The Wiz Research team has revealed details of a May 2025 phishing campaign that weaponized Amazon Simple Email Service (SES) using compromised AWS keys. The operation stood out not only for its scale, but also for its use of previously undocumented attack patterns designed to bypass SES restrictions and deliver phishing at industrial scale.
As Wiz explains, “The attacker first compromised an AWS access key… used the compromised key to access the victim’s AWS environment, bypass SES’s built-in restrictions, verify new ‘sender’ identities, and methodically prepare and conduct a phishing operation.”
By default, SES accounts operate in sandbox mode, limited to 200 messages per day sent only to verified addresses. Attackers sought to escape this restriction by abusing the PutAccountDetails API.
Within seconds, Wiz observed the attacker issuing multi-regional PutAccountDetails requests, a tactic not previously documented. According to the report, “Within a span of just ten seconds, we observed a burst of PutAccountDetails requests that fanned out across all AWS regions – a strong indicator of automation and a clear attempt to push the SES account into production mode.”
AWS support approved the request, granting the attacker a quota of 50,000 emails per day, enough to power a significant phishing campaign.
Not content with the default quota, the attacker programmatically opened a support ticket via the CreateCase API, requesting even higher sending limits. They also attempted to escalate privileges by attaching a malicious IAM policy named ses-support-policy to the compromised user.
Both efforts failed due to insufficient permissions, but Wiz highlighted the unusual tradecraft: “The use of CreateCase via API rather than the AWS Console… is uncommon, and serves as another strong indicator of suspicious activity.”
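The two indicators Wiz describes above, the ten-second multi-region PutAccountDetails burst and CreateCase issued via the API rather than the console, can be hunted for in CloudTrail. The following is an added example, not code from Wiz or the original article. It assumes CloudTrail records already parsed into dicts; the region threshold, helper names and sample records are constructed, and the console check relies on CloudTrail's `sessionCredentialFromConsole` field.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # burst span reported on the page
MIN_REGIONS = 3                 # assumed threshold, tune per environment
SES, SUPPORT = "ses.amazonaws.com", "support.amazonaws.com"

def access_key(rec):
    return rec.get("userIdentity", {}).get("accessKeyId", "unknown")

def fanout_alerts(records):
    """Access keys calling PutAccountDetails in >= MIN_REGIONS regions within WINDOW."""
    by_key = defaultdict(list)
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) == (SES, "PutAccountDetails"):
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[access_key(r)].append((ts, r["awsRegion"]))
    alerts = {}
    for key, calls in by_key.items():
        calls.sort()
        best, start = set(), 0
        for end in range(len(calls)):  # sliding window over time-sorted calls
            while calls[end][0] - calls[start][0] > WINDOW:
                start += 1
            regions = {reg for _, reg in calls[start:end + 1]}
            best = max(best, regions, key=len)
        if len(best) >= MIN_REGIONS:
            alerts[key] = sorted(best)
    return alerts

def api_support_cases(records):
    """Access keys that called CreateCase outside a console session."""
    return sorted({access_key(r) for r in records
                   if (r.get("eventSource"), r.get("eventName")) == (SUPPORT, "CreateCase")
                   and r.get("sessionCredentialFromConsole") != "true"})

def make_record(t, src, name, region, key, **extra):
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "awsRegion": region, "userIdentity": {"accessKeyId": key}, **extra}
K1, K2 = "AKIA-CONSTRUCTED-1", "AKIA-CONSTRUCTED-2"
SAMPLE = (  # constructed records, not taken from the Wiz report
    [make_record(f"2025-05-01T12:00:0{i}Z", SES, "PutAccountDetails", reg, K1)
     for i, reg in enumerate(["us-east-1", "us-west-2", "eu-west-1", "ap-south-1"])]
    + [make_record(f"2025-05-01T{h}:00:00Z", SES, "PutAccountDetails", reg, K2)
       for h, reg in [("09", "us-east-1"), ("10", "eu-west-1"), ("11", "us-west-2")]]
    + [make_record("2025-05-01T12:01:00Z", SUPPORT, "CreateCase", "us-east-1", K1),
       make_record("2025-05-01T13:00:00Z", SUPPORT, "CreateCase", "us-east-1", K2,
                   sessionCredentialFromConsole="true")]
)
```

On the sample, only the first key is flagged by both checks: the second key touches three regions over hours rather than seconds, and its support case comes from a console session.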
With production mode enabled, the attacker moved quickly to establish their phishing infrastructure. Using the CreateEmailIdentity API, they verified a mix of attacker-owned and weakly protected domains, including:
- managed7.com
- street7news.org
- street7market.net
- docfilessa.com
They then created phishing mailboxes with common prefixes such as admin@, billing@, and noreply@.
Wiz collaborated with Proofpoint to confirm that these domains were actively used in a phishing campaign themed around 2024 tax forms. Subjects included: “Your 2024 Tax Form(s) Are Now Ready to View and Print” and “Information Alert: Tax Records Contain Anomalies.” Emails linked to a credential theft site at irss[.]securesusa[.]com, concealed behind a commercial redirect service to bypass security scanners.
While SES is designed for legitimate bulk email, its misuse poses severe risks. Wiz emphasizes:
- “If SES is configured in your account, attackers can send email from your verified domains. Beyond brand damage, this enables phishing that looks like it came from you and can be used for spearphishing, fraud, data theft, or masquerading in business processes.”
- SES abuse signals that attackers already possess valid AWS credentials, raising the risk of deeper cloud compromise.
- Abusive traffic can lead to AWS abuse complaints against the victim organization, causing operational disruption.
This SES abuse campaign demonstrates how attackers transform a single compromised AWS key into a 50,000-email-per-day phishing platform. By abusing production mode, verifying domains, and masking credential theft sites, adversaries blend malicious traffic with legitimate cloud email flows—leaving victims to absorb both reputational and operational fallout.
As Wiz concludes, “SES abuse rarely happens in isolation. It’s a clear indicator that adversaries already control valid AWS credentials that can be expanded into more impactful actions.”