
Hackers Weaponize Amazon Simple Email Service to Send 50,000+ Malicious Emails Per Day

Published September 11, 2025

Cybersecurity

An advanced cybercriminal campaign has emerged, exploiting Amazon Simple Email Service (SES) to conduct extensive phishing operations, delivering over 50,000 malicious emails daily. This represents a significant evolution in cloud service misuse, utilizing AWS’s legitimate bulk email platform for credential theft and financial fraud.

Technical Details

The campaign initiates with compromised AWS access keys, acquired through methods such as public exposure in code repositories, misconfigured cloud assets, or theft from developer workstations. Once obtained, adversaries utilize GetCallerIdentity requests to assess permissions, specifically targeting accounts with SES access.

Researchers at Wiz.io identified this campaign in May 2025, observing unusual AWS API activity across multiple regions. Attackers employ a sophisticated multi-regional approach, executing PutAccountDetails requests across all AWS regions within seconds to bypass SES’s default “sandbox” restrictions. This technique allows them to exceed the standard 200-email daily limit and unlock production mode capabilities.

Phishing Techniques

The phishing infrastructure uses tax-related content to target victims, with subject lines such as “Your 2024 Tax Form(s) Are Now Ready to View and Print” to enhance engagement. These emails direct recipients to credential harvesting sites hosted on domains like irss.securesusa.com, using commercial traffic analysis services to evade security scanners.

Infrastructure and Evasion

The attackers establish their email infrastructure via systematic domain verification using the CreateEmailIdentity API. They register both attacker-controlled domains and legitimate domains with weak DMARC configurations to facilitate email spoofing. Verified domains support multiple email addresses with standard prefixes like admin@, billing@, and noreply@ to appear legitimate.

The campaign’s technical sophistication includes automated privilege escalation attempts. When standard quotas are insufficient, attackers create support tickets through the CreateCase API and attempt to establish IAM policies named “ses-support-policy” for enhanced permissions. Although these attempts failed, the 50,000-email daily quota suffices for their operations.

This SES abuse campaign highlights the potential for cloud services designed for legitimate purposes to be weaponized at scale, underscoring the need for enhanced monitoring of dormant access keys and unusual cross-regional API activity in cloud environments.
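The cross-regional burst described above is a concrete thing to hunt for in CloudTrail. The following detector is an added example, not code from the Wiz research or from AWS: it flags any access key that calls PutAccountDetails in several regions within a short window and lists the follow-on identity and support-case activity from the same key. The sample events and the access key IDs are constructed, and only the CloudTrail fields the detector reads are modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(key, name, region, ts, source="ses.amazonaws.com"):
    # Minimal CloudTrail-shaped record (only the fields the detector reads).
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"accessKeyId": key}}

# Constructed sample events, not real telemetry. KEY1 mimics the campaign:
# PutAccountDetails in four regions within five seconds, then domain
# verification and a support case. KEY2 is ordinary single-region use.
SAMPLE_EVENTS = [
    ev("AKIAEXAMPLEKEY1", "PutAccountDetails", "us-east-1", "2025-05-10T10:00:00Z"),
    ev("AKIAEXAMPLEKEY1", "PutAccountDetails", "eu-west-1", "2025-05-10T10:00:02Z"),
    ev("AKIAEXAMPLEKEY1", "PutAccountDetails", "ap-southeast-1", "2025-05-10T10:00:04Z"),
    ev("AKIAEXAMPLEKEY1", "PutAccountDetails", "us-west-2", "2025-05-10T10:00:05Z"),
    ev("AKIAEXAMPLEKEY1", "CreateEmailIdentity", "us-east-1", "2025-05-10T10:01:00Z"),
    ev("AKIAEXAMPLEKEY1", "CreateCase", "us-east-1", "2025-05-10T10:02:00Z", "support.amazonaws.com"),
    ev("AKIAEXAMPLEKEY2", "PutAccountDetails", "us-east-1", "2025-05-10T09:00:00Z"),
    ev("AKIAEXAMPLEKEY2", "SendEmail", "us-east-1", "2025-05-10T09:30:00Z"),
]

# Follow-on API calls the article associates with the campaign.
FOLLOW_ON = {"CreateEmailIdentity", "CreateCase", "CreatePolicy"}

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_multi_region_ses_setup(events, window_seconds=60, min_regions=3):
    """Flag access keys that call PutAccountDetails in >= min_regions distinct
    regions inside any window of window_seconds. Returns
    {key: {"regions": [...], "follow_on": [...]}} so an analyst sees both the
    sandbox-bypass burst and later identity/support activity from that key."""
    calls = defaultdict(list)
    for e in events:
        if e["eventName"] == "PutAccountDetails":
            calls[e["userIdentity"]["accessKeyId"]].append((_t(e["eventTime"]), e["awsRegion"]))
    findings = {}
    for key, seq in calls.items():
        seq.sort()
        for t0, _ in seq:
            regions = {r for t, r in seq if t0 <= t <= t0 + timedelta(seconds=window_seconds)}
            if len(regions) >= min_regions:
                later = sorted({e["eventName"] for e in events
                                if e["userIdentity"]["accessKeyId"] == key
                                and e["eventName"] in FOLLOW_ON and _t(e["eventTime"]) >= t0})
                findings[key] = {"regions": sorted(regions), "follow_on": later}
                break
    return findings

if __name__ == "__main__":
    for key, f in detect_multi_region_ses_setup(SAMPLE_EVENTS).items():
        print(f"{key}: PutAccountDetails in {f['regions']}; follow-on {f['follow_on']}")
```

Tune `window_seconds` and `min_regions` to the account's normal SES footprint; a legitimate deployment rarely touches more than a couple of regions within a minute.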

Written By
Vanessa Ray
