About
Verified Amazon Simple Email Service (SES) identities are valuable targets for attackers, who are often looking for ways to send spam or phishing emails.
Understanding Impact
Business Impact
Attackers can use verified email sending identities to send spam or phishing emails to a large number of recipients, potentially damaging the reputation of the organization.
Technical Impact
When an attacker gains access to an AWS account, they can use the Amazon SES service to send spam or phishing emails. Attackers often create new verified identities or turn on email sending in the account to send spam or phishing emails.
Detection
You can identify enumeration of SES configuration settings using the following CloudTrail events:
ses:GetAccountSendingEnabled
ses:GetSendQuota
ses:ListIdentities
ses:GetIdentityVerificationAttributes
Attackers frequently create new verified identities or turn on e-mail sending in the account, which you can detect using the CloudTrail events ses:VerifyEmailIdentity and ses:UpdateAccountSendingEnabled.
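The detection logic above, sketched as an added example (not Datadog's rule or code from this page): it correlates the enumeration events per principal and flags the two state-changing events on sight. The 10-minute window, the threshold of three distinct calls, the finding labels and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
ENUM_EVENTS = {"GetAccountSendingEnabled", "GetSendQuota",
               "ListIdentities", "GetIdentityVerificationAttributes"}
CHANGE_EVENTS = {"VerifyEmailIdentity", "UpdateAccountSendingEnabled"}
WINDOW = timedelta(minutes=10)  # assumption: correlation window
MIN_DISTINCT = 3                # assumption: distinct enumeration calls needed

def parse_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(records):
    """Return (kind, principal ARN, detail) findings for SES activity."""
    findings, alerted = [], set()
    seen = defaultdict(list)  # principal -> [(time, eventName)] inside WINDOW
    for rec in sorted(records, key=parse_time):
        # ListIdentities also exists in other services; match the source too.
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        name, when = rec["eventName"], parse_time(rec)
        if name in CHANGE_EVENTS:
            findings.append(("ses-change", who, name))
        elif name in ENUM_EVENTS:
            seen[who] = [(t, n) for t, n in seen[who] if when - t <= WINDOW]
            seen[who].append((when, name))
            distinct = sorted({n for _, n in seen[who]})
            if len(distinct) >= MIN_DISTINCT and who not in alerted:
                alerted.add(who)
                findings.append(("ses-enumeration", who, ",".join(distinct)))
    return findings

def sample_event(time, user, name, source="ses.amazonaws.com"):
    arn = "arn:aws:iam::111122223333:user/" + user  # placeholder account
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}

# Constructed sample records, not real logs.
SAMPLE = [
    sample_event("2024-01-01T10:00:00Z", "app", "GetSendQuota"),
    sample_event("2024-01-01T10:00:02Z", "app", "ListIdentities", "cognito-identity.amazonaws.com"),
    sample_event("2024-01-01T10:00:05Z", "app", "ListIdentities"),
    sample_event("2024-01-01T10:00:09Z", "app", "GetAccountSendingEnabled"),
    sample_event("2024-01-01T10:01:00Z", "app", "UpdateAccountSendingEnabled"),
    sample_event("2024-01-01T11:00:00Z", "monitor", "GetSendQuota"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

A single quota check, such as the one from the "monitor" principal, produces no finding; only a burst of distinct enumeration calls from one principal does.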
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.discovery.ses-enumerate
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules: