Amazon SES modification attempt

Goal

Detect when the Amazon Simple Email Service (SES) has been modified. An attacker could modify the AWS Simple Email Service to propagate large scale phishing email campaigns.

Strategy

Monitor CloudTrail and detect when the Amazon SES has been modified with one of the following API calls:

Triage and response

  1. Determine if the API call: {{@evt.name}} should have been made by the user: {{@userIdentity.arn}} from this IP address : {{@network.client.ip}} .
  2. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If it shouldn’t have been made:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and an investigation.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
  • 1 May 2024 - Updated queries because coverage existed in other OOTB detection rules.