Affected Platforms: Amazon Web Services (AWS)
Impacted Users: Any organization
Impact: Stolen cloud credentials result in significant financial losses, data breaches of sensitive information, operational disruption, and reputational damage.
Severity Level: High

Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments. In AWS, this type of compromise frequently manifests through abuse of the Simple Email Service (SES), one of the most common tactics observed in real-world intrusions. SES offers adversaries a convenient and scalable way to conduct illicit email operations once they’ve obtained valid AWS access keys.

In recent activity, we identified a campaign in which adversaries used stolen credentials to target SES. As part of this campaign, we uncovered a large-scale attack infrastructure—dubbed TruffleNet—built around the open-source tool TruffleHog, which is used to systematically test compromised credentials and perform reconnaissance across AWS environments. Beyond credential testing, we also observed adversaries leveraging compromised cloud accounts to facilitate downstream Business Email Compromise (BEC) campaigns.

This blog outlines both components of the campaign and provides related indicators of compromise (IOCs).

Details on TruffleNet Attack Infrastructure

Recently, we observed the emergence of a new attack infrastructure known as TruffleNet. In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks. This infrastructure was characterized by the use of TruffleHog, a popular open-source secret-scanning tool, and by consistent configurations, including open ports and the presence of Portainer.

The initial TruffleNet connection typically consisted of a simple call to GetCallerIdentity, used to test whether credentials were valid. A separate component of the infrastructure leveraged the AWS CLI to query the GetSendQuota API for Amazon Simple Email Service (SES)—a call frequently seen at the outset of SES abuse.

Notably, the vast majority of TruffleNet IPs showed no bad reputation or antivirus detections. In most cloud-based attacks, source IP addresses are often linked to VPNs, TOR nodes, or other illicit activity. The absence of such associations suggests a dedicated infrastructure built for a specific purpose. Similarly, no follow-on actions or privilege escalations were attempted from these source hosts—only GetSendQuota and GetCallerIdentity calls were observed. This pattern implies a possible tiered infrastructure, with some nodes dedicated to reconnaissance and others reserved for later stages of the attack.

Figure 1: TruffleNet Reconnaissance Topology

Figure 2: TruffleNet ASNs and Ports

Details - Actions on Objectives

While it remains unclear whether the additional SES abuse was directly related, it was observed alongside TruffleNet reconnaissance activity. This abuse involved Business Email Compromise (BEC)—a targeted attack in which scammers impersonate trusted individuals, such as vendors, to commit financial fraud. In this instance, Amazon SES was exploited within the compromised environment to establish sending identities using DomainKeys Identified Mail (DKIM) from previously compromised WordPress sites.

Before carrying out the BEC campaign, the attackers conducted more aggressive cloud reconnaissance, followed by an attempted privilege escalation by creating a new identity. The escalation attempt failed, but one user account possessed sufficient privileges to interact with the SES service.

The following APIs were observed, listed in order of occurrence:

• ListIdentities (SES), T1087.003: Enumerates verified sending identities (domains or emails) to find targets to spoof or identify addresses used for high-volume sending.
• ListServiceQuotas (Service Quotas), T1526: Reveals service limits and quota settings that help attackers map boundaries and plan large-scale or stealthy abuse.
• UpdateLoginProfile (IAM), T1098: Enables an attacker with sufficient IAM privileges to change a user’s console password or sign-in configuration—locking out the legitimate owner or ensuring persistence.
• GetAccount (SESv2), T1525: Returns account-level configuration details such as sending status and region, which attackers can use to fine-tune their campaigns.
• CreateUser (IAM), T1136.003: Allows creation of new IAM users to establish persistent credentials that blend in as legitimate accounts.
• PutAccountDetails (SESv2), T1098: Modifies account contact or metadata to obscure malicious activity, redirect notifications, or change ownership indicators.
• GetSMSAttributes (SNS), T1087: Enumerates SMS configuration or sender IDs to identify potential phone-based vectors or confirm messaging capabilities.
• CreateEmailIdentity (SESv2), T1136.003: Creates or verifies an email identity to send legitimate-looking messages from trusted domains for phishing or spoofing campaigns.
• PutAccountVdmAttributes (SESv2), T1098: Alters delivery and authentication settings (VDM attributes) to improve spoofing success or evade filtering.
• PutAccountDedicatedIpWarmupAttributes (SESv2), T1098: Adjusts dedicated IP warm-up settings to optimize deliverability and reduce throttling or reputation issues.
• GetSendStatistics (SES), T1526: Retrieves send metrics, allowing attackers to measure campaign success and refine tactics while avoiding detection.

The following request parameter was observed for the CreateEmailIdentity API. In this case, the attacker assigned a compromised DKIM key from a WordPress site, allowing AWS SES to send emails on the attacker’s behalf:

{"dkimSigningAttributes":{"domainSigningAttributesOrigin":"AWS_SES_US_EAST_1",

"domainSigningPrivateKey":"HIDDEN_DUE_TO_SECURITY_REASONS"},"emailIdentity":"cfp-impactaction[.]com"}

Figure 4: Identity Compromise and BEC

A total of six email identities were created:

• Cndbenin[.]com
• cfp-impactaction[.]com
• jia[.]com[.]au
• major[.]co
• novainways[.]com
• restaurantalhes[.]com

Several of these domains share a hosting provider in France. While the attacker did not create them, they appear to have been compromised through exploitation of the same vulnerabilities. Some have also been linked to other malicious activity, including XMrig cryptojacking malware and the Coroxy trojan (also known as SystemBC).

