Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Amazon SES

Amazon SES
Amazon SES icon

Out-of-the-Box Security For Amazon SES Includes:

Alerts - 4

Stay on top of Amazon SES key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Modification Attempts Made on SES

This alert triggers when Amazon Simple Email Service (SES) has been modified. Impact SES is a popular target for attackers as it can be abused to send out phishing and spam campaigns at massive rates and from a trusted sender (Amazon). An attacker could modify the AWS Simple Email Service to propagate large-scale phishing email campaigns. Mitigation Determine if the API calls should have been made by the user. If the user is unaware of the call made, investigate further for any malicious activities. MITRE Tactic: TA0040 MITRE Technique: T1496

Building Block - Enumeration Attempts Seen by Previously Unseen User

This alert triggers when the Amazon Simple Email Service (SES) is enumerated by a previously unseen user to get the service quota, identity information, etc. by a user. Impact SES is a popular target for attackers as it can be abused to send out phishing and spam campaigns at massive rates and from a trusted sender (Amazon). Threat actors make 'getservicequota', 'listservicequota', 'listidentities', and 'GetAccountSendingEnabled' calls to get an idea of if the compromised account is capable of sending messages and if yes, how many emails can be sent at once and which emails and domains are registered to send emails. Mitigation Determine if the API calls should have been made by the user. If the user is unaware of the call made, investigate further for any malicious activities. MITRE Tactic: TA0007 MITRE Technique: T1526

Flow Alert - Possible Exploitation of SES Service

This flow alert triggers when after enumerating SES capabilities a user requests for increase in the email sending quota. Impact SES is a popular target for attackers as it can be abused to send out phishing and spam campaigns at massive rates and from a trusted sender (Amazon). Threat actors first enumerate the email sending quota and the associated identity and then based on the available quota may request to increase it so that they can send more spam. Mitigation Determine if the API calls should have been made by the user. If the user is unaware of the call made, investigate further for any malicious activities. MITRE Tactic: TA0001 MITRE Technique: T1566

Building Block - Service Quota Increase Requested

This alert triggers when an increase in Simple Email Service (SES) sending limits is requested. Impact SES is a popular target for attackers as it can be abused to send out phishing and spam campaigns at massive rates and from a trusted sender (Amazon). Threat actors request to increase in Simple Email Service (SES) sending limits so that they can send more spam. Mitigation Determine if the API call should have been made by the user. If the user is unaware of the call made, investigate further for any malicious activities. MITRE Tactic: TA0001 MITRE Technique: T1566

Documentation

Learn more about Coralogix's out-of-the-box integration with Amazon SES in our documentation.

Read More
Schedule Demo