Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
Cybercriminals are abusing AWS misconfigurations to send phishing emails from trusted accounts.


Introduction

A new wave of phishing campaigns is using misconfigured AWS environments to send malicious email through Amazon Simple Email Service (SES) and Amazon WorkMail. According to Palo Alto Networks Unit 42, the threat actor, tracked as TGR-UNK-0011 and linked to the group known as JavaGhost, is using exposed long-term AWS access keys to gain unauthorized access to customer accounts and launch phishing campaigns from them.


How the Attack Works

Step 1: Exploiting Misconfigurations

The attackers do not exploit a vulnerability in AWS itself. They take advantage of poor configuration on the customer side, chiefly long-term IAM access keys left in code repositories, configuration files or other publicly accessible locations. A leaked key remains valid until it is deactivated or rotated, so anyone who finds it can authenticate as that IAM user with the AWS CLI and inherit every permission attached to it.

Step 2: Establishing Phishing Infrastructure

Once inside the compromised account, the attackers create new SES and WorkMail users and generate SMTP credentials. SES SMTP credentials are derived from an IAM user's access key, so this step shows up as new IAM users and access keys holding SES send permissions. The phishing messages are then sent from the organization's own verified domain, so they typically pass the SPF and DKIM checks that domain is already set up for and arrive from a sender that recipients and many mail filters already trust.

Step 3: Persistence & Evasion

For persistence the attackers create additional IAM users that they leave unused as fallback access, and new IAM roles whose trust policies allow other attacker-controlled AWS accounts to assume them, so they keep access even if the original key is revoked and their later activity is attributed to the role rather than to the stolen credential. They also create EC2 security groups named "Java_Ghost" with the description "We Are There But Not Visible"; the CreateSecurityGroup call is recorded in CloudTrail, leaving a calling card in the logs.
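The three stages above leave a recognisable trail in CloudTrail. The following is an added example, not code from the original article or from Unit 42, that runs that detection over a handful of constructed records: the account ID 123456789012, the IAM user ci-deploy, the IP addresses, the role and mailbox names and every record are invented for illustration. It flags new IAM credentials (which is how an "SES user" appears), roles that trust an account outside our own, new WorkMail users and the Java_Ghost security group, then groups the hits by actor so that one key walking through several stages stands out.

```python
"""Hunt for the JavaGhost-style playbook in CloudTrail. Added example, not
code from the article or Unit 42; account ID, names, IPs and all records
below are constructed."""
import json
from collections import defaultdict
from urllib.parse import quote, unquote

OUR_ACCOUNT = "123456789012"  # assumption: the monitored (victim) account
# SES SMTP credentials are derived from an IAM access key, so the attack's
# "SES user" surfaces in CloudTrail as iam:CreateUser / CreateAccessKey.
IAM_CREDENTIAL_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
CALLING_CARD = ("java_ghost", "we are there but not visible")
# Trust policy handing a role to an outside account (constructed).
_FOREIGN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})

def _ev(time, source, name, params, ip="203.0.113.7", user="ci-deploy"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "accountId": OUR_ACCOUNT}}

SAMPLE_EVENTS = [
    _ev("2025-02-10T09:01:12Z", "iam.amazonaws.com", "CreateUser",
        {"userName": "ses-smtp-user"}),
    _ev("2025-02-10T09:01:40Z", "iam.amazonaws.com", "CreateAccessKey",
        {"userName": "ses-smtp-user"}),
    # CloudTrail stores policy documents URL-encoded; mirror that here.
    _ev("2025-02-10T09:02:05Z", "iam.amazonaws.com", "CreateRole",
        {"roleName": "support-role",
         "assumeRolePolicyDocument": quote(_FOREIGN_TRUST)}),
    _ev("2025-02-10T09:03:30Z", "workmail.amazonaws.com", "CreateUser",
        {"name": "billing", "displayName": "Billing"}),
    _ev("2025-02-10T09:04:00Z", "ec2.amazonaws.com", "CreateSecurityGroup",
        {"groupName": "Java_Ghost",
         "groupDescription": "We Are There But Not Visible"}),
    # Routine activity from inside the VPC; must not be flagged.
    _ev("2025-02-10T09:05:00Z", "s3.amazonaws.com", "GetObject",
        {"bucketName": "app-assets"}, ip="10.0.4.12", user="app-server"),
]

def foreign_principals(trust_policy):
    """AWS principals in a (possibly URL-encoded) trust policy outside OUR_ACCOUNT."""
    foreign = []
    for stmt in json.loads(unquote(trust_policy)).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([arns] if isinstance(arns, str) else arns):
            if arn == "*" or f":{OUR_ACCOUNT}:" not in arn:
                foreign.append(arn)
    return foreign

def classify(event):
    """Map one record to (stage, severity, detail), or None if uninteresting."""
    src, name = event["eventSource"], event["eventName"]
    params = event.get("requestParameters") or {}
    if src == "iam.amazonaws.com":
        if name in IAM_CREDENTIAL_EVENTS:
            return ("new-iam-credential", "medium", params.get("userName", "?"))
        if name == "CreateRole":
            outsiders = foreign_principals(params.get("assumeRolePolicyDocument", "{}"))
            if outsiders:
                return ("cross-account-trust", "high", ", ".join(outsiders))
    elif src == "workmail.amazonaws.com" and name == "CreateUser":
        return ("new-workmail-user", "medium", params.get("name", "?"))
    elif src == "ec2.amazonaws.com" and name == "CreateSecurityGroup":
        text = f"{params.get('groupName', '')} {params.get('groupDescription', '')}".lower()
        if any(marker in text for marker in CALLING_CARD):
            return ("javaghost-calling-card", "high", params.get("groupName", ""))
    return None

def scan(events):
    """One finding dict per matching record, in input order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        stage, severity, detail = hit
        actor = f"{ev['userIdentity'].get('userName', '?')}@{ev['sourceIPAddress']}"
        findings.append({"time": ev["eventTime"], "actor": actor, "stage": stage,
                         "severity": severity, "detail": detail})
    return findings

def stages_by_actor(findings):
    """One key walking through several playbook stages is the real signal."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["actor"]].add(f["stage"])
    return dict(grouped)

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['severity']:<6} {f['actor']:<24} {f['stage']}: {f['detail']}")
    for actor, stages in stages_by_actor(found).items():
        print(f"{actor}: {len(stages)} playbook stage(s) {sorted(stages)}")
```

On real data, feed the same functions the records from a CloudTrail trail or Athena query; the only tuning needed is OUR_ACCOUNT. The cross-account check is the one worth keeping even outside this campaign, because a role trusting an account you do not own is persistence regardless of who planted it.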


How to Stay Safe

  • Secure Your AWS Keys: Do not hardcode access keys in source or configuration files. Prefer IAM roles and short-lived credentials; where long-term keys are unavoidable, keep them in AWS Secrets Manager, rotate them regularly and scan repositories for leaked keys.
  • Monitor CloudTrail Logs: Alert on IAM CreateUser, CreateAccessKey and CreateRole (especially roles that trust an account outside your own), WorkMail CreateUser, and security groups with unexpected names such as "Java_Ghost".
  • Implement IAM Best Practices: Apply least privilege (an SES sender needs only send permissions on the identities it actually uses), remove unused users and access keys, and enforce multi-factor authentication (MFA).
  • Use AWS Config and GuardDuty: Continuously monitor for policy misconfigurations and suspicious activity such as credential use from unfamiliar locations.
  • Regular Security Audits: Conduct periodic Vulnerability Assessment and Penetration Testing (VAPT).
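Least privilege for SES is easy to state and easy to get wrong, because the convenient policy for an "SES SMTP user" is ses:* on every resource, which is exactly what the attacker needs. The following added example, not code from the article, lints an IAM policy document for that mistake and shows the weak policy beside a corrected one: the account ID, region, domain and sender address are constructed. It flags send statements that also grant SES administration, that apply to every identity, or that lack a ses:FromAddress condition.

```python
"""Lint an IAM policy for over-broad SES send rights. Added example, not
code from the article; both policies, the account ID and the domain are
constructed."""
from fnmatch import fnmatchcase

SES_SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail",
                    "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail"}
SES_ADMIN_PROBE = "ses:CreateEmailIdentity"  # a match here means more than sending

# Weak: what an ad hoc "SES SMTP user" often ends up with (constructed).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}

# Corrected: send only, from one verified identity, as one fixed address.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
    "Condition": {"StringEquals": {"ses:FromAddress": "noreply@example.com"}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def lint(policy):
    """Return findings for statements that grant SES sending; [] means it passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        if not any(_matches(a, patterns) for a in SES_SEND_ACTIONS):
            continue  # grants no SES sending; outside this linter's scope
        if _matches(SES_ADMIN_PROBE, patterns):
            findings.append(f"statement {i}: action wildcard also grants SES "
                            f"administration (e.g. {SES_ADMIN_PROBE}), not just sending")
        if "*" in _as_list(stmt.get("Resource", "*")):
            findings.append(f"statement {i}: Resource '*' allows sending from "
                            "every verified identity in the account")
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "ses:fromaddress" not in cond_keys:
            findings.append(f"statement {i}: no ses:FromAddress condition, so any "
                            "From address on the identity is allowed")
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, lint(policy) or "OK")
```

The ses:FromAddress condition is what stops a stolen SMTP credential from impersonating the CEO's mailbox on the same domain: even with a valid key, the attacker can only send as the one address the policy names.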


About Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions (ICSS) helps businesses protect their digital transactions through security audits, VAPT, and cybersecurity training. Backed by a proven client portfolio and successful case studies, ICSS empowers businesses to defend against modern threats.

Learn more: Indian Cyber Security Solutions


Conclusion

AWS misconfigurations can turn trusted cloud infrastructure into a phishing tool for attackers. Organizations must implement robust cloud security policies, continuously monitor their environments, and partner with Indian Cyber Security Solutions to ensure their AWS deployments remain secure from exploitation.
