In a recent development, cybercriminals have been found exploiting Amazon’s Simple Email Service (SES) to conduct large-scale phishing campaigns, dispatching over 50,000 malicious emails each day. This marks a significant shift in the misuse of cloud services, turning AWS’s legitimate bulk email platform into a tool for credential theft and financial fraud.
Initial Compromise and Credential Acquisition
The attack begins with adversaries obtaining AWS access keys through various means, such as accidental public exposure in code repositories, misconfigured cloud assets, or theft from developer workstations. Once these credentials are in hand, attackers probe the environment with GetCallerIdentity requests to assess the permissions available to them, paying particular attention to accounts whose SES-related naming conventions suggest email service access.
Multi-Regional Exploitation and Bypassing SES Restrictions
Researchers at Wiz.io identified this campaign in May 2025 after detecting unusual patterns in AWS API activity across multiple regions. The attackers demonstrated remarkable sophistication by implementing a multi-regional approach, simultaneously issuing PutAccountDetails requests across all AWS regions within seconds. This technique allows them to escape SES’s default sandbox restrictions, which typically limit users to sending 200 emails per day, thereby unlocking production mode capabilities.
Phishing Tactics and Infrastructure
The phishing campaign targets victims with convincing tax-related content, employing subject lines such as "Your 2024 Tax Form(s) Are Now Ready to View and Print" to maximize engagement rates. These messages redirect users to credential harvesting sites hosted at domains like irss.securesusa.com, utilizing commercial traffic analysis services to obfuscate malicious infrastructure and evade traditional security scanners.
Technical Infrastructure and Evasion Mechanisms
The attackers establish their email infrastructure through systematic domain verification using the CreateEmailIdentity API. They register both attacker-controlled domains, including managed7.com, street7news.org, and docfilessa.com, and legitimate domains with weak DMARC configurations that facilitate email spoofing. Each verified domain supports multiple email addresses using standard prefixes like admin@, billing@, and noreply@ so that messages appear legitimate in recipient inboxes.
The campaign’s technical sophistication extends to automated privilege escalation attempts. When standard production quotas proved insufficient, attackers programmatically created support tickets through the CreateCase API and attempted to establish IAM policies named ses-support-policy to gain enhanced permissions. Although these elevation attempts failed due to insufficient privileges, the 50,000-email daily quota remained adequate for their operational requirements.
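The two behaviors singled out above, the near-simultaneous PutAccountDetails requests across many regions and the CreateCase / ses-support-policy escalation attempts, can be turned into simple detections over CloudTrail records. The following is an added example written for this article, not code from Wiz or AWS; the sample events, the access key IDs and the thresholds (three regions within sixty seconds) are constructed assumptions, and the records are flattened rather than using CloudTrail's nested userIdentity structure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real telemetry). Real CloudTrail nests
# accessKeyId under userIdentity; it is flattened here for brevity.
K1, K2 = "AKIAEXAMPLE0001", "AKIAEXAMPLE0002"
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-10T12:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1", "accessKeyId": K1},
    {"eventTime": "2025-05-10T12:00:02Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails", "awsRegion": "us-east-1", "accessKeyId": K1},
    {"eventTime": "2025-05-10T12:00:03Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails", "awsRegion": "eu-west-1", "accessKeyId": K1},
    {"eventTime": "2025-05-10T12:00:04Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails", "awsRegion": "ap-southeast-1", "accessKeyId": K1},
    {"eventTime": "2025-05-10T12:05:00Z", "eventSource": "support.amazonaws.com", "eventName": "CreateCase", "awsRegion": "us-east-1", "accessKeyId": K1},
    {"eventTime": "2025-05-10T12:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy", "awsRegion": "us-east-1", "accessKeyId": K1,
     "requestParameters": {"policyName": "ses-support-policy"}},
    # One production-access request from a single region: ordinary onboarding, not flagged.
    {"eventTime": "2025-05-10T13:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails", "awsRegion": "us-east-1", "accessKeyId": K2},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_multiregion_burst(events, event_name="PutAccountDetails",
                             min_regions=3, window=timedelta(seconds=60)):
    """Access keys that issued event_name in >= min_regions distinct regions within one window."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventName"] == event_name:
            by_key[e["accessKeyId"]].append((_ts(e["eventTime"]), e["awsRegion"]))
    flagged = set()
    for key, calls in by_key.items():
        calls.sort()  # sliding window over time-ordered calls
        for i, (t0, _) in enumerate(calls):
            regions = {r for t, r in calls[i:] if t - t0 <= window}
            if len(regions) >= min_regions:
                flagged.add(key)
                break
    return flagged

def detect_escalation_attempts(events):
    """(accessKeyId, reason) pairs for support-case creation and the IAM policy name seen in the campaign."""
    hits = []
    for e in events:
        if e["eventSource"] == "support.amazonaws.com" and e["eventName"] == "CreateCase":
            hits.append((e["accessKeyId"], "CreateCase"))
        elif (e["eventName"] == "CreatePolicy"
              and e.get("requestParameters", {}).get("policyName") == "ses-support-policy"):
            hits.append((e["accessKeyId"], "CreatePolicy:ses-support-policy"))
    return hits
```

A single-region PutAccountDetails call is routine onboarding and is deliberately not flagged; the burst rule only fires when one key requests production access in several regions within the window.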
Implications and Recommendations
This SES abuse campaign demonstrates how cloud services designed for legitimate business purposes can be weaponized at scale. It highlights the critical need for enhanced monitoring of dormant access keys and unusual cross-regional API activity patterns in cloud environments.
Organizations are advised to implement strict IAM policies following the principle of least privilege and enable comprehensive logging of SES activities to mitigate this emerging threat vector. Additionally, deploying email security solutions capable of detecting domain spoofing and inspecting embedded links for redirect chains can help prevent such phishing attacks.