An AWS access key compromise led to a sophisticated SES abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES sandbox, a novel technique in SES abuse. The campaign involved creating multiple email identities using attacker-owned and legitimate domains with weak DMARC protections. The subsequent phishing campaign targeted various organizations, using tax-related lures to steal credentials. This incident highlights the importance of monitoring cloud service usage, especially for services like SES that can be exploited for monetization. Author: AlienVault
Related Tags:
sandbox escape
T1098.003
T1078.004
cloud security
T1584.001
T1583.001
T1098
AWS
T1526
Associated Indicators:
managed7.com