• Vulnerable U
  • Posts
  • JavaGhost Phishing Campaigns Exploit AWS Misconfigurations to Send Emails from Trusted Domains

JavaGhost Phishing Campaigns Exploit AWS Misconfigurations to Send Emails from Trusted Domains

A sophisticated phishing campaign is exploiting AWS misconfigurations to send emails from trusted domains using Amazon SES and WorkMail. Learn how attackers gain access, evade detection, and persist in compromised AWS environments.

Author

Newsroom
March 06, 2025

Security researchers have uncovered new details about the persistent phishing operations of JavaGhost, a threat actor group that has been actively targeting cloud environments for over five years.

Initially known for website defacements, JavaGhost has evolved into a sophisticated cloud-based phishing operation, leveraging compromised AWS accounts to send phishing emails using Amazon Simple Email Service (SES) and WorkMail.

How JavaGhost Gains Initial Access

JavaGhost exploits misconfigured AWS Identity and Access Management (IAM) policies, allowing them to:

  • Obtain AWS credentials (long-term access keys)

  • Send phishing emails from compromised SES and WorkMail accounts

  • Evade detection by avoiding common AWS API calls

These attacks are not due to AWS vulnerabilities but instead rely on exposed long-term access keys that JavaGhost obtains through various sources, such as misconfigured cloud storage, exposed GitHub repositories, and leaked credentials.

Once they have valid AWS credentials, JavaGhost follows a stealthy approach to evade detection.

Advanced Evasion Techniques

Unlike many cloud attackers who immediately call GetCallerIdentity to confirm access, JavaGhost avoids this common API call to bypass security monitoring. Instead, they use less obvious enumeration techniques such as:

  • GetServiceQuota – Returns AWS service limits, confirming which services are available.

  • GetSendQuota – Checks how many SES emails the compromised account can send.

  • GetAccount – Retrieves email-sending status to determine if SES is active.

By using these alternative API calls, JavaGhost avoids triggering common AWS security alerts that monitor for compromised access keys.

Generating AWS Console Logins for Evasion

To further hide their presence, JavaGhost creates temporary credentials and login URLs instead of using long-term access keys directly. This process involves:

  1. Using GetFederationToken – Generates short-term AWS credentials.

  2. Encoding the URL for AWS login – Ensures seamless access.

  3. Calling GetSigninToken – Creates a valid console access URL.

This allows JavaGhost to log into AWS without using a long-term access key, making it much harder for defenders to detect their presence.

JavaGhost's Phishing Infrastructure in AWS

Once inside an AWS account, JavaGhost builds its phishing infrastructure by abusing SES and WorkMail, allowing them to send phishing emails from legitimate, trusted domains.

Setting Up Phishing Infrastructure

JavaGhost creates SES email identities and domains to send emails from legitimate AWS accounts, bypassing traditional security controls. Their process includes:

  • Registering SES email identities and configuring DKIM settings.

  • Using the Mail-From attribute to disguise phishing emails.

  • Modifying SES Virtual Delivery Manager (VDM) settings for better email delivery.

  • Creating SMTP credentials – Often using default usernames like "ses-smtp-user".

This setup allows JavaGhost phishing emails to appear legitimate, significantly increasing the success rate of their campaigns.

Leveraging WorkMail for Phishing

In addition to SES, JavaGhost abuses AWS WorkMail to establish a trusted email-sending infrastructure. They do this by:

  • Creating WorkMail Organizations within compromised AWS accounts.

  • Registering multiple fake WorkMail users for phishing operations.

  • Generating IAM credentials for SMTP email sending.

Since WorkMail is a legitimate business email platform, phishing emails sent through this method appear even more credible to targets.

Persistence and Lateral Movement

To maintain long-term access, JavaGhost creates multiple IAM users and roles with AdministratorAccess. These accounts act as persistent backdoors, allowing the attackers to regain access even if initial credentials are revoked.

IAM Backdoor Techniques

JavaGhost ensures persistence by:

  1. Creating new IAM users – Often with generic names to blend into legitimate environments.

  2. Attaching the AdministratorAccess policy – Giving them full control over the AWS account.

  3. Using IAM roles with trust policies – Allowing external attacker-controlled AWS accounts to assume these roles, making them harder to detect.

Leaving a Calling Card

In many cases, JavaGhost creates EC2 security groups named:

"Java_Ghost"

With the description:

"We Are There But Not Visible"

This matches their historic JavaGhost website slogan, acting as a calling card left inside compromised AWS accounts.

JavaGhost’s Unique Attack Techniques

In addition to stealing AWS credentials and sending phishing emails, JavaGhost has been observed:

  • Leaving AWS Organizations – Removes restrictive security controls imposed by an AWS organization (CloudTrail event: LeaveOrganization).

  • Enabling All AWS Regions – Activates AWS regions that are disabled by default to evade detection (CloudTrail event: EnableRegion).

These actions allow JavaGhost to expand their attack surface, making detection and response more challenging.

How to Detect and Mitigate JavaGhost Attacks

While JavaGhost’s tactics are advanced, their activity leaves a clear footprint in AWS CloudTrail logs.

Indicators of Compromise (IoCs) in AWS CloudTrail

Defenders should monitor AWS logs for suspicious IAM actions, SES usage, and WorkMail activity. Some key indicators include:

Suspicious IAM Activity

  • IAM User CreationCreateUser events with AdministratorAccess attached.

  • IAM Role CreationCreateRole with trust policies allowing access from external AWS accounts.

  • Federation Token AbuseGetFederationToken and GetSigninToken calls.

SES & WorkMail Abuse

  • Creation of SES Email IdentitiesCreateEmailIdentity events.

  • SMTP User CreationCreateUser events with "ses-smtp-user" prefixes.

  • WorkMail User RegistrationRegisterToWorkMail logs.

Other Malicious Actions

  • EC2 Security Groups Named "Java_Ghost"

  • LeaveOrganization events (attempts to remove an AWS account from an organization).

  • EnableRegion events (indicating activation of AWS regions that are disabled by default).

Defensive Recommendations

Organizations using AWS should proactively secure their environments by implementing the following best practices:

  • Rotate IAM credentials regularly – Reduce the risk of long-term key exposure

  • Enable multi-factor authentication (MFA) – Protect IAM users and API access

  • Use short-term access tokens – Minimize risk by avoiding long-term credentials

  • Monitor AWS CloudTrail logs – Look for unusual IAM, SES, and WorkMail activity

  • Enforce least privilege IAM policies – Limit user and service permissions to only what is necessary.

Conclusion

JavaGhost has evolved from a website defacement group into a sophisticated cloud-based phishing operation. By leveraging compromised AWS environments, the group bypasses traditional email security measures, making their attacks more effective and harder to detect.

However, all of JavaGhost's activities generate CloudTrail logs, providing defenders with a clear path for detecting and mitigating these attacks.

Organizations must strengthen their AWS security posture to prevent attackers like JavaGhost from exploiting misconfigurations and weak IAM policies. Proactive monitoring, proper IAM hygiene, and strong authentication measures are essential to keeping cloud environments secure.