Security dashboard monitoring suspicious SES activity

In May 2025, researchers uncovered a large-scale phishing campaign abusing compromised AWS credentials to hijack Amazon Simple Email Service (SES). Attackers exploited the SES Java API to quickly move accounts from sandbox to production mode, enabling them to send over 50,000 malicious emails daily.

Security dashboard monitoring suspicious SES activitySecurity dashboard monitoring suspicious SES activity

Using stolen AWS keys—likely leaked from public repositories or developer machines—the threat actors automated reconnaissance and multi-region requests to maximize email quotas. They verified attacker-owned and weakly protected domains to bypass email security and launched phishing emails themed around 2024 tax forms, directing victims to credential theft sites hidden behind legitimate redirects.

Security dashboard monitoring suspicious SES activitySecurity dashboard monitoring suspicious SES activity

Despite attempts to escalate privileges for higher quotas, attackers operated within standard limits but still caused significant reputational and operational risks. This campaign highlights the dangers of compromised cloud credentials and the need for strict IAM key management, least privilege enforcement, and continuous monitoring of SES activity to detect suspicious behavior early and prevent abuse.

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security