccountDetails requests that fanned out across all AWS regions - a strong indicator of automation and a clear attempt to push the SES account into production mode,” the report continues.
The attacker was able to reach the 50,000-emails-per-day default production quota, although attempts to raise it beyond that failed.
The campaign targeted “multiple organizations without a clear geographical or industry focus,” the report continues.
The phishing messages referenced 2024 tax forms, with subjects such as “Your 2024 Tax Form(s) Are Now Ready to View and Print - Reference Number: XXXX” and
“Information Alert: Tax Records Contain Anomalies# XXXX”.
Wiz describes these solutions for avoiding such schemes (and we quote):
- Restrict SES if unused: Apply an AWS Service Control Policy (SCP) to block SES entirely in accounts where it isn’t needed.
- Audit and rotate keys:
Regularly rotate IAM keys, and monitor for dormant keys that suddenly become active again.
- Enforce least privilege: Ensure only designated roles and identities can verify new
senders or request production access.
- Log and alert on SES activity: Use CloudTrail to track SES API calls such as PutAccountDetails, and watch for spikes
in SendEmail usage or unusual sender additions.
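The last recommendation, and the attack sequence described earlier (recon with GetSendQuota/GetAccount, a PutAccountDetails burst across regions, then new sender identities), can be turned into concrete CloudTrail detection logic. The script below is an added example written for this article, not code from Wiz or from AWS. The events it processes are constructed sample records in CloudTrail's JSON shape (field names eventTime, eventSource, eventName, awsRegion, userIdentity), the access key IDs and ARNs are made up, and the thresholds (three regions in ten seconds, recon within five minutes of escalation) and the sender-admin allow list are assumptions a team would tune for its own environment.

```python
"""Three detectors for the SES abuse pattern, run over constructed CloudTrail records.

Added example for this article; not Wiz's or AWS's code. All key IDs, ARNs and
timestamps below are constructed sample data, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SES_SOURCE = "ses.amazonaws.com"
RECON_CALLS = {"GetSendQuota", "GetAccount"}            # "is this account still sandboxed?"
SENDER_CALLS = {"VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity"}

# Assumed allow list: the only principals that should verify senders or change account details.
ALLOWED_SENDER_ADMINS = {"arn:aws:sts::111122223333:assumed-role/SesAdmin/ops"}


def ev(time, name, region, key="AKIAEXAMPLE1", arn="arn:aws:iam::111122223333:user/build-svc"):
    """Build one minimal CloudTrail-shaped record (constructed, not a real log line)."""
    return {"eventTime": time, "eventSource": SES_SOURCE, "eventName": name, "awsRegion": region,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key, "arn": arn}}


ADMIN_KEY, ADMIN_ARN = "ASIAEXAMPLE2", "arn:aws:sts::111122223333:assumed-role/SesAdmin/ops"
SAMPLE_EVENTS = [
    # Benign: an SES admin requests production access in one region, no recon before it.
    ev("2025-03-01T09:00:00Z", "PutAccountDetails", "us-east-1", ADMIN_KEY, ADMIN_ARN),
    # Compromised key: recon, then a fan-out burst, then a new sender identity.
    ev("2025-03-01T10:00:00Z", "GetSendQuota", "us-east-1"),
    ev("2025-03-01T10:00:01Z", "GetAccount", "us-east-1"),
    ev("2025-03-01T10:00:05Z", "PutAccountDetails", "us-east-1"),
    ev("2025-03-01T10:00:06Z", "PutAccountDetails", "us-west-2"),
    ev("2025-03-01T10:00:07Z", "PutAccountDetails", "eu-west-1"),
    ev("2025-03-01T10:00:08Z", "PutAccountDetails", "ap-southeast-1"),
    ev("2025-03-01T10:00:09Z", "PutAccountDetails", "eu-central-1"),
    ev("2025-03-01T10:02:00Z", "VerifyEmailIdentity", "us-east-1"),
    # Benign: the admin adds a sender through the allowed role.
    ev("2025-03-01T10:02:30Z", "CreateEmailIdentity", "us-east-1", ADMIN_KEY, ADMIN_ARN),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ses_events(events):
    return [e for e in events if e.get("eventSource") == SES_SOURCE]


def detect_production_fanout(events, window_seconds=10, min_regions=3):
    """Flag an access key that issued PutAccountDetails in >= min_regions distinct regions
    inside a sliding window of window_seconds: the automated push to production mode."""
    by_key = defaultdict(list)
    for e in ses_events(events):
        if e["eventName"] == "PutAccountDetails":
            by_key[e["userIdentity"]["accessKeyId"]].append((parse_time(e["eventTime"]), e["awsRegion"]))
    findings = []
    for key, calls in by_key.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            regions = sorted({r for t, r in calls[i:] if t - start <= timedelta(seconds=window_seconds)})
            if len(regions) >= min_regions:
                findings.append({"accessKeyId": key, "regions": regions, "start": start.isoformat()})
                break  # one finding per key is enough for an alert
    return findings


def detect_recon_before_escalation(events, max_gap_minutes=5):
    """Return keys whose first GetSendQuota/GetAccount call was followed by PutAccountDetails
    within max_gap_minutes: the "check the sandbox state, then push to production" sequence."""
    first_recon, first_push = {}, {}
    for e in ses_events(events):
        key, t = e["userIdentity"]["accessKeyId"], parse_time(e["eventTime"])
        if e["eventName"] in RECON_CALLS:
            first_recon[key] = min(first_recon.get(key, t), t)
        elif e["eventName"] == "PutAccountDetails":
            first_push[key] = min(first_push.get(key, t), t)
    gap = timedelta(minutes=max_gap_minutes)
    return sorted(k for k in first_push if k in first_recon
                  and timedelta(0) <= first_push[k] - first_recon[k] <= gap)


def detect_unexpected_sender_verification(events, allowed_arns=ALLOWED_SENDER_ADMINS):
    """Flag sender-identity verification by any principal outside the allow list
    (the least-privilege control from the list above, expressed as a detection)."""
    return [{"accessKeyId": e["userIdentity"]["accessKeyId"], "arn": e["userIdentity"]["arn"],
             "eventName": e["eventName"], "region": e["awsRegion"]}
            for e in ses_events(events)
            if e["eventName"] in SENDER_CALLS and e["userIdentity"]["arn"] not in allowed_arns]


if __name__ == "__main__":
    print("fan-out:", detect_production_fanout(SAMPLE_EVENTS))
    print("recon then escalation:", detect_recon_before_escalation(SAMPLE_EVENTS))
    print("unexpected sender verification:", detect_unexpected_sender_verification(SAMPLE_EVENTS))
```

On the constructed sample the admin's single-region PutAccountDetails produces no finding, while the compromised key trips all three detectors. In production the same functions would be fed CloudTrail records from an organization trail or a SIEM query rather than the inline list; the PutAccountDetails fan-out is the highest-signal rule, since legitimate production requests are rare and almost never span several regions in seconds.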
The full report can be found here.