Immediately following the attack, the domain cfp-impactaction.com was used in a “BEC vendor onboarding W-9 scam” targeting the oil and gas sector. Attackers sent an invoice purporting to be from ZoomInfo, requesting a $50,000 ACH payment. The attached W-9 contained a publicly available Employer ID number of the impersonated company to lend credibility. The email directed payment inquiries to a typosquatted address:

• zoominfopay[.]com

Conclusion — Defending Against Identity-Driven Cloud Threats

The TruffleNet campaign highlights how quickly threat actors are evolving their tactics to exploit cloud infrastructure at scale. By combining credential theft, reconnaissance automation, and SES abuse, adversaries can weaponize legitimate services to conduct high-volume fraud and Business Email Compromise with minimal detection. Continuous monitoring, least-privilege access, and behavioral analytics are essential to mitigating these risks. Fortinet’s integrated security platform—spanning FortiCNAPP, FortiGate, FortiMail, FortiEDR, and FortiGuard intelligence—provides the visibility and protection organizations need to defend against identity-driven cloud threats.

Fortinet Protections

FortiCNAPP provides comprehensive detection capabilities for the tactics described in this blog. Its composite alerting technology evaluates multiple aspects of cloud-based attacks, including:

• Anomalous cloud connections and suspicious automation activity
• Unusual user behavior and deviations from expected patterns
• Offensive tool usage, including TruffleHog and similar utilities
• SES abuse indicators

Composite alerting is highly effective at detecting identity compromise, which often evades traditional point-based detection. Because valid credentials appear legitimate, they can bypass standard monitoring when no clear indicators of compromise are present. This makes anomaly detection the last—and often most critical—line of defense. Composite alerts analyze both network and behavioral anomalies, generating high-confidence alerts for cloud attacks and identity misuse.

The example below shows an alert generated during this activity.

Figure 6: FortiCNAPP Composite Alert

Additional protections are provided through FortiGate, FortiMail, FortiClient, and FortiEDR, all of which leverage the FortiGuard AntiVirus engine. Customers with these products and up-to-date protections are safeguarded against the threats described.

FortiMail identifies the phishing email as “virus detected.” In addition, real-time anti-phishing protection powered by FortiSandbox, embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions, delivers advanced defense against both known and unknown phishing attempts.

The FortiGuard Content Disarm and Reconstruction (CDR) service, available through FortiGate and FortiMail, removes malicious macros from documents before they can execute.

Organizations are also encouraged to take advantage of Fortinet’s free NSE training module, FCF – Fortinet Certified Fundamentals, which helps users recognize and defend against phishing and other social engineering attacks.

Finally, the FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks attacks by aggregating malicious source IP data from Fortinet’s distributed network of global sensors, CERTs, MITRE, cooperative partners, and other trusted sources. This continuous intelligence enables up-to-date protection against hostile actors.

If you believe this or any other cybersecurity threat has impacted your organization, please contact the FortiGuard Incident Response Team for immediate assistance.

Indicators of Compromise

As part of this investigation, FortiGuard Labs is publishing a set of indicators to help defenders identify related activity. These include IP addresses linked with the credential testing infrastructure, as well as domains observed in Business Email Compromise (BEC) activity. Security teams should monitor their AWS environments for any matching behavior or API usage.

TruffleNet IOCs

More than 800 source IPs were observed in TruffleNet activity. For a complete list, refer to the associated VirusTotal collection. The following user agents were observed [note that the AWS CLI variants are not unique to TruffleNet].

TruffleHog

• aws-cli/1.42.4 md/Botocore#1.40.4 ua/2.1 os/linux#5.15.0-151-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython m/b,D,Z cfg/retry-mode#legacy botocore/1.40.4
• aws-cli/1.42.4 md/Botocore#1.40.4 ua/2.1 os/linux#5.15.0-151-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython m/Z,D,b cfg/retry-mode#legacy botocore/1.40.4
• aws-cli/1.42.4 md/Botocore#1.40.4 ua/2.1 os/linux#5.15.0-151-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython m/D,b,Z cfg/retry-mode#legacy botocore/1.40.4
• aws-cli/1.42.4 md/Botocore#1.40.4 ua/2.1 os/linux#5.15.0-151-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython m/Z,b,D cfg/retry-mode#legacy botocore/1.40.4
• aws-cli/1.42.4 md/Botocore#1.40.4 ua/2.1 os/linux#5.15.0-151-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython m/D,Z,b cfg/retry-mode#legacy botocore/1.40.4
• aws-cli/1.42.4 md/Botocore#1.40.4 ua/2.1 os/linux#5.15.0-151-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython m/b,Z,D cfg/retry-mode#legacy botocore/1.40.4

BEC IOCs

The following are observed source IPs for the BEC activity. Both IP addresses appear to be MikroTik RouterOS devices and are likely compromised by the attackers

• 175[.]103[.]36[.]74
• 43[.]252[.]9[.]253

The following compromised domains were used to create email identities.

• cdnbenin[.]com
• cfp-impactaction[.]com
• jia[.]com[].au
• majoor[.]co
• novainways[.]com
• restaurantalhes[.]com

User Agents Observed in BEC Compromise:

API-Level Indicators

APIs can also serve as lower-confidence indicators of compromise, revealing attacker tactics, techniques, and procedures (TTPs). Certain combinations of calls are strongly correlated with SES abuse.

For example, calling PutAccountVdmAttributes and PutAccountDedicatedIpWarmupAttributes shortly after GetAccount, GetSendQuota, and ListIdentities, and immediately before or after CreateEmailIdentity, is often a reliable signal of SES abuse.

• PutAccountVdmAttributes provides attackers with insight into inbox placement and delivery diagnostics, enabling them to tune campaigns for higher success rates.
• PutAccountDedicatedIpWarmupAttributes provides visibility into dedicated IP usage and allows attackers to manipulate warm-up settings—either to build a reputation for sustained campaigns or disable limits for rapid, short-term spam bursts.