Wednesday, September 10 2025

Hackers Exploit Amazon SES to Send 50K Phishing Emails

Researchers at Wiz discovered a complex phishing campaign using Amazon’s Simple Email Service (SES) for large-scale attacks, showing how hacked cloud credentials can evade standard email security measures.

The attack, identified in May 2025, began with stolen AWS access keys, a common attack vector: Wiz says it observes “tens of newly compromised cloud access keys each month.”

the attacker’s careful strategy to increase their email sending abilities from limited “sandbox” mode to full production access.

From Sandbox to Production: A Technical Breakdown:

Amazon SES has strict rules for new accounts, allowing only 200 emails a day to verified addresses.

The attacker confirmed their stolen credentials had SES permissions and then launched a rapid automated attack across all AWS regions using PutAccountDetails requests. This technique was previously undocumented.

“Within a span of just ten seconds, we observed a burst of PutAccountDetails requests that fanned out across all AWS regions,” the Wiz research team noted. This automation successfully convinced AWS support to approve the account for production mode, removing sending restrictions and increasing the daily quota to 50,000 emails.

The attacker used a seemingly normal explanation from a construction company to successfully pass AWS’s review.

When attempts to raise the limits further via support tickets failed due to permission issues, the threat actor moved ahead with the 50,000-email capacity.

Infrastructure and Impact:

The campaign built a complex phishing infrastructure using both attacker-owned domains (managed7.com, street7news.org, street7market.net, docfilessa.com) and weakly protected legitimate domains.

Email addresses were created using common business prefixes like admin@, billing@, and sales@, lending credibility to the malicious messages.

The phishing campaign targeted various organizations with tax-related emails, such as “Your 2024 Tax Form(s) Are Now Ready to View and Print,” leading victims to credential theft sites. The attackers used commercial traffic analysis to bypass security scanners and track engagement rates.

The attack shows serious weaknesses in cloud security. Besides the phishing risk, SES abuse can lead to reputational harm and operational issues from complaints, and it signals a larger issue of AWS credential theft.

Organizations can protect against attacks by using Service Control Policies to block unused SES access, regularly rotating IAM keys, enforcing least-privilege principles, and monitoring CloudTrail logs for suspicious activities like unusual PutAccountDetails requests and sender identity additions.
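The CloudTrail monitoring described above can be sketched as follows. This is an added example, not code from Wiz or AWS: it flags an access key that issues PutAccountDetails in several regions within a short window and lists sender identity additions. The sample records, the thresholds and the choice of identity event names to watch are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (illustrative, not from the report).
REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-south-1", "sa-east-1"]
SAMPLE = [
    {"eventTime": f"2025-05-01T10:00:0{i}Z", "eventSource": "ses.amazonaws.com",
     "eventName": "PutAccountDetails", "awsRegion": region,
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}}
    for i, region in enumerate(REGIONS)
] + [
    {"eventTime": "2025-05-01T10:05:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "CreateEmailIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    # A single request in one region: should not raise a fan-out alert.
    {"eventTime": "2025-05-01T09:00:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "PutAccountDetails", "awsRegion": "eu-west-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
]

# Assumption: SES API calls that add a sender identity.
IDENTITY_EVENTS = {"CreateEmailIdentity", "VerifyEmailIdentity", "VerifyDomainIdentity"}

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect(records, window_s=10, min_regions=3):
    """Return (fanout_alerts, identity_additions) for SES events."""
    by_key = defaultdict(list)
    identity = []
    for rec in records:
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue
        key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        if rec["eventName"] == "PutAccountDetails":
            by_key[key].append((parse_time(rec["eventTime"]), rec["awsRegion"]))
        elif rec["eventName"] in IDENTITY_EVENTS:
            identity.append((key, rec["eventName"], rec["awsRegion"]))
    fanout = []
    window = timedelta(seconds=window_s)
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct regions touched by this key inside the sliding window.
            regions = {reg for t, reg in events[i:] if t - start <= window}
            if len(regions) >= min_regions:
                fanout.append({"accessKeyId": key, "start": start.isoformat(),
                               "regions": sorted(regions)})
                break
    return fanout, identity
```

In an account that does not use SES at all, any hit from either list is worth triaging, since the key should have had no reason to call the service.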

The campaign shows that attackers are using legitimate cloud services for large operations, shifting costs and damage to their victims.
