TL;DR: TruffleNet used stolen AWS credentials, automated validation, and Amazon SES abuse to run large-scale BEC phishing across more than 800 hosts in 57 networks, according to Unosecur. The campaign shows that cloud identity compromise can bypass perimeter controls and turn trusted infrastructure into a fraud delivery system.
NHIMG editorial — based on content published by Unosecur: New TruffleNet BEC Campaign Leverages AWS SES Using Stolen Credentials to Compromise 800+ Hosts
By the numbers:
- Organizations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious.
Questions worth separating out
Q: What breaks when stolen AWS credentials can send mail through SES?
A: Traditional perimeter and spam controls break down because the messages originate from a trusted cloud provider and a valid identity.
Q: Why do stolen cloud credentials increase BEC risk so quickly?
A: They let attackers move directly from initial validation to service abuse without exploiting software vulnerabilities.
Q: What do security teams get wrong about AWS access-key exposure?
A: They often treat exposed keys as a single account problem instead of a broader trust problem.
Practitioner guidance
- Instrument credential-verification API calls: Alert on GetCallerIdentity, GetSendQuota, and similar identity-check events when they originate from unfamiliar hosts, new geographies, or newly activated accounts.
- Restrict SES permissions by role purpose: Separate email-sending entitlements from general AWS access and remove SES permissions from roles that do not explicitly need them.
- Rotate and retire long-lived access keys: Inventory all AWS keys, identify dormant and shared credentials, and move high-risk workloads to short-lived identity patterns where possible.
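The first and third guidance points above can be expressed as a small triage routine. The following is an added example written for this editorial, not code from Unosecur or NHIMG: it scans constructed CloudTrail-style records for the credential-validation calls named above (GetCallerIdentity, GetSendQuota), flags those coming from outside an assumed corporate egress allow-list or made with a freshly created access key, and separately lists keys past a rotation age. The IP ranges, key ids, timestamps and events are all constructed sample data; the egress range and the one-day "new key" and 90-day "stale key" thresholds are assumptions a team would tune to its own environment.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

# Credential-validation calls named in the guidance above. A stolen key is usually
# checked with these before any real abuse begins.
VALIDATION_CALLS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("ses.amazonaws.com", "GetSendQuota"),
}

# Constructed allow-list of the organisation's known egress ranges (assumption).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access-key inventory: key id -> creation time (ISO 8601, UTC).
KEY_CREATED = {
    "AKIAEXAMPLEKEY000001": "2025-11-03T08:55:00Z",  # minted minutes before use
    "AKIAEXAMPLEKEY000002": "2024-01-15T12:00:00Z",  # long-lived key
}

# Constructed CloudTrail-style records (only the fields the checks use).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventTime": "2025-11-03T09:12:44Z",
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "evt-2", "eventTime": "2025-11-03T09:12:51Z",
     "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "evt-3", "eventTime": "2025-11-03T09:30:00Z",
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventID": "evt-4", "eventTime": "2025-11-03T09:31:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
]

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2025, 11, 3, 10, 0, tzinfo=timezone.utc)


def parse_time(value: str) -> datetime:
    """Parse CloudTrail's 'Z'-suffixed UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_known_source(ip: str, known_egress) -> bool:
    """True when the caller IP falls inside an allow-listed egress range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail records a service name for AWS-internal callers
        return False
    return any(addr in net for net in known_egress)


def triage_events(events, known_egress, key_created, now, new_key_window=timedelta(days=1)):
    """Return findings for validation calls from unfamiliar sources or fresh keys.

    Each finding lists the reasons that fired. Events that are not validation
    calls, or that come from known egress on an established key, produce none.
    """
    findings = []
    for ev in events:
        if (ev["eventSource"], ev["eventName"]) not in VALIDATION_CALLS:
            continue
        reasons = []
        if not is_known_source(ev["sourceIPAddress"], known_egress):
            reasons.append("unknown_source_ip")
        key_id = ev["userIdentity"].get("accessKeyId", "")
        created = key_created.get(key_id)
        if created and now - parse_time(created) < new_key_window:
            reasons.append("new_access_key")
        if reasons:
            findings.append({"eventID": ev["eventID"], "eventName": ev["eventName"],
                             "accessKeyId": key_id, "reasons": reasons})
    return findings


def stale_keys(key_created, now, max_age=timedelta(days=90)):
    """Return key ids older than max_age: the rotation candidates from the guidance."""
    return sorted(k for k, t in key_created.items() if now - parse_time(t) > max_age)


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS, KNOWN_EGRESS, KEY_CREATED, NOW):
        print(finding)
    print("rotate:", stale_keys(KEY_CREATED, NOW))
```

Run against the sample data, the two validation calls from the unfamiliar address on the minutes-old key are reported (each with both reasons), the GetCallerIdentity from known egress on an established key is not, and the EC2 call is ignored because it is not an identity check; the stale-key pass returns only the 2024 key. In a real pipeline the events would come from a CloudTrail delivery bucket or CloudWatch Logs and the egress list and key inventory from the organisation's own records.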
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- The exact AWS API sequence used to validate and stage abused credentials, including the reconnaissance pattern around GetCallerIdentity and GetSendQuota.
- The infrastructure indicators tied to the campaign, including the role of Portainer and exposed services across the 800-plus host footprint.
- The email abuse characteristics, such as SES identity creation patterns, typosquatted payment domains, and vendor impersonation examples.
- The immediate remediation checklist and short-term control changes that map the attack chain to specific AWS actions.
👉 Read Unosecur's analysis of the TruffleNet AWS credential abuse campaign →
Stolen AWS credentials and SES abuse: what IAM teams missed?
Cloud identity compromise is now a fraud platform, not just an access event. When attackers can authenticate with real AWS credentials, they inherit the trust boundary of the environment and can use it to deliver phishing at scale. That shifts the security question from whether access exists to whether the account can be abused without immediate behavioural detection. For IAM and NHI teams, the implication is that identity exposure is now a direct revenue-loss and fraud-loss issue, not a narrow admin problem.
A few things that frame the scale:
- Organizations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to The 2026 Infrastructure Identity Survey.
- Another finding from the 2026 Infrastructure Identity Survey shows that only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when compromised cloud identities are used for fraud?
A: Accountability usually spans IAM, cloud operations, and security monitoring because the weakness sits in credential lifecycle, permission scope, and detection coverage. Frameworks such as NIST SP 800-207 support the case for continuous verification, while NHI governance defines who owns the secret, who can use it, and who must revoke it.
👉 Read our full editorial: TruffleNet BEC shows how stolen AWS credentials fuel cloud fraud