T1496.004

Cloud Service Hijacking

Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, impacting hosted service availability and incurring significant financial costs for victims. Primary attack vectors include: (1) Email/SMS spam campaigns abusing AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio to send bulk phishing or spam messages using the victim's service quotas and sending reputation; (2) LLMJacking, where adversaries use stolen cloud credentials to proxy AI model inference requests (AWS Bedrock, Azure OpenAI) through reverse proxies, effectively monetizing access to expensive LLM compute while billing the victim; (3) Enabling previously inactive cloud SaaS services and immediately exploiting them at scale. Threat actor DangerDev (documented by Invictus IR) abused AWS SES for large-scale phishing campaigns, SNS Sender toolkits (documented by SentinelOne) enable SMS pumping at scale, and LLMJacking campaigns (documented by Sysdig and Lacework) demonstrate adversaries reselling stolen LLM API access.

Microsoft Sentinel / Defender

kusto

let LookbackPeriod = 24h;
let SESHighVolumeThreshold = 100;
let SNSHighVolumeThreshold = 200;
let LLMHighVolumeThreshold = 50;
let SESSpamOps = dynamic(["SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail"]);
let SNSSpamOps = dynamic(["Publish", "PublishBatch"]);
let LLMOps = dynamic(["InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent"]);
// Branch 1: High-volume SES email sending (spam or phishing campaigns)
let SESAbuse = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource =~ "ses.amazonaws.com"
| where EventName in (SESSpamOps)
| where isempty(ErrorCode)
| summarize EventCount = count(),
            UniqueIPs = dcount(SourceIPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by bin(TimeGenerated, 1h), UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion
| where EventCount > SESHighVolumeThreshold
| extend ServiceAbused = "AWS SES",
         AttackPattern = "High-Volume Email Sending — Possible Spam or Phishing Campaign",
         RiskLevel = "High";
// Branch 2: High-volume SNS publishing (SMS spam or pumping)
let SNSAbuse = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource =~ "sns.amazonaws.com"
| where EventName in (SNSSpamOps)
| where isempty(ErrorCode)
| summarize EventCount = count(),
            UniqueIPs = dcount(SourceIPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by bin(TimeGenerated, 1h), UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion
| where EventCount > SNSHighVolumeThreshold
| extend ServiceAbused = "AWS SNS",
         AttackPattern = "High-Volume SMS Publishing — Possible SMS Pumping",
         RiskLevel = "High";
// Branch 3: LLMJacking — high-frequency AI model invocations from Bedrock
let LLMJacking = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource =~ "bedrock.amazonaws.com"
| where EventName in (LLMOps)
| where isempty(ErrorCode)
| summarize EventCount = count(),
            UniqueIPs = dcount(SourceIPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by bin(TimeGenerated, 1h), UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion
| where EventCount > LLMHighVolumeThreshold
| extend ServiceAbused = "AWS Bedrock",
         AttackPattern = "High-Frequency LLM Invocation — Possible LLMJacking",
         RiskLevel = "High";
// Branch 4: Service enablement immediately followed by high-volume usage (DangerDev pattern)
let ServiceEnablement = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventName in ("CreateEmailIdentity", "VerifyEmailIdentity", "PutIdentityPolicy",
                      "SetSMSAttributes", "CreateTopic",
                      "PutFoundationModelEntitlement", "CreateFoundationModelAgreement",
                      "PutModelInvocationLoggingConfiguration")
| where isempty(ErrorCode)
| project EnableTime = TimeGenerated, UserIdentityArn, EnableEvent = EventName, SourceIPAddress, AWSRegion;
let ServiceUsage = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource in ("ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com")
| where EventName in ("SendEmail", "SendRawEmail", "Publish", "PublishBatch", "InvokeModel", "InvokeModelWithResponseStream")
| where isempty(ErrorCode)
| summarize UsageCount = count(), FirstUsage = min(TimeGenerated)
            by UserIdentityArn, UsageEvent = EventName;
let EnableThenAbuse = ServiceEnablement
| join kind=inner ServiceUsage on UserIdentityArn
| where FirstUsage > EnableTime and FirstUsage < (EnableTime + 6h)
| where UsageCount > 10
| extend ServiceAbused = "Multiple SaaS Services",
         AttackPattern = strcat("Service Enabled Then Immediately Abused: ", EnableEvent, " -> ", UsageEvent),
         RiskLevel = "Critical";
// Union all detection branches
SESAbuse
| union SNSAbuse
| union LLMJacking
| union (
    EnableThenAbuse
    | project TimeGenerated = EnableTime, ServiceAbused, AttackPattern, RiskLevel,
              EventCount = UsageCount, UserIdentityArn, UserIdentityType = "",
              SourceIPAddress, AWSRegion, UniqueIPs = 1,
              FirstSeen = EnableTime, LastSeen = FirstUsage
  )
| project TimeGenerated, ServiceAbused, AttackPattern, RiskLevel, EventCount,
          UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion,
          UniqueIPs, FirstSeen, LastSeen
| sort by EventCount desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Enumeration Cloud Service: Cloud Service Modification Application Log: Application Log Content AWS CloudTrail

