{
  "name": "From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover",
  "slug": "from-compromised-keys-to-phishing-campaigns-inside-a-cloud-email-service-takeover",
  "description": "An AWS access key compromise led to a sophisticated Amazon Simple Email Service (SES) abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES sandbox, a novel technique in SES abuse. The campaign involved creating multiple email identities using attacker-owned and legitimate domains with weak DMARC protections. The subsequent phishing campaign targeted various organizations, using tax-related lures to steal credentials. This incident highlights the importance of monitoring cloud service usage (for example, unexpected PutAccountDetails requests across multiple regions and newly verified sender identities), especially for services like SES that can be exploited for monetization.",
  "published": "2025-09-04T21:40:56+00:00",
  "created_at": "2025-09-04T21:40:56+00:00",
  "modified_at": "2025-09-05T06:47:40+00:00",
  "created_at_opencti": "2025-09-04T21:40:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-04",
    "aws",
    "cloud security",
    "email service",
    "phishing",
    "sandbox escape"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "street7news.org"
      },
      {
        "id": "",
        "name": "managed7.com"
      },
      {
        "id": "",
        "name": "street7market.net"
      },
      {
        "id": "",
        "name": "docfilessa.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "9ea66d8f-e2d8-4ff4-9475-71b2008fb4df",
        "name": "T1526"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      }
    ]
  },
  "external_refs": [
    "https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign",
    "https://otx.alienvault.com/pulse/68ba2388d5fc0ba4d6317ac6"
  ]
}