
Cybercriminals Exploit Amazon Simple Email Service to Dispatch Over 50,000 Malicious Emails Daily

A sophisticated cybercriminal campaign has emerged, exploiting Amazon’s Simple Email Service (SES) to conduct large-scale phishing operations capable of delivering over 50,000 malicious emails daily. This attack signifies a notable evolution in cloud service abuse, transforming AWS’s legitimate bulk email platform into a tool for credential theft and financial fraud. The campaign begins with compromised AWS access keys, which are obtained through common attack vectors such as accidental public exposure in code repositories, misconfigured cloud assets, or theft from developer workstations. Once adversaries hold these credentials, they probe the environment using GetCallerIdentity requests to assess available permissions, specifically targeting accounts whose SES-related naming conventions indicate email service access. Researchers from Wiz.io identified this May 2025 campaign after detecting unusual patterns in AWS API activity across multiple regions.

The attackers exhibit remarkable sophistication by implementing a multi-regional approach, simultaneously issuing PutAccountDetails requests across all AWS regions within seconds to evade SES’s default “sandbox” restrictions. This previously undocumented technique allows threat actors to bypass the standard 200-email daily limit and unlock production mode capabilities. The phishing infrastructure targets victims with convincing tax-related content, employing subject lines such as “Your 2024 Tax Form(s) Are Now Ready to View and Print” to maximise engagement rates. These messages redirect users to credential harvesting sites hosted at domains like irss.securesusa.com, utilising commercial traffic analysis services to obfuscate malicious infrastructure and evade traditional security scanners. The attackers establish their email infrastructure through systematic domain verification using the CreateEmailIdentity API, registering both attacker-controlled domains and legitimate domains with weak DMARC configurations that facilitate email spoofing. 
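A detection for the multi-region sandbox-escape pattern described above, written as an added example (not code from the Wiz.io report or from this post): it scans CloudTrail-style events for a single principal issuing SES PutAccountDetails in many regions within a short window. The log lines, the principal ARNs and the account number are constructed; the field names follow the real CloudTrail record schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "eu-central-1", "ap-southeast-1", "sa-east-1"]
ATTACKER = "arn:aws:iam::123456789012:user/ses-smtp-prod"  # constructed principal
ADMIN = "arn:aws:iam::123456789012:user/ops-admin"          # constructed principal


def _event(t, name, region, arn, source="ses.amazonaws.com"):
    """Build one constructed CloudTrail-style record as a JSON log line."""
    return json.dumps({"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source,
                       "eventName": name, "awsRegion": region, "userIdentity": {"arn": arn}})


_t0 = datetime(2025, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample log: the attacker probes with GetCallerIdentity, then issues
# PutAccountDetails to every region within six seconds and verifies a sending domain;
# a legitimate admin touches a single region a day later and must not be flagged.
SAMPLE_LOG = [_event(_t0 - timedelta(minutes=1), "GetCallerIdentity", "us-east-1", ATTACKER, "sts.amazonaws.com")]
SAMPLE_LOG += [_event(_t0 + timedelta(seconds=i), "PutAccountDetails", r, ATTACKER) for i, r in enumerate(REGIONS)]
SAMPLE_LOG += [_event(_t0 + timedelta(seconds=9), "CreateEmailIdentity", "us-east-1", ATTACKER)]
SAMPLE_LOG += [_event(_t0 + timedelta(days=1), "PutAccountDetails", "us-east-1", ADMIN)]


def detect_sandbox_escape(log_lines, min_regions=3, window_seconds=60):
    """Return {principal_arn: sorted regions} for every principal that issued SES
    PutAccountDetails in at least min_regions distinct regions within window_seconds."""
    by_principal = defaultdict(list)
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "ses.amazonaws.com" or ev.get("eventName") != "PutAccountDetails":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_principal[ev["userIdentity"]["arn"]].append((ts, ev["awsRegion"]))
    hits = {}
    for arn, calls in by_principal.items():
        calls.sort()
        # Slide a time window over the principal's calls and count distinct regions inside it.
        for i, (start, _) in enumerate(calls):
            regions = {r for ts, r in calls[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(regions) >= min_regions:
                hits[arn] = sorted(regions)
                break
    return hits


if __name__ == "__main__":
    print(detect_sandbox_escape(SAMPLE_LOG))
```

Pair the hit with any CreateEmailIdentity calls from the same principal shortly afterwards to confirm the full sequence the post describes.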

Categories: Cybercrime, Cloud Service Abuse, Phishing Operations 

Tags: Cybercriminal, Phishing, Amazon SES, Credential Theft, AWS Access Keys, Cloud Service Abuse, Email Spoofing, Multi-Regional Approach, Domain Verification, Privilege Escalation 
