Threat actors abused native AWS email services to build phishing and spam infrastructure inside a compromised cloud environment. After obtaining exposed long-term AWS credentials, the attackers conducted IAM and service reconnaissance to assess email-sending capabilities. While Amazon SES sandbox restrictions initially limited large-scale abuse, the actors pivoted to AWS WorkMail—leveraging its lighter upfront controls—to immediately send externally facing phishing emails from victim-owned infrastructure, benefiting from Amazon’s strong sender reputation and low operational friction.
The investigation shows a staged approach: validating leaked credentials, escalating privileges, preparing persistence, and then operationalizing phishing via WorkMail while waiting for SES quota increases. This technique reduces attacker costs, obscures attribution, and creates monitoring blind spots, especially when SMTP is used for sending email, which generates little to no centralized telemetry. Any organization with leaked AWS credentials and permissive IAM policies—particularly those without explicit WorkMail guardrails—is at risk.
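The staged pattern described above (credential validation, IAM and SES reconnaissance, then WorkMail setup) leaves management-plane API calls in CloudTrail even though the SMTP sends themselves produce little centralized telemetry. The following Python is an added example, not code from the original write-up or from AWS: it correlates CloudTrail management events per access key and flags any key that moves from reconnaissance to WorkMail provisioning within a short window. The event names are real CloudTrail `eventName` values, but their grouping into stages, the 24-hour window, and the sample records are assumptions constructed for this illustration.

```python
"""Added example: flag access keys that pivot from recon to WorkMail setup.

Not part of the original write-up. Event-name groupings, window size and
sample records are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Stage 1: validating a leaked key and sizing up email-sending capability.
RECON_EVENTS = {
    "GetCallerIdentity", "GetUser", "ListAttachedUserPolicies", "ListUserPolicies",
    "GetSendQuota", "GetAccountSendingEnabled", "ListIdentities", "ListOrganizations",
}
# SES v2 call used to request production access (leaving the sandbox).
SES_EXIT_SANDBOX = {"PutAccountDetails"}
# Stage 2: standing up WorkMail sending infrastructure.
WORKMAIL_BUILD = {
    "CreateOrganization", "RegisterMailDomain", "CreateUser",
    "RegisterToWorkMail", "CreateAlias",
}


def _ts(value):
    """Parse the CloudTrail ISO-8601 timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_workmail_pivot(events, window=timedelta(hours=24)):
    """Return one finding per access key that ran recon and then built WorkMail.

    A key is flagged when its first WorkMail provisioning call happens within
    `window` of its first reconnaissance call. Whether the key also asked SES
    for production access is recorded for context, not as a trigger.
    """
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        first_recon = None
        ses_requested = False
        for ev in evs:
            name, when = ev["eventName"], _ts(ev["eventTime"])
            if name in RECON_EVENTS:
                first_recon = first_recon or when
            elif name in SES_EXIT_SANDBOX:
                ses_requested = True
            elif name in WORKMAIL_BUILD and first_recon and when - first_recon <= window:
                findings.append({
                    "access_key": key,
                    "first_workmail_action": name,
                    "minutes_from_recon": int((when - first_recon).total_seconds() // 60),
                    "ses_production_requested": ses_requested,
                    "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
                })
                break  # one finding per key is enough for triage
    return sorted(findings, key=lambda f: f["access_key"])


def _rec(time, source, name, key, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip}


# Constructed sample: one leaked key walks the full chain, one admin key only
# does routine WorkMail work, one key only runs reconnaissance.
SAMPLE_EVENTS = [
    _rec("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T10:01:30Z", "iam.amazonaws.com", "ListAttachedUserPolicies", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T10:03:00Z", "ses.amazonaws.com", "GetSendQuota", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T10:04:00Z", "ses.amazonaws.com", "PutAccountDetails", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T10:10:00Z", "workmail.amazonaws.com", "CreateOrganization", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T10:20:00Z", "workmail.amazonaws.com", "CreateUser", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T10:21:00Z", "workmail.amazonaws.com", "RegisterToWorkMail", "AKIAEXAMPLELEAKED", "203.0.113.10"),
    _rec("2024-05-01T09:00:00Z", "workmail.amazonaws.com", "CreateUser", "AKIAEXAMPLEADMIN", "198.51.100.5"),
    _rec("2024-05-01T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLEAUDIT", "198.51.100.7"),
]

if __name__ == "__main__":
    for finding in detect_workmail_pivot(SAMPLE_EVENTS):
        print(finding)
```

In practice the records would come from a CloudTrail Lake query or an exported trail rather than an inline list; the point of the key-scoped sequencing is that a routine WorkMail change by an administrator does not fire, while a freshly validated key that checks SES limits and then provisions WorkMail does. Pair it with an SCP or IAM boundary that denies `workmail:*` in accounts that never use the service, so the pivot is blocked rather than merely observed.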