Threat Actors Using AWS WorkMail in Phishing Campaigns by Jan Blazek

Attackers with compromised AWS credentials quickly ran into the SES sandbox buzzkill (200 emails/day) and pivoted to WorkMail instead, which allows sending to far more external recipients with no sandbox restrictions. They registered phishing domains, verified them via SES, spun up WorkMail mailboxes, and sent campaigns that rode Amazon’s sender reputation. Bonus points: emails sent via SMTP don’t generate CloudTrail events, even with SES data events enabled, creating a nice little visibility blind spot for defenders.

Bringing OSS runtime security to AWS: Falco integration with AWS Security Hub CSPM by Dan Belmonte

The folks at Sysdig published a one-click AWS Marketplace solution that deploys the Cloud Native Computing Foundation (CNCF)-graduated Falco runtime security tool to EKS clusters and pipes eBPF-based detections into Security Hub CSPM via CloudWatch and Lambda. It's a corporate blog, so there’s a bit of self-promotion (Falco was originally a Sysdig project), but the integration itself is open source and the MITRE ATT&CK-aligned ruleset for catching shell spawns, privilege escalation, suspicious file access, and unusual network activity in containers is genuinely useful.

Aren't AWS Cloud Investigations the same as On-Prem? - Part 2 (AWS S3) by Chester Le Bron

I like Chester's posts because he always writes from his own experience. S3’s flat namespace, globally unique bucket names, and multi-tier logging model (CloudTrail management events, optional CloudTrail data events at cost, and best-effort server access logs) make investigations a different beast from on-prem NAS forensics. The post walks through how compromised credentials can skip a traditional “login” step, why exfiltration via S3 can slip past conventional data loss prevention (DLP), and how detecting anomalous GetObject calls at scale is both expensive and noisy unless logging and bucket policies are deliberately configured up front.