Required Tables

AWSCloudTrail

False Positives

Legitimate email marketing campaigns using AWS SES with high send volumes for newsletters, product launches, or promotional blasts — verify against scheduled marketing activities in change management systems
Application notification services sending high volumes of transactional emails via SES for password resets, order confirmations, or system alerts during peak traffic periods
Legitimate ML/AI production workloads running batch inference via AWS Bedrock for model evaluation pipelines, A/B testing, or high-throughput production inference services
DevOps or QA environments running load tests against SES/SNS messaging endpoints that generate artificially high send volumes
Automated CI/CD pipelines executing integration tests that exercise SES/SNS endpoints as part of end-to-end test suites

Splunk

spl

index=aws sourcetype="aws:cloudtrail"
(eventSource="ses.amazonaws.com" OR eventSource="sns.amazonaws.com" OR eventSource="bedrock.amazonaws.com")
(eventName="SendEmail" OR eventName="SendRawEmail" OR eventName="SendBulkTemplatedEmail" OR eventName="SendBulkEmail"
 OR eventName="Publish" OR eventName="PublishBatch"
 OR eventName="InvokeModel" OR eventName="InvokeModelWithResponseStream" OR eventName="CreateModelInvocationJob")
NOT errorCode=*
| eval ServiceAbused=case(
    eventSource="ses.amazonaws.com", "AWS SES",
    eventSource="sns.amazonaws.com", "AWS SNS",
    eventSource="bedrock.amazonaws.com", "AWS Bedrock",
    true(), "Unknown"
  )
| eval AttackCategory=case(
    ServiceAbused="AWS SES", "Email Spam or Phishing Campaign",
    ServiceAbused="AWS SNS", "SMS Pumping or Bulk Spam",
    ServiceAbused="AWS Bedrock", "LLM Resource Hijacking (LLMJacking)",
    true(), "SaaS Service Abuse"
  )
| eval CallerARN=coalesce('userIdentity.arn', 'userIdentity.principalId', "unknown")
| eval CallerType=coalesce('userIdentity.type', "unknown")
| bin _time span=1h
| stats count as EventCount,
        dc(sourceIPAddress) as UniqueIPs,
        values(sourceIPAddress) as SourceIPs,
        earliest(_time) as FirstEvent,
        latest(_time) as LastEvent
        by _time, ServiceAbused, AttackCategory, CallerARN, CallerType, awsRegion
| eval Threshold=case(
    ServiceAbused="AWS SES", 100,
    ServiceAbused="AWS SNS", 200,
    ServiceAbused="AWS Bedrock", 50,
    true(), 50
  )
| where EventCount > Threshold
| eval SuspicionScore=case(
    EventCount > Threshold * 10, 3,
    EventCount > Threshold * 3, 2,
    true(), 1
  )
| eval SuspicionScore=SuspicionScore + if(UniqueIPs > 3, 1, 0)
| eval SuspicionScore=SuspicionScore + if(CallerType="AssumedRole", 1, 0)
| eval SuspicionScore=SuspicionScore + if(match(CallerARN, "(temp|tmp|test|anon|random)"), 1, 0)
| sort - SuspicionScore, - EventCount
| table _time, ServiceAbused, AttackCategory, EventCount, Threshold, SuspicionScore,
         CallerARN, CallerType, UniqueIPs, SourceIPs, awsRegion, FirstEvent, LastEvent

