What happened
Security researchers at Fortinet uncovered a large-scale cloud abuse operation, dubbed “TruffleNet”, in which attackers used stolen AWS credentials and automation tools (including TruffleHog) to probe hundreds of compromised hosts and then abused the AWS CLI and Amazon Simple Email Service (SES) APIs for downstream fraud and business email compromise (BEC) campaigns.
The campaign affected more than 800 unique IP addresses across 57 Class C networks and utilized SES to send spoofed or otherwise malicious emails from compromised or registered domains.
Who is affected
Any organization using AWS cloud services is in scope: the Fortinet blog notes that credential theft lets adversaries bypass traditional security controls, because they arrive as an authenticated principal rather than through an exploited server.
In this specific instance, the oil & gas sector was targeted via a “vendor-onboarding W-9” scam, which sent a $50,000 ACH payment request after the attacker compromised a domain tied to a legitimate vendor.
Why CISOs should care
- This attack shows that securing cloud workloads isn’t just about servers and virtual machines. Identity and credential misuse are primary gateways for adversaries.
- The use of native cloud services (SES) for BEC and fraud means attackers can exploit trusted infrastructure, making detection more challenging.
- The scale and automation of the reconnaissance phase (hundreds of nodes) mean that weaknesses in credential hygiene or misconfigured cloud accounts can be rapidly exploited.
- Failure to detect and remediate such misuse can lead to direct financial loss, reputational damage, and downstream compliance risks.
3 Practical Actions
- Enforce least-privilege access and credential hygiene: Review IAM roles, disable unused access keys, and require MFA for all privileged accounts. Rotate keys regularly and monitor for “GetCallerIdentity” or “GetSendQuota” API calls (indicative of reconnaissance).
- Monitor cloud APIs and behaviour anomalies: Implement logging of cloud identity and mail-service API usage. Set up alerts for unexpected SES identity creation, “CreateEmailIdentity” or “PutAccountVdmAttributes” calls, especially in regions or accounts that don’t typically use SES.
- Detect and respond to BEC via cloud-service abuse: Treat SES (and equivalent services) as part of your attack surface. Include it in your phishing/BEC detection and incident-response playbooks. If outbound email normally flows from on-premises or third-party services, monitor for sudden SES usage. Investigate unexpected domains or DKIM keys added to SES accounts.
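The three actions above come down to watching a handful of CloudTrail event names and asking whether they occur from principals, regions or sequences that are unusual for the account. The script below is an added example, not Fortinet's code or anything published with the advisory. It triages a batch of CloudTrail records for the pattern described on this page (GetCallerIdentity and GetSendQuota as reconnaissance; CreateEmailIdentity and PutAccountVdmAttributes as SES changes; any SES call outside the regions the organization normally sends from; and the sequence of a credential check followed by SES use from the same access key). The sample events and the access key value are constructed; the allowlist of expected SES regions is an assumption that each organization would set from its own baseline, and the script assumes CloudTrail reports both SES API versions under the eventSource "ses.amazonaws.com".

```python
"""Triage CloudTrail records for the TruffleNet-style pattern: credential
validation, SES quota checks, SES identity/VDM changes, and SES activity in
regions that do not normally send mail. Field names follow the CloudTrail
record format (eventName, eventSource, awsRegion, userIdentity,
sourceIPAddress, eventTime). All sample data below is constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Calls the advisory names as reconnaissance indicators.
RECON_CALLS = {"GetCallerIdentity", "GetSendQuota"}
# Calls the advisory names as SES configuration changes worth alerting on.
SES_CHANGE_CALLS = {"CreateEmailIdentity", "PutAccountVdmAttributes"}
SES_SOURCE = "ses.amazonaws.com"  # assumed eventSource for SES v1 and v2 APIs


def _principal(event):
    """Prefer the access key, so findings group by the credential in use."""
    ident = event.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage_events(events, expected_ses_regions, window_minutes=60):
    """Return a list of findings; each finding is a dict with rule/severity."""
    findings = []
    by_principal = defaultdict(list)
    for ev in sorted(events, key=_ts):
        name, region, who = ev["eventName"], ev["awsRegion"], _principal(ev)
        base = {"principal": who, "region": region, "eventName": name,
                "sourceIP": ev.get("sourceIPAddress"), "time": ev["eventTime"]}
        if name in RECON_CALLS:
            findings.append({**base, "rule": "recon-api-call", "severity": "medium"})
        if name in SES_CHANGE_CALLS:
            sev = "high" if region not in expected_ses_regions else "medium"
            findings.append({**base, "rule": "ses-identity-change", "severity": sev})
        if ev.get("eventSource") == SES_SOURCE and region not in expected_ses_regions:
            findings.append({**base, "rule": "ses-unexpected-region", "severity": "high"})
        by_principal[who].append(ev)

    # Sequence rule: a credential check followed by SES use from the same key
    # within the window is the recon-then-abuse chain described in the advisory.
    for who, evs in by_principal.items():
        checks = [_ts(e) for e in evs if e["eventName"] == "GetCallerIdentity"]
        for e in evs:
            if e.get("eventSource") != SES_SOURCE:
                continue
            t = _ts(e)
            if any(0 <= (t - c).total_seconds() <= window_minutes * 60 for c in checks):
                findings.append({"rule": "recon-then-ses-use", "severity": "high",
                                 "principal": who, "first_ses_call": e["eventName"],
                                 "region": e["awsRegion"], "time": e["eventTime"]})
                break
    return findings


def summarize(findings):
    """Count findings per rule, for a quick dashboard or test assertion."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed sample: a benign app role sending from the usual region, then a
# leaked key (AWS's documented example key id) checking itself and touching
# SES in a region the organization never uses for mail.
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-01T09:00:00Z", "eventName": "SendEmail",
     "eventSource": SES_SOURCE, "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-mailer/i-0abc"},
     "sourceIPAddress": "10.0.1.20"},
    {"eventTime": "2025-10-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-10-01T10:03:00Z", "eventName": "GetSendQuota",
     "eventSource": SES_SOURCE, "awsRegion": "us-west-2",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-10-01T10:05:00Z", "eventName": "CreateEmailIdentity",
     "eventSource": SES_SOURCE, "awsRegion": "us-west-2",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "sourceIPAddress": "198.51.100.7"},
]
EXPECTED_SES_REGIONS = {"us-east-1"}  # assumed organizational baseline

if __name__ == "__main__":
    results = triage_events(SAMPLE_EVENTS, EXPECTED_SES_REGIONS)
    print(json.dumps(results, indent=2))
    print(summarize(results))
```

On the sample data the benign SendEmail from the app role produces nothing, while the leaked key trips the reconnaissance rule twice, the unexpected-region rule twice, the identity-change rule once, and the recon-then-SES-use sequence once. In production the event list would come from CloudTrail (for example via Athena over the S3 trail or a SIEM export), and the region allowlist would be derived from historical SES usage per account; the sequence rule keys on the access key precisely because, as the advisory stresses, the stolen credential rather than any host is the common thread.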
