
From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

Severity: Medium
Published: Thu Sep 04 2025 (09/04/2025, 23:40:56 UTC)
Source: AlienVault OTX General

Description

An AWS access key compromise led to a sophisticated SES abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES sandbox, a novel technique in SES abuse. The campaign involved creating multiple email identities using attacker-owned and legitimate domains with weak DMARC protections. The subsequent phishing campaign targeted various organizations, using tax-related lures to steal credentials. This incident highlights the importance of monitoring cloud service usage, especially for services like SES that can be exploited for monetization.

AI-Powered Analysis

Last updated: 09/05/2025, 08:24:29 UTC

Technical Analysis

In May 2025, a sophisticated phishing campaign was uncovered that leveraged a compromised AWS access key to abuse the Amazon Simple Email Service (SES). The attacker exploited the stolen key to bypass SES restrictions, enabling them to verify new sender identities and send large volumes of phishing emails. A novel technique was employed involving multi-regional PutAccountDetails API requests, which allowed the attacker to escape the SES sandbox environment, a security control designed to limit new SES accounts' sending capabilities. By escaping this sandbox, the attacker could send emails at scale without immediate detection or throttling.

The campaign involved creating multiple email identities using both attacker-owned domains and legitimate domains that had weak or misconfigured DMARC (Domain-based Message Authentication, Reporting & Conformance) policies. This weakness allowed the phishing emails to appear more credible and evade some email authentication checks. The phishing lures primarily focused on tax-related themes, aiming to steal credentials from targeted organizations.

This incident highlights the critical risk posed by compromised cloud credentials, especially for services like SES that can be monetized by attackers to conduct large-scale phishing operations. The abuse of SES in this manner demonstrates how cloud service features and APIs can be manipulated to bypass traditional security controls. The campaign also underscores the importance of monitoring cloud service usage patterns, enforcing strict identity and access management (IAM) policies, and ensuring robust email authentication configurations such as DMARC, SPF, and DKIM to reduce the risk of domain spoofing and phishing. Indicators of compromise include domains such as docfilessa.com, managed7.com, street7market.net, and street7news.org, which were used as sender identities in the phishing campaign. Although no known exploits in the wild or specific threat actors have been identified, the campaign's medium severity rating reflects the significant potential for credential theft and organizational impact.
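The weak DMARC configurations that let mail from legitimate domains look credible are something a domain owner can check directly. The evaluator below is an added example, not part of the original analysis or the Wiz report; it classifies an already fetched _dmarc.<domain> TXT string offline (no DNS query is made) and lists why a policy is weak. The sample records at the end are constructed.

```python
"""Classify a DMARC TXT record as missing, weak, partial or enforcing.

Added example, not from the original analysis. Input is the TXT record string
published at _dmarc.<domain>; fetching it is left to the caller.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (verdict, reasons).

    verdict is one of 'missing', 'weak', 'partial', 'enforcing':
      missing   - no record, or one receivers will not honour
      weak      - p=none: failing mail is delivered and only reported
      partial   - quarantine/reject, but pct<100 or subdomains left at sp=none
      enforcing - quarantine or reject applied to all mail and all subdomains
    """
    if not txt:
        return "missing", ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["record does not start with v=DMARC1; receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing", ["missing or invalid p= tag; record is not enforceable"]

    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # invalid pct: receivers fall back to the default of 100

    reasons = []
    if policy == "none":
        reasons.append("p=none: spoofed mail is delivered, only reported")
    if policy != "none" and subdomain_policy == "none":
        reasons.append("sp=none: subdomains can be spoofed despite the organisational policy")
    if pct < 100:
        reasons.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports that would reveal abuse are not collected")

    if policy == "none":
        verdict = "weak"
    elif pct < 100 or subdomain_policy == "none":
        verdict = "partial"
    else:
        verdict = "enforcing"
    return verdict, reasons


# Constructed sample records, one per verdict class.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "staged": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "absent": "",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        verdict, reasons = assess_dmarc(record)
        print(f"{label:14} {verdict:10} {'; '.join(reasons)}")
```

A record that evaluates to "weak" or "partial" is the kind of configuration the analysis describes: the domain's own mail is still delivered, and so is a forged message sent through a third party's SES identity.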

Potential Impact

For European organizations, this threat poses a substantial risk to both confidentiality and operational integrity. The phishing campaign's focus on tax-related lures is particularly relevant in Europe, where tax compliance and reporting are critical and often complex. Successful credential theft could lead to unauthorized access to sensitive financial and personal data, resulting in data breaches, financial fraud, and reputational damage. The abuse of SES to send phishing emails from seemingly legitimate domains can undermine trust in corporate communications and increase the likelihood of successful social engineering attacks. Moreover, the use of compromised AWS keys highlights the risk of cloud infrastructure abuse, which can lead to indirect costs such as increased cloud service charges, blacklisting of legitimate domains, and disruption of email communications. European organizations relying heavily on AWS SES for transactional or marketing emails may face challenges in detecting and mitigating such abuse promptly. The campaign also raises concerns about the security posture of organizations' cloud credentials and the effectiveness of their email authentication policies, which are critical for compliance with GDPR and other data protection regulations in Europe.

Mitigation Recommendations

1. Implement strict IAM controls: Enforce least privilege access for AWS credentials, rotate keys regularly, and monitor for unusual API activity, especially for SES-related actions such as PutAccountDetails.
2. Enable multi-factor authentication (MFA) for all AWS accounts and use AWS CloudTrail and AWS Config to monitor and alert on suspicious activities.
3. Harden email authentication: Deploy and enforce strong DMARC policies with quarantine or reject actions, alongside correctly configured SPF and DKIM records, to prevent domain spoofing.
4. Monitor SES usage patterns: Set up anomaly detection for SES sending volumes, new verified identities, and multi-region API calls to detect sandbox escape attempts.
5. Conduct regular phishing awareness training focused on tax-related and financial scams, tailored to the organization's regional context.
6. Use threat intelligence feeds to block or monitor communications involving the identified malicious domains (docfilessa.com, managed7.com, street7market.net, street7news.org).
7. Implement network-level and endpoint protections to detect and block phishing payloads and credential harvesting attempts.
8. Review and audit cloud service configurations periodically to ensure no excessive permissions or misconfigurations exist that could be exploited.
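Recommendations 1, 2 and 4 come down to one CloudTrail query: which access key called PutAccountDetails from more than one region, and how many sender identities did it verify shortly afterwards. The script below is an added example, not code from the Wiz report or the OTX pulse. It assumes CloudTrail records in their standard JSON shape (eventSource, eventName, awsRegion, eventTime, userIdentity.accessKeyId, requestParameters); the parameter names under which a new identity appears, the thresholds, the access key ids and the sample records are all constructed or assumed for illustration.

```python
"""Flag SES sandbox-escape and identity-creation patterns in CloudTrail records.

Added example; not code from the Wiz report or the OTX pulse. Assumes standard
CloudTrail record fields; thresholds and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SES actions of interest. PutAccountDetails (SES v2) is the request for
# production access, i.e. leaving the sandbox; the others verify new senders.
SANDBOX_ESCAPE_ACTIONS = {"PutAccountDetails"}
IDENTITY_ACTIONS = {"CreateEmailIdentity", "VerifyDomainIdentity", "VerifyEmailIdentity"}
# Request parameter names under which the new identity may appear (assumption:
# SES v2 uses EmailIdentity, SES v1 uses domain / emailAddress).
IDENTITY_PARAMS = ("EmailIdentity", "emailIdentity", "domain", "emailAddress")

# Detection thresholds (assumptions; tune per environment).
MIN_REGIONS = 2          # PutAccountDetails from this many regions or more
MAX_NEW_IDENTITIES = 3   # more new identities than this inside WINDOW
WINDOW = timedelta(hours=24)


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _identity_of(record):
    params = record.get("requestParameters") or {}
    for name in IDENTITY_PARAMS:
        if name in params:
            return params[name]
    return None


def analyze_ses_events(records):
    """Group SES CloudTrail events by access key and return the suspicious keys.

    A key is reported when PutAccountDetails was issued from MIN_REGIONS or more
    regions, or when more than MAX_NEW_IDENTITIES sender identities were
    verified within WINDOW of that key's first SES event.
    """
    by_key = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "ses.amazonaws.com":
            by_key[r.get("userIdentity", {}).get("accessKeyId", "unknown")].append(r)

    findings = {}
    for key, events in by_key.items():
        events.sort(key=_ts)
        start = _ts(events[0])
        regions = sorted({e["awsRegion"] for e in events if e["eventName"] in SANDBOX_ESCAPE_ACTIONS})
        identities = [
            _identity_of(e) for e in events
            if e["eventName"] in IDENTITY_ACTIONS and _ts(e) - start <= WINDOW
        ]
        reasons = []
        if len(regions) >= MIN_REGIONS:
            reasons.append(f"PutAccountDetails from {len(regions)} regions: {', '.join(regions)}")
        if len(identities) > MAX_NEW_IDENTITIES:
            reasons.append(f"{len(identities)} new sender identities within {WINDOW}")
        if reasons:
            findings[key] = {"regions": regions, "identities": identities, "reasons": reasons}
    return findings


def _rec(t, name, region, key, **params):
    """Build a minimal constructed CloudTrail record."""
    return {"eventTime": t, "eventSource": "ses.amazonaws.com", "eventName": name,
            "awsRegion": region, "userIdentity": {"accessKeyId": key},
            "requestParameters": params}


# Constructed sample: one key leaving the sandbox in three regions and verifying
# the four domains listed as IoCs, and one key doing ordinary single-region setup.
STOLEN = "AKIA_CONSTRUCTED_STOLEN"
BENIGN = "AKIA_CONSTRUCTED_BENIGN"
SAMPLE_RECORDS = [
    _rec("2025-05-10T01:00:00Z", "PutAccountDetails", "us-east-1", STOLEN, MailType="TRANSACTIONAL"),
    _rec("2025-05-10T01:04:00Z", "PutAccountDetails", "eu-west-1", STOLEN, MailType="TRANSACTIONAL"),
    _rec("2025-05-10T01:09:00Z", "PutAccountDetails", "ap-southeast-1", STOLEN, MailType="TRANSACTIONAL"),
    _rec("2025-05-10T01:15:00Z", "CreateEmailIdentity", "us-east-1", STOLEN, EmailIdentity="docfilessa.com"),
    _rec("2025-05-10T01:16:00Z", "CreateEmailIdentity", "us-east-1", STOLEN, EmailIdentity="managed7.com"),
    _rec("2025-05-10T01:17:00Z", "CreateEmailIdentity", "eu-west-1", STOLEN, EmailIdentity="street7market.net"),
    _rec("2025-05-10T01:18:00Z", "VerifyDomainIdentity", "eu-west-1", STOLEN, domain="street7news.org"),
    _rec("2025-05-10T09:00:00Z", "PutAccountDetails", "us-east-1", BENIGN, MailType="TRANSACTIONAL"),
    _rec("2025-05-10T09:30:00Z", "CreateEmailIdentity", "us-east-1", BENIGN, EmailIdentity="mail.example.org"),
]

if __name__ == "__main__":
    for key, finding in analyze_ses_events(SAMPLE_RECORDS).items():
        print(key, "->", "; ".join(finding["reasons"]))
```

Run against real data by feeding it the records from a CloudTrail lookup or an exported trail; grouping by access key rather than by IAM principal is deliberate, because a stolen key is the unit the attacker works with and is what rotation revokes.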


Technical Details

Author: AlienVault
TLP: white
References: https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign
Adversary: none
Pulse Id: 68ba2388d5fc0ba4d6317ac6
Threat Score: none

Indicators of Compromise

Domain

domain: docfilessa.com
domain: managed7.com
domain: street7market.net
domain: street7news.org

Threat ID: 68ba9e275dfe45ba5d8cf008

Added to database: 9/5/2025, 8:24:07 AM

Last enriched: 9/5/2025, 8:24:29 AM

Last updated: 9/5/2025, 2:01:39 PM

Views: 6
