Hackers Exploit Amazon SES to Blast Over 50,000 Malicious Emails Daily

  • Published September 11, 2025

A recent cybersecurity breach involved the exploitation of compromised AWS credentials to misuse Amazon’s Simple Email Service (SES), resulting in the transmission of over 50,000 phishing emails daily. This campaign, identified by Wiz Research in May 2025, underscores the misuse of legitimate cloud services for fraudulent activities.

AWS SES Exploitation

The attack began with unauthorized access to AWS credentials, likely obtained through public exposure or theft. The attackers used these credentials to identify SES permissions and subsequently conduct a large-scale phishing operation.

Initially, the attackers conducted reconnaissance with the GetCallerIdentity, GetSendQuota, and GetAccount API calls to assess the account’s capabilities and determine its operational constraints.

Bypassing Security Restrictions

Amazon SES accounts are initially set to “sandbox” mode, limiting the sending of emails. To exploit SES’s full potential, attackers aimed to transition accounts to “production” mode. They submitted requests across multiple AWS regions to maximize their email sending capabilities, eventually gaining approval for production mode access.

Once in production mode, the attackers attempted to expand their email quota through various methods, including programmatic support requests and creating new IAM policies, although these attempts were unsuccessful.

Phishing Campaign Execution

With the phishing infrastructure established, the attackers launched a campaign targeting multiple organizations. The emails, posing as official tax documents, redirected recipients to credential theft sites.

This strategy utilized commercial traffic analysis services to evade security measures and track user interactions.

Security Implications and Risks

The campaign highlights significant security concerns for organizations utilizing cloud services. Attackers can send emails from verified domains, facilitating phishing that mimics legitimate organizational communication. This poses risks such as spear phishing, data theft, and business process masquerading.

Beyond email abuse, compromised AWS credentials indicate broader vulnerabilities, potentially allowing adversaries to execute more damaging activities across cloud infrastructures. Additionally, phishing activities could result in abuse complaints to AWS, disrupting business operations.

Defense and Prevention Strategies

To mitigate SES abuse, organizations should:

  • Implement AWS Service Control Policies to restrict unnecessary SES usage.
  • Regularly audit and rotate IAM keys to prevent long-term compromise.
  • Enforce least privilege principles to control SES access.
  • Utilize CloudTrail for comprehensive logging and alerting on SES activity.
  • Monitor for multi-regional API requests and other suspicious indicators.
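
As an added illustration of the last two points (not code from Wiz or from the original article), the sketch below scans CloudTrail-style records for an access key that submits SES production-access requests in several regions within a short window, and reports any of the reconnaissance calls named above made with the same key. It assumes the production-access request appears as the SESv2 `PutAccountDetails` event; the thresholds, access key IDs, and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {"GetCallerIdentity", "GetSendQuota", "GetAccount"}  # calls named in the article
PROD_REQUEST = "PutAccountDetails"  # assumed: SESv2 call that requests production access
SOURCES = {"ses.amazonaws.com", "sts.amazonaws.com"}
WINDOW = timedelta(minutes=10)  # assumed burst window, tune per environment
MIN_REGIONS = 3                 # assumed threshold, tune per environment

def when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_ses_abuse(records):
    """Map access key id -> finding for keys requesting production access in many regions."""
    by_key = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key and rec.get("eventSource") in SOURCES:
            by_key[key].append(rec)
    findings = {}
    for key, events in by_key.items():
        events.sort(key=when)
        reqs = [e for e in events if e["eventName"] == PROD_REQUEST]
        best = set()
        for i, first in enumerate(reqs):  # widest region spread inside one WINDOW
            regions = {e["awsRegion"] for e in reqs[i:] if when(e) - when(first) <= WINDOW}
            best = max(best, regions, key=len)
        if len(best) >= MIN_REGIONS:
            findings[key] = {
                "regions": sorted(best),
                "recon_calls": sorted({e["eventName"] for e in events} & RECON),
                "source_ips": sorted({e["sourceIPAddress"] for e in events}),
            }
    return findings

def ev(time, source, name, region, key, ip):
    """Build a constructed CloudTrail-style record with only the fields used above."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed sample events (not from the incident); keys and IPs are placeholders.
BAD, OK, SES, STS = "AKIAEXAMPLESTOLEN000", "AKIAEXAMPLEADMIN0000", "ses.amazonaws.com", "sts.amazonaws.com"
SAMPLE = [
    ev("2025-05-01T03:00:00Z", STS, "GetCallerIdentity", "us-east-1", BAD, "198.51.100.7"),
    ev("2025-05-01T03:00:05Z", SES, "GetSendQuota", "us-east-1", BAD, "198.51.100.7"),
    ev("2025-05-01T03:00:07Z", SES, "GetAccount", "us-east-1", BAD, "198.51.100.7"),
    ev("2025-05-01T03:00:10Z", SES, PROD_REQUEST, "us-east-1", BAD, "198.51.100.7"),
    ev("2025-05-01T03:00:12Z", SES, PROD_REQUEST, "us-west-2", BAD, "198.51.100.7"),
    ev("2025-05-01T03:00:15Z", SES, PROD_REQUEST, "eu-west-1", BAD, "198.51.100.7"),
    ev("2025-05-01T09:30:00Z", SES, "GetAccount", "us-east-1", OK, "203.0.113.20"),
    ev("2025-05-01T09:31:00Z", SES, PROD_REQUEST, "us-east-1", OK, "203.0.113.20"),
]
```

Calling `find_ses_abuse(SAMPLE)` flags only the key that hit three regions in five seconds; the single-region request from the second key is left alone.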

Security platforms like Wiz Defend offer detection rules to identify such attack patterns early, enabling security teams to respond before threats escalate.

The incident emphasizes the need for vigilant monitoring of cloud service usage and maintaining credential security to prevent similar breaches in the future.

Written By
Danielle Frost
