From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
An AWS access key compromise led to a sophisticated SES abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES sandbox, a novel technique in SES abuse. The campaign involved creating multiple email identities using attacker-owned and legitimate domains with weak DMARC protections. The subsequent phishing campaign targeted various organizations, using tax-related lures to steal credentials. This incident highlights the importance of monitoring cloud service usage, especially for services like SES that can be exploited for monetization.
OPENCTI LABELS:
phishing,aws,cloud security,sandbox escape,email service
AI COMMENTARY:
1. Introduction: From the moment an AWS access key was compromised in May 2025, attackers set in motion a chain of events that would culminate in one of the most sophisticated cloud email service takeovers to date. The breach centered on AWS Simple Email Service, commonly known as SES, which provides a scalable email-sending service for businesses worldwide. By exploiting a single stolen key, the adversary escalated from an initial cloud intrusion to a full-scale phishing campaign, demonstrating how cloud resources can be weaponized for financial gain and credential theft.
2. The Key Compromise and Service Abuse: At the heart of this incident lay the unauthorized use of a compromised AWS access key that granted SES privileges. The attacker bypassed built-in SES restrictions by issuing multi-regional PutAccountDetails requests, a novel sandbox escape technique never before observed in SES abuse. By verifying new sender identities across multiple regions, they effectively sidestepped sandbox limits and gained the ability to send large volumes of email messages. This method highlights an emerging threat vector in which cloud APIs intended for legitimate account management can be repurposed for malicious ends.
3. DNS and DMARC Weaknesses: With the SES sandbox no longer an obstacle, the perpetrator registered email identities using both attacker-owned domains and legitimate business domains with weak DMARC protections. Domains with misconfigured or absent DMARC policies became unwitting hosts for spoofed sender addresses. By leveraging these DNS vulnerabilities, the threat actors maximized deliverability rates and evaded email security filters that rely on domain authentication. The absence of strict domain alignment essentially opened the door for a high-volume phishing campaign across multiple industries.
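The paragraph above turns on what a "weak DMARC protection" actually is: a missing record, a `p=none` policy, a partial `pct=`, an unprotected subdomain policy, or no reporting address. The following is an added example (not code from the report or from OpenCTI) that parses a DMARC TXT record and lists these weaknesses so a defender can audit their own domains before an attacker claims them as sender identities. The domains and records below are constructed for illustration; the function names `parse_dmarc`, `assess_dmarc`, `is_spoofable` and `audit` are this example's own.

```python
"""Assess DMARC TXT records for the weaknesses that let a third party claim
a domain as a sender identity.

Added example; the domains and records below are constructed, not taken
from the report."""


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC1 record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses (empty list means an enforcing, aligned policy)."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: receivers apply no policy to unauthenticated mail"]
    issues = []
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag: record is unusable")
    elif p == "none":
        issues.append("p=none: authentication failures are reported but still delivered")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # Subdomain policy defaults to the organizational policy when sp= is absent.
    sp = tags.get("sp", p).lower()
    if p in ("quarantine", "reject") and sp == "none":
        issues.append("sp=none: subdomains can be used without enforcement")
    # Relaxed alignment is the RFC default; flag it as a note, not a failure.
    if p in ("quarantine", "reject") and (
        tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r"
    ):
        issues.append("note: relaxed alignment (adkim/aspf=r): any subdomain of the organizational domain aligns")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected, so abuse goes unseen")
    return issues


def is_spoofable(record):
    """True when a receiver will deliver a message that fails authentication."""
    tags = parse_dmarc(record)
    return tags is None or tags.get("p", "").lower() == "none"


# Constructed records for illustration (reserved example names, not real zones).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; pct=10; sp=none",
    "example.test": None,  # no record published at all
}


def audit(records):
    """Map each domain to its spoofability verdict and the list of issues found."""
    return {domain: {"spoofable": is_spoofable(rec), "issues": assess_dmarc(rec)}
            for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(domain, "spoofable" if verdict["spoofable"] else "enforced", verdict["issues"])
```

In production the `record` argument would come from a TXT lookup of `_dmarc.<domain>`; the parser is deliberately tolerant of whitespace and tag case because that is how records appear in the wild.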
4. Anatomy of the Phishing Campaign: Once email service abuse was firmly entrenched, the attacker launched a tax-related phishing operation targeting various organizations. Using credible email templates that mimicked official tax authorities, they induced recipients to click malicious links and submit sensitive credentials. The campaign ran at a high tempo, dispatching thousands of messages daily while rotating sender identities to stay under rate-limiting safeguards. The well-crafted social engineering content underscored the convergence of traditional phishing tactics with cloud infrastructure abuse.
5. Lessons Learned and Mitigation Strategies: This incident underscores the critical need for real-time monitoring of cloud services, especially SES, which can be monetized by threat actors once sandbox boundaries are breached. Organizations should enforce strict IAM policies, rotate access keys regularly, and implement anomaly detection for unusual API activity such as multi-regional PutAccountDetails calls. On the domain front, robust DMARC, DKIM, and SPF configurations are essential to prevent unauthorized identity claims. Finally, ongoing threat intel sharing and security awareness training can help defenders spot and disrupt similar phishing campaigns before significant damage occurs.
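Sections 2 and 5 describe the signal a defender should look for: one access key issuing `PutAccountDetails` across several regions, followed by a burst of identity creation or verification calls. The following is an added example (not code from the report or from OpenCTI) of that detection logic run over CloudTrail-style records. The records, key ids and timestamps are constructed; the field names (`eventSource`, `eventName`, `awsRegion`, `eventTime`, `userIdentity.accessKeyId`) follow the CloudTrail record format, and the thresholds, the `detect_ses_abuse` function and the rule names are this example's own choices.

```python
"""Flag multi-region SES PutAccountDetails calls and identity-verification
bursts in CloudTrail records.

Added example for the incident above; the records, key ids and timestamps
below are constructed and do not come from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

SES_SOURCE = "ses.amazonaws.com"
# PutAccountDetails is the API the report ties to the multi-region sandbox escape.
SANDBOX_CALLS = {"PutAccountDetails"}
# Calls used to add sender identities once the sandbox is no longer a limit.
IDENTITY_CALLS = {"CreateEmailIdentity", "VerifyEmailIdentity", "VerifyDomainIdentity"}

COMPROMISED_KEY = "AKIA_EXAMPLE_COMPROMISED"  # placeholder, not a real key id
BENIGN_KEY = "AKIA_EXAMPLE_BENIGN"            # placeholder, not a real key id


def _rec(key, name, region, when):
    """Build a minimal CloudTrail-style record with only the fields the detector reads."""
    return {
        "eventSource": SES_SOURCE,
        "eventName": name,
        "awsRegion": region,
        "eventTime": when,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
    }


# Constructed sample: one key escapes the sandbox in three regions and then
# creates three identities in fifteen minutes; a second key behaves normally.
SAMPLE_EVENTS = [
    _rec(COMPROMISED_KEY, "PutAccountDetails", "us-east-1", "2025-05-10T01:00:00Z"),
    _rec(COMPROMISED_KEY, "PutAccountDetails", "eu-west-1", "2025-05-10T01:02:00Z"),
    _rec(COMPROMISED_KEY, "PutAccountDetails", "ap-southeast-1", "2025-05-10T01:03:00Z"),
    _rec(COMPROMISED_KEY, "CreateEmailIdentity", "us-east-1", "2025-05-10T01:10:00Z"),
    _rec(COMPROMISED_KEY, "CreateEmailIdentity", "us-east-1", "2025-05-10T01:12:00Z"),
    _rec(COMPROMISED_KEY, "CreateEmailIdentity", "eu-west-1", "2025-05-10T01:15:00Z"),
    _rec(BENIGN_KEY, "PutAccountDetails", "us-east-1", "2025-05-10T09:00:00Z"),
    _rec(BENIGN_KEY, "GetSendQuota", "us-east-1", "2025-05-10T09:05:00Z"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_ses_abuse(events, region_threshold=2, identity_threshold=3,
                     window=timedelta(hours=1)):
    """Return one finding per key that called PutAccountDetails in at least
    region_threshold regions, and one per key that created or verified at
    least identity_threshold identities inside `window`."""
    regions_by_key = defaultdict(set)
    identity_times = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != SES_SOURCE:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        name = ev.get("eventName")
        if name in SANDBOX_CALLS:
            regions_by_key[key].add(ev["awsRegion"])
        elif name in IDENTITY_CALLS:
            identity_times[key].append(parse_time(ev["eventTime"]))

    findings = []
    for key in sorted(regions_by_key):
        regions = regions_by_key[key]
        if len(regions) >= region_threshold:
            findings.append({"accessKeyId": key,
                             "rule": "multi_region_put_account_details",
                             "regions": sorted(regions)})
    for key in sorted(identity_times):
        times = sorted(identity_times[key])
        # Sliding window: report the first start time with enough events inside it.
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= identity_threshold:
                findings.append({"accessKeyId": key,
                                 "rule": "identity_verification_burst",
                                 "count": len(burst),
                                 "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ")})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_ses_abuse(SAMPLE_EVENTS):
        print(finding)
```

A single `PutAccountDetails` in one region is routine when an account legitimately requests production access, which is why the rule keys on region count rather than on the call itself; tune `region_threshold` and `window` to the account's normal behaviour, and feed the same records to a key-rotation workflow so a flagged key is disabled rather than merely reported.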
6. Conclusion: The takeover of a cloud email service through compromised AWS credentials represents a major escalation in phishing capabilities. By combining a novel sandbox escape with domain spoofing and sophisticated social engineering, attackers can weaponize cloud resources at scale. As organizations continue to migrate services to cloud providers, proactive monitoring, rigorous identity verification, and layered email security controls will be indispensable for defending against the next generation of phishing threats.