Unexpected AWS API calls indicating SES discovery
Description
AlphaSOC detected AWS API calls associated with Simple Email Service (SES)
discovery, including `GetAccountSendingEnabled`,
`GetIdentityVerificationAttributes`, `GetSendQuota`, and `ListIdentities`. This
activity may indicate an adversary attempting to gather information about the
AWS SES configuration and capabilities, potentially as part of reconnaissance or
preparation for email-based attacks.
Impact
These actions can expose critical information about an organization’s email infrastructure. Threat actors may use this knowledge to exploit AWS SES for phishing campaigns, spam distribution, or other malicious activities, leading to reputational damage for the organization.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the specific IAM user or role that performed these actions and verify if they were made by authorized personnel or systems. If unauthorized, revoke any compromised credentials and conduct a thorough security assessment of the AWS environment for other signs of compromise.
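
The CloudTrail review and severity scoring described above can be sketched as follows. This is an added example, not AlphaSOC's detection logic: it filters records for the four SES discovery calls, attributes them to the calling principal, and counts unexpected properties against the severity table. The baseline, the prefix-to-ASN table, the principal ARN and all sample events are constructed, and treating four unexpected properties as Medium is an assumption.

```python
import ipaddress

# The four SES discovery calls named in the description.
SES_DISCOVERY = {"GetAccountSendingEnabled", "GetIdentityVerificationAttributes",
                 "GetSendQuota", "ListIdentities"}
# Severity by count of unexpected properties; the page's table stops at three,
# so mapping four to Medium is an assumption.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium", 4: "Medium"}

# Constructed prefix-to-ASN table (documentation ranges, private-use ASNs).
ASN_TABLE = {"192.0.2.0/24": 64512, "203.0.113.0/24": 64999}
SVC = "arn:aws:iam::111122223333:user/mailer-svc"  # constructed principal
# Constructed baseline: values previously seen for each principal (assumption).
BASELINE = {SVC: {"action": {"GetSendQuota"}, "asn": {64512},
                  "user_agent": {"aws-sdk-go/1.44.0"}, "region": {"us-east-1"}}}

def asn_for(source):
    """Map sourceIPAddress to an ASN; None for unknown IPs or AWS service names."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:  # e.g. "cloudformation.amazonaws.com"
        return None
    return next((asn for net, asn in ASN_TABLE.items()
                 if addr in ipaddress.ip_network(net)), None)

def triage(rec, baseline=BASELINE):
    """Return (principal, unexpected properties, severity), or None if out of scope."""
    if rec.get("eventSource") != "ses.amazonaws.com" or rec.get("eventName") not in SES_DISCOVERY:
        return None
    arn = rec.get("userIdentity", {}).get("arn", "unknown")
    seen = baseline.get(arn, {})
    observed = {"action": rec["eventName"], "asn": asn_for(rec.get("sourceIPAddress", "")),
                "user_agent": rec.get("userAgent"), "region": rec.get("awsRegion")}
    unexpected = sorted(k for k, v in observed.items() if v not in seen.get(k, set()))
    return arn, unexpected, SEVERITY.get(len(unexpected))

def make_record(name, ip, ua, region, source="ses.amazonaws.com", arn=SVC):
    """Build a constructed CloudTrail record with only the fields used here."""
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userAgent": ua, "awsRegion": region, "userIdentity": {"arn": arn}}

SAMPLE = [  # constructed events
    make_record("GetSendQuota", "192.0.2.10", "aws-sdk-go/1.44.0", "us-east-1"),
    make_record("GetSendQuota", "192.0.2.10", "aws-sdk-go/1.44.0", "eu-west-1"),
    make_record("ListIdentities", "203.0.113.5", "aws-cli/2.15.0", "us-east-1"),
    make_record("ListBuckets", "203.0.113.5", "aws-cli/2.15.0", "us-east-1", "s3.amazonaws.com"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(triage(r))
```

A severity of `None` means every property matched the principal's baseline, so the call would not be flagged.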