Cloud Abuse At Scale
Fortinet, Friday, October 31st, 2025
Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments.
In AWS, this type of compromise frequently manifests through abuse of the Simple Email Service (SES), one of the most common tactics observed in real-world intrusions. SES offers adversaries a convenient and scalable way to conduct illicit email operations once they've obtained valid AWS access keys.
In recent activity, we identified a campaign in which adversaries used stolen credentials to target SES. As part of this campaign, we uncovered a large-scale attack infrastructure-dubbed TruffleNet-built around the open-source tool TruffleHog, which is used to systematically test compromised credentials and perform reconnaissance across AWS environments. Beyond credential testing, we also observed adversaries leveraging compromised cloud accounts to facilitate downstream Business Email Compromise (BEC) campaigns.