Cybercriminals Weaponize Amazon SES, Launching 50,000+ Malicious Emails Every Day

Cybersecurity researchers at Wiz have uncovered a sophisticated phishing campaign that exploited Amazon’s Simple Email Service (SES) to launch massive-scale attacks, demonstrating how compromised cloud credentials can be weaponized to bypass traditional email security defenses.

The attack, identified in May 2025, began with stolen AWS access keys, a common attack vector; Wiz reports seeing “tens of newly compromised cloud access keys each month.”

However, what made this campaign particularly dangerous was the attacker’s methodical approach to escalating their email sending capabilities from Amazon’s restricted “sandbox” mode to unrestricted production access.

From Sandbox to Production: A Technical Breakdown

Amazon SES operates under strict default limitations, restricting new accounts to sending just 200 emails per day to verified addresses only.

The attacker, after confirming through reconnaissance calls that the stolen credentials had SES permissions, launched an automated assault across all AWS regions using rapid-fire PutAccountDetails requests, a previously undocumented multi-regional technique.

“Within a span of just ten seconds, we observed a burst of PutAccountDetails requests that fanned out across all AWS regions,” the Wiz research team noted. This automation successfully convinced AWS support to approve the account for production mode, removing sending restrictions and increasing the daily quota to 50,000 emails.

The attacker’s justification was deceptively mundane: a generic construction company explanation that appeared legitimate enough to pass AWS’s review process.

When attempts to further increase limits through programmatic support tickets failed due to insufficient permissions, the threat actor proceeded with the substantial 50,000-email capacity.

Infrastructure and Impact

The campaign established a sophisticated phishing infrastructure using both attacker-controlled domains (managed7.com, street7news.org, street7market.net, docfilessa.com) and legitimate domains with weak DMARC protections.

Email addresses were created using common business prefixes like admin@, billing@, and sales@, lending credibility to the malicious messages.

The phishing campaign targeted multiple organizations with tax-themed lures, using subjects like “Your 2024 Tax Form(s) Are Now Ready to View and Print” to redirect victims to credential theft sites. The attackers employed commercial traffic analysis services to both evade security scanners and monitor victim engagement rates.

This attack highlights critical vulnerabilities in cloud security practices. Beyond the immediate phishing threat, SES abuse creates significant risks, including reputational damage and operational disruption from abuse complaints, and it serves as an indicator of broader AWS credential compromise.

Organizations can defend against such attacks by implementing Service Control Policies to block unused SES access, regularly rotating IAM keys, enforcing least-privilege principles, and monitoring CloudTrail logs for suspicious API activity, including multi-regional PutAccountDetails requests and unusual sender identity additions.
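
The multi-regional PutAccountDetails monitoring described above can be sketched as follows. This is an added example, not code from Wiz, AWS or this article: it reads the standard CloudTrail record fields `eventName`, `eventTime`, `awsRegion` and `userIdentity.accessKeyId`, while the three-region threshold, the helper names and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # burst length quoted in the article
MIN_REGIONS = 3                 # assumed alert threshold, tune per environment

def parse_time(ts):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2025-05-01T12:00:03Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_multiregion_bursts(events, window=WINDOW, min_regions=MIN_REGIONS):
    """Return {access key id: regions} for keys that fan out within one window."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventName") != "PutAccountDetails":
            continue
        key = e.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key[key].append((parse_time(e["eventTime"]), e["awsRegion"]))
    findings = {}
    for key, calls in by_key.items():
        calls.sort()
        start, flagged = 0, set()
        for end in range(len(calls)):
            # Advance the left edge until the span fits inside the window.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            regions = {region for _, region in calls[start:end + 1]}
            if len(regions) >= min_regions:
                flagged |= regions
        if flagged:
            findings[key] = sorted(flagged)
    return findings

def _ev(name, key, region, ts):
    # Builds a constructed record with only the CloudTrail fields used above.
    return {"eventName": name, "awsRegion": region, "eventTime": ts,
            "userIdentity": {"accessKeyId": key}}

# Constructed sample data: key ids, regions and timestamps are illustrative.
SAMPLE_EVENTS = [
    _ev("GetSendQuota", "AKIAEXAMPLE0000BURST", "us-east-1", "2025-05-01T12:00:00Z"),
    _ev("PutAccountDetails", "AKIAEXAMPLE0000BURST", "us-east-1", "2025-05-01T12:00:01Z"),
    _ev("PutAccountDetails", "AKIAEXAMPLE0000BURST", "eu-west-1", "2025-05-01T12:00:03Z"),
    _ev("PutAccountDetails", "AKIAEXAMPLE0000BURST", "ap-south-1", "2025-05-01T12:00:05Z"),
    _ev("PutAccountDetails", "AKIAEXAMPLE0000BURST", "us-west-2", "2025-05-01T12:00:08Z"),
    _ev("PutAccountDetails", "AKIAEXAMPLE0000ADMIN", "us-east-1", "2025-05-01T09:00:00Z"),
    _ev("PutAccountDetails", "AKIAEXAMPLE0000ADMIN", "eu-west-1", "2025-05-02T09:00:00Z"),
]
if __name__ == "__main__":
    print(find_multiregion_bursts(SAMPLE_EVENTS))
```

Grouping by access key rather than by region is what surfaces the fan-out, since each regional trail on its own shows only a single unremarkable call.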

The campaign illustrates how attackers are increasingly utilizing legitimate cloud services to conduct large-scale operations, thereby shifting costs and reputational damage onto their victims.

“As always, we encourage all customers to follow recommended security guidance to secure their accounts and prevent abuse. If anyone suspects that AWS resources are being used for abusive activity, they can report it using the report abuse form.” – AWS Spokesperson told Cyber Press Team.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
