Wiz Research analyzed a May 2025 campaign in which an attacker used compromised AWS access keys to move an Amazon SES account from sandbox to production and then ran a phishing operation that sent from verified domains and redirected victims to credential-theft sites. The report highlights novel techniques such as multi-regional PutAccountDetails requests and programmatic CreateCase usage, and it includes IOCs such as the sending domains and the phishing redirect host. #AmazonSES #PutAccountDetails
Keypoints
- The attacker began with compromised AWS access keys and called GetCallerIdentity, which confirmed the key was live and revealed an identity whose name contained "ses-", before probing the SES configuration.
- Rapid reconnaissance included GetSendQuota and GetAccount calls to determine sandbox status and email quotas.
- Novel multi-regional bursts of PutAccountDetails requests were used to request production mode, suggesting automation and an attempt to bypass region-level controls.
- The attacker verified multiple domains (both attacker-owned and weakly protected legitimate domains) and created common sender addresses to support phishing.
- An attempt to further raise send quotas via the CreateCase API and to attach an IAM policy programmatically failed due to insufficient permissions, but production quota sufficed for the campaign.
- Phishing emails referenced 2024 tax forms and redirected victims to a credential theft site (irss[.]securesusa[.]com) hidden behind a commercial traffic analysis redirect.
- Wiz added detections for these behaviors and recommends monitoring for key signals like dormant key activation, spikes in SES API activity, and rapid domain/email identity creation.
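Detection logic for the signals the key points call out (dormant key activation, multi-region PutAccountDetails bursts, rapid domain/email identity creation, and CreateCase issued through the Support API rather than the console), as an added example that is not code from the Wiz report. It runs over constructed CloudTrail-style records flattened to the fields it uses (accessKeyId lifted to the top level); the thresholds, the AWS documentation placeholder key ids, and the user-agent heuristic for console calls are assumptions, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDENTITY_EVENTS = {"VerifyDomainIdentity", "CreateEmailIdentity", "VerifyEmailIdentity"}


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _by_key(events):
    """Group records by access key id; each group sorted by eventTime."""
    groups = defaultdict(list)
    for e in events:
        groups[e["accessKeyId"]].append(e)
    return {k: sorted(v, key=_ts) for k, v in groups.items()}


def multi_region_put_account_details(events, min_regions=3, window=timedelta(minutes=10)):
    """Keys that request SES production mode in >= min_regions regions within `window`."""
    hits = {}
    for key, evs in _by_key(events).items():
        puts = [e for e in evs if e["eventName"] == "PutAccountDetails"]
        for i, first in enumerate(puts):
            regions = {e["awsRegion"] for e in puts[i:] if _ts(e) - _ts(first) <= window}
            if len(regions) >= min_regions:
                hits[key] = sorted(regions)
                break
    return hits


def rapid_identity_creation(events, min_count=4, window=timedelta(minutes=15)):
    """Keys that add >= min_count domain/email identities within `window`."""
    hits = {}
    for key, evs in _by_key(events).items():
        adds = [e for e in evs if e["eventName"] in IDENTITY_EVENTS]
        for i, first in enumerate(adds):
            run = [e for e in adds[i:] if _ts(e) - _ts(first) <= window]
            if len(run) >= min_count:
                p = [e["requestParameters"] for e in run]
                hits[key] = [x.get("domain") or x.get("emailIdentity") for x in p]
                break
    return hits


def programmatic_create_case(events):
    """Keys opening Support cases via the API; console calls are assumed to carry a console UA."""
    return sorted({e["accessKeyId"] for e in events
                   if e["eventSource"] == "support.amazonaws.com"
                   and e["eventName"] == "CreateCase"
                   and "console.amazonaws.com" not in e["userAgent"]})


def dormant_key_activation(events, last_seen, dormant=timedelta(days=30)):
    """Keys whose first event in this batch follows >= `dormant` of silence.
    last_seen maps key -> timestamp of the key's last previously observed use."""
    hits = {}
    for key, evs in _by_key(events).items():
        if key in last_seen:
            gap = _ts(evs[0]) - datetime.strptime(last_seen[key], "%Y-%m-%dT%H:%M:%SZ")
            if gap >= dormant:
                hits[key] = gap.days
    return hits


def _ev(t, name, source, region, key, ua="aws-cli/2.15.0", **params):
    return {"eventTime": t, "eventName": name, "eventSource": source, "awsRegion": region,
            "accessKeyId": key, "userAgent": ua, "requestParameters": params}


ATTACKER = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key ids (assumption)
BENIGN = "AKIAI44QH8DHBEXAMPLE"
SES, STS, SUPPORT = "ses.amazonaws.com", "sts.amazonaws.com", "support.amazonaws.com"

# Constructed sample batch mirroring the reported sequence; not real telemetry.
SAMPLE_EVENTS = [
    _ev("2025-05-12T10:00:00Z", "GetCallerIdentity", STS, "us-east-1", ATTACKER),
    _ev("2025-05-12T10:00:20Z", "GetSendQuota", SES, "us-east-1", ATTACKER),
    _ev("2025-05-12T10:00:25Z", "GetAccount", SES, "us-east-1", ATTACKER),
    _ev("2025-05-12T10:01:00Z", "PutAccountDetails", SES, "us-east-1", ATTACKER),
    _ev("2025-05-12T10:01:02Z", "PutAccountDetails", SES, "us-east-2", ATTACKER),
    _ev("2025-05-12T10:01:04Z", "PutAccountDetails", SES, "us-west-2", ATTACKER),
    _ev("2025-05-12T10:01:06Z", "PutAccountDetails", SES, "eu-west-1", ATTACKER),
    _ev("2025-05-12T10:05:00Z", "VerifyDomainIdentity", SES, "us-east-1", ATTACKER, domain="managed7.com"),
    _ev("2025-05-12T10:05:30Z", "VerifyDomainIdentity", SES, "us-east-1", ATTACKER, domain="street7news.org"),
    _ev("2025-05-12T10:06:00Z", "VerifyDomainIdentity", SES, "us-east-1", ATTACKER, domain="street7market.net"),
    _ev("2025-05-12T10:06:30Z", "VerifyDomainIdentity", SES, "us-east-1", ATTACKER, domain="docfilessa.com"),
    _ev("2025-05-12T10:10:00Z", "CreateCase", SUPPORT, "us-east-1", ATTACKER),
    _ev("2025-05-12T09:00:00Z", "PutAccountDetails", SES, "us-east-1", BENIGN, ua="console.amazonaws.com"),
    _ev("2025-05-12T09:30:00Z", "CreateCase", SUPPORT, "us-east-1", BENIGN, ua="console.amazonaws.com"),
]
SAMPLE_LAST_SEEN = {ATTACKER: "2025-03-01T00:00:00Z", BENIGN: "2025-05-11T09:00:00Z"}


def run_all(events=SAMPLE_EVENTS, last_seen=SAMPLE_LAST_SEEN):
    return {
        "multi_region_put_account_details": multi_region_put_account_details(events),
        "rapid_identity_creation": rapid_identity_creation(events),
        "programmatic_create_case": programmatic_create_case(events),
        "dormant_key_activation": dormant_key_activation(events, last_seen),
    }


if __name__ == "__main__":
    for name, hit in run_all().items():
        print(f"{name}: {hit}")
```

Each detector is keyed on the access key so that the four signals can be correlated per principal; a key that trips more than one of them in the same batch is the case the report describes. The console user-agent check is the weakest part: tune it against your own CloudTrail before relying on it.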
MITRE Techniques
- [T1078.004] Valid Accounts: Cloud Accounts – Used GetCallerIdentity to confirm the compromised key and reveal SES-related naming (“…the access key had ‘ses-‘ embedded in its name…”).
- [T1526] Cloud Service Discovery – Issued GetSendQuota and GetAccount calls to enumerate SES configuration and determine whether the account was restricted to sandbox limits (“…reveal the current state of the SES configuration and whether the account was still restricted to sandbox limits”).
- [T1098] Account Manipulation – Performed a burst of PutAccountDetails requests across all AWS regions to request production mode and attempted CreateCase to raise quotas programmatically (“…a burst of PutAccountDetails requests that fanned out across all AWS regions” and “tried to open a support ticket programmatically through the CreateCase API”).
- [T1098.003] Account Manipulation: Additional Cloud Roles – Attempted to create an IAM policy named ses-support-policy and attach it to the compromised IAM user; the attempt failed for lack of permissions (“…attempted to escalate their privileges by creating an IAM policy named ses-support-policy and attaching it to the compromised IAM user”).
- [T1583.001] Acquire Infrastructure: Domains / [T1584.001] Compromise Infrastructure: Domains – Added and verified multiple domains as SES identities to support phishing; the attacker-owned domains fall under T1583.001 and the weakly protected legitimate domains under T1584.001 (“…adding multiple domains as verified identities … The ones owned by the attackers were: managed7.com, street7news.org, street7market.net, docfilessa.com”).
- [T1585.002] Establish Accounts: Email Accounts – Created email addresses on the verified domains using common prefixes such as admin@, billing@, sales@ and noreply@ to serve as sending addresses for the phishing campaign (“…created email addresses tied to these domains, using common prefixes such as: admin@ billing@ sales@ noreply@”).
Indicators of Compromise
- [Domain] Attacker-owned sending domains used in the campaign – managed7.com, street7news.org, street7market.net, docfilessa.com.
- [Domain] Credential-theft host – irss[.]securesusa[.]com (credential-theft site reached through a commercial traffic-analysis redirect).
- [API Activity] Suspicious SES and Support API usage – bursts of PutAccountDetails across regions and programmatic CreateCase calls; these are behavioral IOCs rather than network artifacts.
- [Email Addresses] Sender identities used in phishing – common prefixes such as admin@, billing@, sales@ and noreply@ at the verified domains.
Read more: https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign