A Rapid7 investigation reveals that attackers bypass SES sandbox controls by pivoting to AWS WorkMail to run phishing and spam infrastructure from compromised victim environments. The incident begins with exposed credentials found via tools like TruffleHog, allowing attackers to hijack a victim’s infrastructure and push large campaigns.
Amazon SES places new accounts in a sandbox limited to 200 emails a day, but the attackers moved to WorkMail, which offers an alternative sending pathway with far fewer upfront restrictions, according to Rapid7. By provisioning mailboxes within the victim’s WorkMail environment and creating legitimate-looking domains such as ipad-service-london[.]com, the attackers could launch campaigns immediately while establishing sender reputation from inside the victim’s own AWS infrastructure.
The report notes that sending via WorkMail’s SMTP endpoint creates a significant CloudTrail blind spot, enabling stealthy activity. Rapid7 advises combining preventive guardrails with focused detection and, for organisations that do not use WorkMail, explicitly blocking it with SCPs. 30 January 2026.
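Because mail sent through WorkMail's SMTP endpoint leaves no CloudTrail record, a detection has to key on the control-plane calls that stand up the sending environment (organisation, domains, mailboxes), which are still logged. The Python below is an added example, not Rapid7's code: it scans constructed CloudTrail records for those calls; the `workmail.amazonaws.com` event source and the API names in `PROVISIONING_EVENTS` are assumed from the WorkMail API rather than taken from the report.

```python
# Constructed CloudTrail records (not real logs): a WorkMail organisation is
# created and a sender domain registered by one principal, next to benign noise.
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-20T03:11:02Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "CreateOrganization", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventTime": "2026-01-20T03:12:40Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "RegisterMailDomain", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"domainName": "support-example-lookalike.test"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventTime": "2026-01-20T03:15:09Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "ListOrganizations", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/SecurityAudit"}},
    {"eventTime": "2026-01-20T03:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/SecurityAudit"}},
]

# Assumed WorkMail API names that set up a sending environment (organisation,
# domains, mailboxes). Read-only calls such as ListOrganizations are excluded.
PROVISIONING_EVENTS = {
    "CreateOrganization", "RegisterMailDomain", "CreateUser",
    "RegisterToWorkMail", "CreateAlias",
}


def find_workmail_provisioning(events, workmail_in_use=False):
    """Return one finding per WorkMail control-plane call worth reviewing.
    If WorkMail is not used at all, every WorkMail call is surfaced (any such
    call is unexpected); otherwise only provisioning calls are surfaced."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "workmail.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        provisioning = name in PROVISIONING_EVENTS
        if not provisioning and workmail_in_use:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "eventName": name,
            "principal": ev.get("userIdentity", {}).get("arn"),
            "sourceIP": ev.get("sourceIPAddress"),
            "domain": ev.get("requestParameters", {}).get("domainName"),
            "severity": "high" if provisioning else "medium",
        })
    return findings
```

A burst of provisioning calls from a CI or service credential, as in the sample, is the pattern to escalate; for accounts that do not use WorkMail at all, the SCP deny is the preventive control and this check confirms nothing slipped through.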