AWS SES service modified

ID: aws_ses_modified
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0040:T1496.004

Description

AlphaSOC detected modifications to the Amazon Simple Email Service (SES) configuration made with the VerifyEmailIdentity or UpdateAccountSendingEnabled actions. These actions add new email identities and enable or disable email sending. Threat actors may exploit these features to set up infrastructure for phishing campaigns or to send spam.

Impact

Unauthorized AWS SES modifications could enable threat actors to send phishing emails, spam, or malicious content using the organization's domain, damaging its reputation.

Severity

Severity | Condition
Informational | AWS SES service modified

Investigation and Remediation

Review AWS CloudTrail logs to identify the user or role responsible for the AWS SES modifications. Verify if the change was authorized and part of legitimate business processes. If unauthorized, revert the changes and revoke any compromised credentials.
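
One way to carry out the CloudTrail review described above, as an added example that is not AlphaSOC's own code: it filters a CloudTrail log file for the two SES actions and reports who made each call, from where, and with which credential. The records, account ID, ARNs, key IDs and request parameter names are constructed sample values.

```python
import json

# The two actions named in the detection description.
SES_ACTIONS = {"VerifyEmailIdentity", "UpdateAccountSendingEnabled"}

def _rec(time, name, identity, ip, params=None, error=None):
    """Build one constructed CloudTrail record (sample data, not real logs)."""
    rec = {"eventTime": time, "eventSource": "ses.amazonaws.com", "eventName": name,
           "userIdentity": identity, "sourceIPAddress": ip, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

ROLE = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
        "arn": "arn:aws:sts::111122223333:assumed-role/app-deploy/session-1",
        "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/app-deploy"}}}
USER = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001",
        "arn": "arn:aws:iam::111122223333:user/example-user"}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:05:00Z", "UpdateAccountSendingEnabled", ROLE, "203.0.113.10", {"enabled": True}),
    _rec("2024-01-01T10:00:00Z", "VerifyEmailIdentity", USER, "198.51.100.7", {"emailAddress": "sender@example.com"}),
    _rec("2024-01-01T10:02:00Z", "GetSendQuota", USER, "198.51.100.7"),  # read-only call, ignored
    _rec("2024-01-01T10:07:00Z", "VerifyEmailIdentity", USER, "198.51.100.7", error="AccessDenied"),
]})

def ses_modifications(log_text):
    """Return one finding per SES modification call, oldest first."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ses.amazonaws.com" or rec.get("eventName") not in SES_ACTIONS:
            continue
        ident = rec.get("userIdentity") or {}
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        findings.append({
            "time": rec.get("eventTime", ""),
            "action": rec["eventName"],
            # For assumed-role sessions, report the underlying IAM role.
            "actor": issuer.get("arn") or ident.get("arn") or ident.get("principalId", "unknown"),
            "access_key": ident.get("accessKeyId"),  # credential to revoke if unauthorized
            "source_ip": rec.get("sourceIPAddress"),
            "request": rec.get("requestParameters"),
            "succeeded": "errorCode" not in rec,  # a failed call changed nothing
        })
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for finding in ses_modifications(SAMPLE_LOG):
        print(json.dumps(finding))
```

Calls with `succeeded` set to false made no change to SES, but they still show which principal attempted one.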

Known False Positives

  • Planned changes to AWS SES configuration as part of application updates or migrations