Cloud-Native Phishing Infrastructure via Abused AWS WorkMail (Campaign)
ID: f63c015c-71f8-5ce4-be6a-0447fa2139f1
STIX ID: report--f63c015c-71f8-5ce4-be6a-0447fa2139f1
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-01-27
Date Updated: 2026-05-01
Author: Wiz Threat Research
Threat actors abused exposed long-term AWS credentials to perform IAM reconnaissance, escalate privileges, and operationalize phishing. After SES sandbox limits hindered large-scale use, they sent emails from victim-owned AWS WorkMail instead. By leveraging WorkMail's lighter controls and Amazon's sender reputation, attackers can cheaply and stealthily send external phishing emails with minimal centralized telemetry. This creates detection blind spots and puts any organization with leaked credentials and permissive IAM policies at risk.
