JavaGhost’s persistent phishing attacks from the cloud

Intel Name: JavaGhost’s persistent phishing attacks from the cloud

Date of Scan: March 3, 2025

Impact: High

Summary:
The attack exploited overly permissive IAM permissions to abuse the victim’s Amazon SES and WorkMail services for sending phishing messages. By operating inside other organizations’ AWS environments, JavaGhost avoids paying for the resources it creates. Because the threat actor uses the victim’s preexisting SES infrastructure, its phishing emails can bypass security protections: they appear to come from a legitimate source that the target organization has previously interacted with.
