
Cybercriminals are increasingly using AWS misconfigurations to launch phishing campaigns via Amazon Simple Email Service (SES) and WorkMail. This is not a vulnerability in AWS itself, but rather errors within companies' configuration and security policies. The insidious thing about it is that the attacks appear to come from a trustworthy source because the emails are sent via legitimate but compromised AWS access.
For CEOs, CIOs and CISOs, this means a new dimension of threat: **Their own IT infrastructure can become a weapon against their partners, customers or even internal teams.** Anyone who still thinks that cloud security configurations are a purely technical question of detail not only risks data loss, but also significant reputational damage and regulatory penalties.
The recent waves of attacks show a recurring pattern: Criminals, in this case a group called JavaGhost, do not buy access or crack passwords, but use unsecured AWS credentials that companies themselves have left unprotected.
These credentials – in the form of Identity and Access Management (IAM) keys – are often made public through misconfigurations in development environments or poorly secured repositories. JavaGhost uses this data to connect to legitimate AWS accounts and build phishing infrastructures there.
1. AWS credentials found unsecured: Be it through publicly accessible environment variables, leaked configuration files or negligently used access keys.
2. Attackers generate temporary AWS credentials: These give them short-term access to the affected account.
3. SES and WorkMail are used for phishing campaigns: The victims receive deceptively real emails from seemingly authorized senders.
4. Data theft or manipulation: Attackers gain access to other systems through malicious links or attachments.
A core problem here: Because SES and WorkMail send from AWS's own servers on behalf of a sender identity the account has already verified, the messages pass the checks that traditional email security relies on, such as SPF, DKIM and DMARC, instead of being flagged by them. These checks were designed to catch spoofing, not mail sent legitimately from a hijacked account, so even well-protected companies can be affected by these phishing attempts.
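The attack chain above (leaked long-term key, temporary credentials minted from it, then SES or WorkMail activity) leaves a recognisable trail in CloudTrail, which is also what measure 2 below asks security teams to monitor. The following script is an added example written for this page, not code from ProSec or from AWS: it correlates STS token issuance with follow-on SES and WorkMail calls made by the issued session key. The sample events are constructed, simplified CloudTrail records (one JSON object per line), the action sets are an editorial choice rather than an AWS-published list, and `AKIAIOSFODNN7EXAMPLE` is AWS's documented example key, standing in here for a leaked key.

```python
"""Correlate STS session issuance with follow-on SES/WorkMail activity in CloudTrail records."""
import json
from datetime import datetime, timedelta

# STS calls that turn a long-term access key into temporary credentials.
TOKEN_CALLS = {"GetFederationToken", "GetSessionToken"}

# API calls that set up or run a mail campaign once a session exists.
# Assumption: this list is an editorial choice, not an AWS-published one.
SUSPICIOUS_ACTIONS = {
    "ses.amazonaws.com": {
        "VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity",
        "SendEmail", "SendRawEmail", "PutAccountSendingAttributes",
    },
    "workmail.amazonaws.com": {"CreateOrganization", "CreateUser", "RegisterToWorkMail"},
}

# Constructed, simplified CloudTrail records (not real log data); real records carry many more fields.
SAMPLE_EVENTS = """
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLETEMP0001"}}}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"ses.amazonaws.com","eventName":"VerifyEmailIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"FederatedUser","accessKeyId":"ASIAEXAMPLETEMP0001"}}
{"eventTime":"2024-01-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"FederatedUser","accessKeyId":"ASIAEXAMPLETEMP0001"}}
{"eventTime":"2024-01-01T10:20:00Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"FederatedUser","accessKeyId":"ASIAEXAMPLETEMP0001"}}
{"eventTime":"2024-01-01T10:30:00Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEAPPMAIL01"}}
"""


def _ts(value):
    """Parse CloudTrail's ISO-8601 UTC timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events, window=timedelta(hours=12)):
    """Return SES/WorkMail calls made with a temporary key minted by STS within `window`."""
    # Pass 1: map each issued temporary key to the long-term key that requested it.
    issued = {}
    for event in events:
        if event.get("eventSource") == "sts.amazonaws.com" and event.get("eventName") in TOKEN_CALLS:
            creds = (event.get("responseElements") or {}).get("credentials") or {}
            temp_key = creds.get("accessKeyId")
            if temp_key:
                issued[temp_key] = (event["userIdentity"].get("accessKeyId"), _ts(event["eventTime"]))

    # Pass 2: flag mail-related calls made by one of those temporary keys.
    findings = []
    for event in events:
        actions = SUSPICIOUS_ACTIONS.get(event.get("eventSource"), ())
        if event.get("eventName") not in actions:
            continue
        key = event["userIdentity"].get("accessKeyId", "")
        if key not in issued:
            continue  # a long-term application key sending mail is business as usual
        parent_key, issued_at = issued[key]
        if _ts(event["eventTime"]) - issued_at <= window:
            findings.append({
                "time": event["eventTime"],
                "action": event["eventName"],
                "temp_key": key,
                "issued_by": parent_key,
                "source_ip": event.get("sourceIPAddress"),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(load_events(SAMPLE_EVENTS)):
        print(finding)
```

The legitimate application key that sends mail directly is not flagged; only calls made with a session that STS minted from a long-term key are. In production the same logic would run over CloudTrail delivered to S3 or over CloudWatch Logs, and the long-term key named in `issued_by` is the one to rotate first.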
Many companies still rely on traditional protection mechanisms such as firewalls and email gateways. But these measures do little against abuse of cloud services such as AWS, because the malicious traffic originates from legitimate infrastructure.
The following reasons contribute to this:
Cloud environments are dynamic:
Companies often change their infrastructure, credentials and permissions at short notice. Misconfigurations inevitably arise - but often go unnoticed.
Security teams underestimate internal risks:
Even if companies have solid external defenses, the biggest vulnerability often remains internal: Misconfigurations, human errors and lack of monitoring.
Trust factor through AWS:
Since the phishing emails are sent from Amazon servers, they appear inconspicuous to mail filters and often end up directly in the inbox.
For companies affected by such attacks – whether as direct victims or as unwitting accomplices through compromised AWS accounts – the impact can be devastating:
Financial damage and operational downtime
Phishing is often the entry point for attacks on core systems, which can lead to production downtime and operational disruptions.
Loss of reputation
When a company enables phishing attacks through its own infrastructure, the trust of customers, partners and investors suffers.
Regulatory consequences and penalties
Data protection authorities enforcing the GDPR, or bodies such as the BSI, could hold companies accountable if negligent handling of sensitive data is proven.
Companies cannot rely on technical departments or individual cloud teams when it comes to security. Cloud security is a strategic management task.
Important measures:
1. Review AWS IAM policies regularly
AWS credentials must be strictly restricted and regularly reviewed. The principle of least privilege access must be implemented.
2. Enable automated monitoring and logging
AWS CloudTrail and other security monitors must be configured to quickly detect and remediate suspicious activity.
3. Phishing simulations and awareness raising in the company
Employees must be specifically trained not to blindly trust emails that have a legitimate origin.
4. Conduct a professional security assessment
A regular cloud security audit by experts can uncover vulnerabilities before they are exploited by hackers.
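Measure 1 asks for regular review of IAM policies against least privilege. The script below is an added example written for this page, not code from ProSec or an AWS tool: it audits an IAM policy document for permissions that, if the key carrying them leaked, would let an attacker mint session credentials or set up and run a mail campaign through SES or WorkMail, and it contrasts an over-broad policy with a scoped one. The two policies, the account id, the identity ARN and the addresses are constructed; the list of sensitive actions is an editorial choice for this attack pattern, not a complete catalogue; `ses:FromAddress` is a real SES condition key.

```python
"""Audit an IAM policy document for permissions that enable the SES/WorkMail abuse pattern."""
import fnmatch
import json

# Actions relevant to this attack pattern and why each matters.
# Assumption: an editorial selection for this page, not an exhaustive AWS list.
SENSITIVE_ACTIONS = {
    "sts:GetFederationToken": "turns a long-term key into temporary session credentials",
    "sts:GetSessionToken": "turns a long-term key into temporary session credentials",
    "ses:VerifyEmailIdentity": "registers a new sender identity",
    "ses:VerifyDomainIdentity": "registers a new sender domain",
    "ses:CreateEmailIdentity": "registers a new sender identity (SES v2 API)",
    "ses:SendEmail": "sends mail; acceptable only when Resource names the approved identity",
    "ses:SendRawEmail": "sends mail; acceptable only when Resource names the approved identity",
    "workmail:CreateOrganization": "creates a WorkMail organization inside the account",
    "workmail:CreateUser": "creates WorkMail mailboxes",
    "iam:CreateAccessKey": "creates further long-term keys",
}
# Sending is a legitimate need and may be granted when scoped to a specific identity ARN.
SCOPABLE = {"ses:SendEmail", "ses:SendRawEmail"}

# Constructed example: the kind of policy that makes a leaked key dangerous.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["ses:*", "sts:GetFederationToken"],
                "Resource": "*"}]}
""")

# Constructed example: the same mail-sending need, scoped to one identity and one From address.
HARDENED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                "Resource": "arn:aws:ses:eu-central-1:123456789012:identity/example.com",
                "Condition": {"StringEquals": {"ses:FromAddress": "noreply@example.com"}}}]}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return human-readable findings for Allow statements granting sensitive actions."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {index}: NotAction allows everything not listed; "
                            "rewrite as an explicit Action list")
            continue
        patterns = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        unscoped = not resources or "*" in resources
        seen = set()
        for pattern in patterns:
            for action, why in SENSITIVE_ACTIONS.items():
                # IAM action wildcards use glob syntax, so fnmatch models them closely enough here.
                if action in seen or not fnmatch.fnmatchcase(action, pattern):
                    continue
                if action in SCOPABLE and not unscoped:
                    continue  # sending limited to a named identity ARN: acceptable
                seen.add(action)
                how = f"via wildcard '{pattern}'" if "*" in pattern else "explicitly"
                findings.append(f"statement {index}: grants {action} {how}: {why}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(audit_policy(policy))} finding(s)")
        for line in audit_policy(policy):
            print("  " + line)
```

The over-broad policy yields six findings (five SES actions reached through `ses:*` plus the STS token call); the scoped policy yields none, because sending is limited to a named identity and a fixed From address. Fed with the output of `aws iam get-policy-version` for each customer-managed policy, this is the kind of review measure 1 calls for, and the STS findings are the ones that matter most for the temporary-credential step of the attack chain.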
ProSec is a leader in IT security consulting and helps companies to set up their cloud environments securely and in compliance. Our approach is:
Cyberattacks on cloud environments are no longer just a technical problem. They are a serious threat to business models and company values. Let's work together to ensure that your company does not become the next headline of a cyberattack.