TruffleNet BEC Campaign - AWS SES Credential Abuse
The TruffleNet BEC campaign weaponizes stolen AWS credentials to hijack Amazon Simple Email Service (SES) for large-scale business email compromise against the oil and gas sector. FortiGuard Labs uncovered an attack infrastructure spanning more than 800 unique hosts across 57 Class C networks, all coordinated to abuse SES once valid access keys are obtained.

The operation begins with TruffleHog, an open-source secret-scanning tool, which the attackers use to systematically validate compromised credentials harvested from exposed repositories, WordPress installations, and misconfigured cloud resources. A key is confirmed live with an sts:GetCallerIdentity call and confirmed to have SES access, along with its sending quota, with ses:GetSendQuota. The attackers then pivot to identity creation, reusing DKIM signing keys stolen from previously compromised domains: by invoking the CreateEmailIdentity API with those keys, they configure SES to send mail that appears to originate from legitimate companies and carries a valid DKIM signature for the impersonated domain, so it passes the authentication checks that would normally flag spoofed senders. The infrastructure shows consistent technical fingerprints, including specific port configurations and widespread Portainer container-management deployments, suggesting purpose-built attack tooling.

The campaign culminated in targeted invoice fraud against oil and gas companies: attackers impersonating ZoomInfo requested $50,000 ACH payments to typosquatted domains. FortiCNAPP detected the operation through composite behavioral analysis, correlating anomalous cloud connections, suspicious automation, and offensive-tool usage into high-confidence alerts that enabled rapid response.
CORTEX Protocol Intelligence Assessment
Business Impact: TruffleNet AWS SES BEC operations convert compromised cloud accounts into trusted-looking fraud channels, driving high-success invoice scams and reputational damage for affected brands.
Defensive Priority: Treat access keys and SES permissions as crown jewels, with strict least privilege, continuous monitoring, and anomaly detection around identity, email volumes, and DKIM usage.
Industry Implications: Cloud-native identity compromise blurs the line between traditional phishing and cloud misuse, demanding joint governance between security, IT, and finance teams.
Strategic Intelligence Guidance
- Audit AWS environments for unused or overly permissive IAM users and access keys, paying special attention to SES-related permissions and cross-account trust policies.
- Implement secret-scanning pipelines that detect exposed AWS keys in code, logs, and WordPress configurations before adversaries can feed them into tools like TruffleHog.
- Deploy behavior-based monitoring for SES that alerts on sudden spikes in send volume, on new email identities (CreateEmailIdentity events in CloudTrail), and on DKIM signing keys configured for unfamiliar domains, especially when preceded by GetCallerIdentity and GetSendQuota calls from an unknown source address.
- Coordinate with finance and accounts payable teams to verify vendor banking changes out-of-band and to flag high-value ACH requests referencing new domains or unusual senders.
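The validation chain described in the summary (GetCallerIdentity, GetSendQuota, then CreateEmailIdentity with a caller-supplied DKIM key) is also the sequence the monitoring bullet above should catch. The detector below is an added example, not FortiGuard or FortiCNAPP code: it reads CloudTrail management events, slides a one-hour window over each access key's activity and sums independent signals the way a composite behavioral alert does. The CloudTrail records are constructed by hand in the shape real management events take; the trusted egress prefix, the user-agent marker, the window, the weights and the threshold are all local assumptions.

```python
"""Composite detection of a TruffleNet-style SES abuse chain in CloudTrail.
Added example (not vendor code); records, prefixes, weights are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TRUSTED_SOURCE_PREFIXES = ("198.51.100.",)   # assumption: corporate NAT range
TOOL_MARKERS = ("trufflehog",)               # assumption: UA substrings worth +1
WINDOW = timedelta(minutes=60)               # signals must co-occur within this
ALERT_THRESHOLD = 4                          # composite score that pages someone
# Each API call in the observed chain is one stage; the weights are a local choice.
STAGE_WEIGHTS = {
    ("sts.amazonaws.com", "GetCallerIdentity"): ("credential validation", 1),
    ("ses.amazonaws.com", "GetSendQuota"): ("SES quota probe", 1),
    ("ses.amazonaws.com", "CreateEmailIdentity"): ("new sending identity", 2),
}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def score_window(events):
    """Score one run of records for a single access key. Every signal counts
    once however often it repeats, so a burst of GetSendQuota cannot inflate it."""
    findings = {}            # signal label -> weight
    identities, untrusted_ips = [], set()
    for ev in events:
        stage = STAGE_WEIGHTS.get((ev["eventSource"], ev["eventName"]))
        if stage:
            findings[stage[0]] = stage[1]
        if ev["eventName"] == "CreateEmailIdentity":
            params = ev.get("requestParameters") or {}
            identities.append(params.get("emailIdentity", "?"))
            if "dkimSigningAttributes" in params:
                # Caller supplied its own DKIM key (BYODKIM): the pattern seen
                # when keys stolen from another domain are imported into SES.
                findings["caller-supplied DKIM key"] = 1
        ip = ev.get("sourceIPAddress", "")
        if not ip.startswith(TRUSTED_SOURCE_PREFIXES):
            untrusted_ips.add(ip)
            findings["untrusted source IP"] = 1
        if any(m in ev.get("userAgent", "").lower() for m in TOOL_MARKERS):
            findings["offensive tooling user-agent"] = 1
    return sum(findings.values()), sorted(findings), identities, sorted(untrusted_ips)

def detect(records):
    """Group records by access key, slide WINDOW over each key's timeline and
    return one alert per key whose best window reaches ALERT_THRESHOLD."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["userIdentity"].get("accessKeyId", "unknown")].append(r)
    alerts = []
    for akid, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        best = None
        for i, start in enumerate(evs):
            t0 = parse_time(start["eventTime"])
            run = [e for e in evs[i:] if parse_time(e["eventTime"]) - t0 <= WINDOW]
            score, signals, identities, ips = score_window(run)
            if best is None or score > best["score"]:
                best = {"accessKeyId": akid, "score": score, "signals": signals,
                        "identities": identities, "source_ips": ips,
                        "first_seen": start["eventTime"]}
        if best and best["score"] >= ALERT_THRESHOLD:
            alerts.append(best)
    return alerts

def _rec(t, src, name, akid, ip, ua="aws-cli/2.15.0", params=None):
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": akid},
            "sourceIPAddress": ip, "userAgent": ua, "requestParameters": params}

# Constructed sample: three keys, only the first follows the full chain.
SAMPLE_RECORDS = [
    _rec("2025-11-04T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
         "AKIAEXAMPLE0000STOLN", "203.0.113.10", ua="TruffleHog"),
    _rec("2025-11-04T10:00:03Z", "ses.amazonaws.com", "GetSendQuota",
         "AKIAEXAMPLE0000STOLN", "203.0.113.10", ua="TruffleHog"),
    _rec("2025-11-04T10:06:41Z", "ses.amazonaws.com", "CreateEmailIdentity",
         "AKIAEXAMPLE0000STOLN", "203.0.113.10",
         params={"emailIdentity": "victim-supplier.example",
                 "dkimSigningAttributes": {"domainSigningSelector": "s1",
                                           "domainSigningPrivateKey": "HIDDEN"}}),
    # Routine quota check and send from the corporate range: benign.
    _rec("2025-11-04T09:00:00Z", "ses.amazonaws.com", "GetSendQuota",
         "AKIAEXAMPLE0000MONIT", "198.51.100.5", ua="aws-sdk-python/1.34.0"),
    _rec("2025-11-04T09:00:01Z", "ses.amazonaws.com", "SendEmail",
         "AKIAEXAMPLE0000MONIT", "198.51.100.5", ua="aws-sdk-python/1.34.0"),
    # Probe and an identity creation 2.5 h apart: each window scores below 4.
    _rec("2025-11-04T11:30:00Z", "sts.amazonaws.com", "GetCallerIdentity",
         "AKIAEXAMPLE0000PROBE", "203.0.113.77"),
    _rec("2025-11-04T14:00:00Z", "ses.amazonaws.com", "CreateEmailIdentity",
         "AKIAEXAMPLE0000PROBE", "203.0.113.77", params={"emailIdentity": "late.example"}),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_RECORDS), indent=2))
```

Only the first key alerts (score 7). The third key shows why the window matters: the same two calls scored together reach the threshold, but two and a half hours apart they stay below it, which is the trade-off to tune against your own attacker dwell times. In production the records would come from a CloudTrail Lake query or an S3 trail rather than an inline list, and the DKIM private key in requestParameters is expected to be redacted by CloudTrail; only its presence is used here.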
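The least-privilege point in the assessment and the first guidance bullet both come down to one question: which access keys can reach SES, and are any of them unused? The audit below is an added example, not Fortinet code. It expands IAM action wildcards (`*`, `ses:*`, `ses:Send*`), `Allow` + `NotAction` and explicit `Deny` statements against a list of SES actions that permit sending or registering identities, then pairs that with access-key last-use data. The user records are constructed stand-ins for what iam:ListAccessKeys, iam:GetAccessKeyLastUsed and the attached policy documents would return; the 90-day cutoff is a local assumption. Resource ARNs and Condition blocks are deliberately ignored, so the audit reports at the action level and may over-report, never under-report, an Allow.

```python
"""Audit IAM users for SES sending rights and stale access keys.
Added example (not vendor code); users and the cutoff are constructed/assumed."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Actions that let a key holder send mail or register sending identities.
SES_SENSITIVE_ACTIONS = (
    "ses:SendEmail", "ses:SendRawEmail", "ses:SendBulkEmail",
    "ses:CreateEmailIdentity", "ses:VerifyDomainIdentity",
    "ses:PutEmailIdentityDkimSigningAttributes",
)
STALE_AFTER = timedelta(days=90)   # assumption: unused-key cutoff

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _matches(action, patterns):
    # IAM matches action names case-insensitively with * and ? wildcards.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)

def granted_ses_actions(policy):
    """Sensitive SES actions a policy document allows, after expanding "*",
    "ses:*", "ses:Send*", Allow+NotAction and explicit Deny statements."""
    allowed, denied = set(), []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Deny":
            denied.extend(actions)
        elif stmt.get("Effect") == "Allow":
            if "NotAction" in stmt:   # everything except the listed actions
                excluded = _as_list(stmt["NotAction"])
                allowed.update(a for a in SES_SENSITIVE_ACTIONS if not _matches(a, excluded))
            else:
                allowed.update(a for a in SES_SENSITIVE_ACTIONS if _matches(a, actions))
    return sorted(a for a in allowed if not _matches(a, denied))

def audit_user(user, now):
    """Return (severity, finding) pairs for one user record of the form
    {"name", "policies": [docs], "access_keys": [{"id", "status", "last_used"}]}
    where last_used is an ISO-8601 timestamp or None (never used)."""
    ses = set()
    for pol in user["policies"]:
        ses.update(granted_ses_actions(pol))
    stale = []
    for k in user["access_keys"]:
        if k["status"] != "Active":
            continue
        lu = k.get("last_used")
        if lu is None or now - datetime.fromisoformat(lu) > STALE_AFTER:
            stale.append(k["id"])
    name = user["name"]
    if ses and stale:
        return [("high", f"{name}: SES rights {sorted(ses)} reachable via unused active key(s) {stale}")]
    if ses:
        return [("medium", f"{name}: SES rights {sorted(ses)}")]
    if stale:
        return [("low", f"{name}: unused active key(s) {stale}")]
    return []

def audit(users, now):
    return [f for u in users for f in audit_user(u, now)]

NOW = datetime(2025, 11, 4, tzinfo=timezone.utc)
SAMPLE_USERS = [  # constructed records, not from a real account
    {"name": "ci-deployer",
     "policies": [{"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}],
     "access_keys": [{"id": "AKIAEXAMPLE000000CI1", "status": "Active",
                      "last_used": "2025-03-20T08:00:00+00:00"}]},
    {"name": "newsletter-bot",
     "policies": [{"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                                  "Resource": "arn:aws:ses:us-east-1:111122223333:identity/news.example"}]}],
     "access_keys": [{"id": "AKIAEXAMPLE00000NEWS", "status": "Active",
                      "last_used": "2025-11-03T22:10:00+00:00"}]},
    {"name": "legacy-admin",
     "policies": [{"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
                                 {"Effect": "Deny", "Action": "ses:Send*", "Resource": "*"}]}],
     "access_keys": [{"id": "AKIAEXAMPLE0000LEGAC", "status": "Inactive", "last_used": None}]},
    {"name": "s3-reader",
     "policies": [{"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}],
     "access_keys": [{"id": "AKIAEXAMPLE000000S3R", "status": "Active", "last_used": None}]},
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_USERS, NOW):
        print(f"[{sev}] {msg}")
```

The `ci-deployer` case is the one TruffleNet depends on: a wildcard policy plus a key nobody has touched in months. `legacy-admin` shows why `NotAction` and `Deny` have to be expanded rather than grepping for the string `ses:`: the policy never mentions SES, yet it still grants CreateEmailIdentity and PutEmailIdentityDkimSigningAttributes. In a real run the policy documents and key metadata come from the IAM API, and the remediation is to deactivate stale keys and scope SES actions to the identities the workload actually sends from.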
Impact
Scale: 800+ attacking hosts across 57 Class C networks
Financial: $50,000 per fraudulent invoice attempt
Intelligence Source: TruffleNet BEC Campaign - AWS SES Credential Abuse | Nov 4, 2025