AWS SES service modified
Description
AlphaSOC detected modifications to the Amazon Simple Email Service (SES) configuration using VerifyEmailIdentity or UpdateAccountSendingEnabled actions.
These actions are used to add new email identities and to enable or disable email sending capabilities. Threat actors may exploit these features to set up infrastructure for phishing campaigns or to send out spam emails.
Impact
Unauthorized AWS SES modifications could enable threat actors to send phishing emails, spam, or malicious content using the organization's domain, damaging its reputation.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS SES service modified |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role responsible for the AWS SES modifications. Verify if the change was authorized and part of legitimate business processes. If unauthorized, revert the changes and revoke any compromised credentials.
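The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's code: it groups the two SES actions by calling principal and marks denied attempts. The sample records are constructed, and the `requestParameters` field names in them are assumptions.

```python
import json
from collections import defaultdict

WATCHED = {"VerifyEmailIdentity", "UpdateAccountSendingEnabled"}

def _rec(time, name, arn, key, ip, params, error=None):
    """Build one constructed CloudTrail record (sample data, not real logs)."""
    rec = {"eventTime": time, "eventSource": "ses.amazonaws.com",
           "eventName": name, "userIdentity": {"arn": arn, "accessKeyId": key},
           "sourceIPAddress": ip, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample: account ID, ARNs, key IDs, IPs and addresses are placeholders.
USER = "arn:aws:iam::111122223333:user/deploy"
ROLE = "arn:aws:sts::111122223333:assumed-role/ops/session1"
SAMPLE = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "VerifyEmailIdentity", USER,
         "AKIAEXAMPLEKEY000001", "198.51.100.7", {"emailAddress": "a@example.com"}),
    _rec("2024-01-01T10:01:00Z", "VerifyEmailIdentity", USER,
         "AKIAEXAMPLEKEY000001", "198.51.100.7", {"emailAddress": "b@example.com"},
         error="AccessDenied"),
    _rec("2024-01-01T10:05:00Z", "UpdateAccountSendingEnabled", ROLE,
         "ASIAEXAMPLEKEY000002", "203.0.113.9", {"enabled": True}),
    _rec("2024-01-01T10:06:00Z", "GetSendQuota", USER,
         "AKIAEXAMPLEKEY000001", "198.51.100.7", None),  # read-only, ignored
]})

def ses_changes(cloudtrail_json):
    """Return watched SES configuration calls grouped by calling principal."""
    by_actor = defaultdict(list)
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED:
            continue
        ident = rec.get("userIdentity") or {}
        actor = ident.get("arn") or ident.get("principalId") or "unknown"
        by_actor[actor].append({
            "time": rec.get("eventTime"), "action": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"),
            "access_key": ident.get("accessKeyId"),
            "params": rec.get("requestParameters") or {},
            "succeeded": "errorCode" not in rec,  # denied calls still show intent
        })
    return dict(by_actor)

if __name__ == "__main__":
    print(json.dumps(ses_changes(SAMPLE), indent=2))
```

The access key ID and source IP in each entry identify which credential to revoke if the change turns out to be unauthorized.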
Known False Positives
- Planned changes to AWS SES configuration as part of application updates or migrations