From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

Sept. 5, 2025, 8:47 a.m.

Description

A compromised AWS access key led to a sophisticated Amazon SES abuse campaign in May 2025. The attacker used the stolen key to bypass SES restrictions, verify new sender identities, and run a large-scale phishing operation. To escape the SES sandbox, they issued PutAccountDetails requests across multiple regions, a technique not previously seen in SES abuse. They then created multiple email identities using both attacker-owned domains and legitimate domains with weak DMARC protections. The resulting phishing campaign targeted a range of organizations with tax-themed lures designed to steal credentials. The incident underscores the need to monitor cloud service usage, particularly for services such as SES that attackers can monetize directly.
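As an added detection example (not part of this record), the following Python checks CloudTrail events for one access key issuing SES PutAccountDetails calls in several regions within a short window, and lists the identities that key submitted for verification. The sample events are constructed; the requestParameters field names (emailAddress, domain, emailIdentity) are assumed to match what CloudTrail logs for the SES v1/v2 identity calls.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail events (not from the incident), trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-10T09:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-05-10T09:05:00Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "eu-west-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-05-10T10:30:00Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "ap-southeast-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-05-10T11:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "VerifyEmailIdentity",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"emailAddress": "billing@example.com"}},
    {"eventTime": "2025-05-10T11:02:00Z", "eventSource": "ses.amazonaws.com", "eventName": "CreateEmailIdentity",
     "awsRegion": "eu-west-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"emailIdentity": "example.org"}},
    # A single-region production-access request from another key: normal behaviour, should not be flagged.
    {"eventTime": "2025-05-10T12:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
]

# Assumed SES identity-verification API names (v1 and v2).
SES_IDENTITY_CALLS = {"VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity"}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_sandbox_escape_attempts(events, min_regions=2, window=timedelta(hours=24)):
    """Map access key -> sorted regions for keys calling PutAccountDetails in >= min_regions regions within window."""
    calls = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "ses.amazonaws.com" and ev.get("eventName") == "PutAccountDetails":
            key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
            calls[key].append((parse_time(ev["eventTime"]), ev["awsRegion"]))
    findings = {}
    for key, items in calls.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide the window from each call
            regions = {r for t, r in items[i:] if t - t0 <= window}
            if len(regions) >= min_regions:
                findings[key] = sorted(regions)
                break
    return findings

def identity_verifications(events):
    """Map access key -> sorted list of email addresses/domains it submitted for SES verification."""
    out = defaultdict(set)
    for ev in events:
        if ev.get("eventSource") == "ses.amazonaws.com" and ev.get("eventName") in SES_IDENTITY_CALLS:
            key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
            p = ev.get("requestParameters") or {}
            ident = p.get("emailAddress") or p.get("domain") or p.get("emailIdentity")
            if ident:
                out[key].add(ident)
    return {k: sorted(v) for k, v in out.items()}
```

Running both functions over the same log lets an analyst correlate a multi-region sandbox-escape attempt with the sender identities that key registered afterwards.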

Date

  • Created: Sept. 4, 2025, 11:40 p.m.
  • Published: Sept. 4, 2025, 11:40 p.m.
  • Modified: Sept. 5, 2025, 8:47 a.m.

Indicators

  • street7news.org
  • managed7.com
  • street7market.net
  • docfilessa.com

Attack Patterns