TL;DR: TruffleNet used stolen AWS credentials, valid API calls, and trusted services like SES to run business email compromise at scale, showing how static cloud identities can be abused without malware or a zero-day, according to Defakto Security. The real failure is architectural: long-lived credentials still outlast the runtime context they were meant to represent.
NHIMG editorial — based on content published by Defakto Security: TruffleNet and cloud abuse at scale, an identity architecture failure
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: What breaks when cloud credentials are valid outside their original workload?
A: When a cloud credential can be reused outside the workload that issued it, the identity layer stops distinguishing legitimate execution from attacker replay.
Q: Why do long-lived cloud secrets increase fraud risk in trusted services?
A: Long-lived secrets increase fraud risk because they let attackers operate inside the trust boundary of services like mail delivery, storage, and automation platforms.
Q: How do security teams know if cloud identity controls are failing?
A: The clearest sign is when a stolen credential can be validated, reused, and operationalised from infrastructure that has no relationship to the original workload.
Practitioner guidance
- Eliminate long-lived cloud secrets from high-risk workflows Prioritise AWS access keys and service credentials that can be reused outside their original workload or pipeline.
- Tighten SES and other trusted outbound permissions Review which machine identities can send mail, verify identities, or import signing material.
- Measure identity blast radius before the next audit cycle Map the downstream actions available to each privileged cloud identity, including validation, email sending, and identity configuration.
What's in the full article
Defakto Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The sequence of AWS identity validation and SES abuse that enabled authenticated fraud.
- The specific trust assumptions around verified senders, quotas, and signing material that attackers exploited.
- The business impact areas, including wire fraud, operational disruption, and audit exposure.
- The vendor's architectural argument for dynamic, ephemeral identity instead of static secrets.
👉 Read Defakto Security's analysis of TruffleNet and cloud identity abuse at scale →
Static cloud credentials and TruffleNet: what IAM teams missed?
Explore further
Static cloud identity is the failure mode TruffleNet exposes. The campaign worked because a long-lived credential could exist independently of the workload that issued it, then be replayed from attacker infrastructure without losing legitimacy. That assumption was designed for stable, human-paced access, not for cloud automation that validates identity at machine speed. The implication is that identity programmes must stop treating reusable credentials as a tolerable baseline.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which helps explain why static cloud secrets still persist in production.
A question worth separating out:
Q: Who is accountable when a trusted cloud identity is used for business email compromise?
A: Accountability sits with the teams that own the workload identity, the cloud service permissions, and the governance model that allowed reusable credentials to persist. Frameworks such as the OWASP Non-Human Identity Top 10 and NIST CSF both point to access control, least privilege, and identity lifecycle ownership as core responsibilities.
👉 Read our full editorial: TruffleNet shows static cloud credentials still fail at scale