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Application Log: Application Log Content AWS CloudTrail

Required Sourcetypes

aws:cloudtrail

False Positives

Legitimate email marketing platforms using AWS SES with high send volumes for newsletters or product launch campaigns
Application notification services with high transactional email volumes (password resets, order confirmations) during peak traffic hours
Production ML/AI workloads running high-throughput batch inference via AWS Bedrock in authorized production pipelines
DevOps load testing environments generating artificially high messaging volumes against SES/SNS endpoints
Automated CI/CD integration tests that exercise SES/SNS APIs as part of end-to-end test suites

Elastic Security (EQL)

eql

// Branch A: Service enablement immediately followed by high-volume abuse (DangerDev pattern)
sequence by aws.cloudtrail.user_identity.arn with maxspan=6h
  [any where event.dataset == "aws.cloudtrail"
   and event.action in (
     "CreateEmailIdentity", "VerifyEmailIdentity", "PutIdentityPolicy",
     "SetSMSAttributes", "CreateTopic",
     "PutFoundationModelEntitlement", "CreateFoundationModelAgreement",
     "PutModelInvocationLoggingConfiguration"
   )
   and (aws.cloudtrail.error_code == null or aws.cloudtrail.error_code == "")]
  [any where event.dataset == "aws.cloudtrail"
   and event.provider in ("ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com")
   and event.action in (
     "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail",
     "Publish", "PublishBatch",
     "InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob"
   )
   and (aws.cloudtrail.error_code == null or aws.cloudtrail.error_code == "")] with runs=10

// Branch B: High-frequency SES abuse threshold (deploy as separate Elastic threshold rule: >100 matches/1h by aws.cloudtrail.user_identity.arn)
any where event.dataset == "aws.cloudtrail"
  and event.provider == "ses.amazonaws.com"
  and event.action in ("SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail")
  and (aws.cloudtrail.error_code == null or aws.cloudtrail.error_code == "")

// Branch C: High-frequency SNS abuse threshold (deploy as separate Elastic threshold rule: >200 matches/1h by aws.cloudtrail.user_identity.arn)
any where event.dataset == "aws.cloudtrail"
  and event.provider == "sns.amazonaws.com"
  and event.action in ("Publish", "PublishBatch")
  and (aws.cloudtrail.error_code == null or aws.cloudtrail.error_code == "")

// Branch D: LLMJacking threshold (deploy as separate Elastic threshold rule: >50 matches/1h by aws.cloudtrail.user_identity.arn)
any where event.dataset == "aws.cloudtrail"
  and event.provider == "bedrock.amazonaws.com"
  and event.action in ("InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent")
  and (aws.cloudtrail.error_code == null or aws.cloudtrail.error_code == "")

high severity high confidence

Data Sources

AWS CloudTrail

Required Tables

logs-aws.cloudtrail-*

False Positives

Marketing automation platforms executing scheduled bulk email sends via SES for newsletters or promotional campaigns — validate against known marketing IAM roles and expected send windows
CI/CD pipelines that provision cloud services and immediately run integration tests, triggering the service enablement + use sequence — baseline known pipeline ARNs and exclude them
Data science teams running large-scale batch inference jobs on Bedrock for model evaluation or production batch scoring pipelines — correlate against change tickets and engineering schedules

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:00:00') AS TimeBucket,
  "EventSource" AS ServiceAbused,
  CASE
    WHEN "EventSource" = 'ses.amazonaws.com' THEN 'Email Spam or Phishing Campaign'
    WHEN "EventSource" = 'sns.amazonaws.com' THEN 'SMS Pumping or Bulk Spam'
    WHEN "EventSource" = 'bedrock.amazonaws.com' THEN 'LLM Resource Hijacking (LLMJacking)'
    ELSE 'SaaS Service Abuse'
  END AS AttackCategory,
  "UserIdentityArn" AS CallerARN,
  "UserIdentityType" AS CallerType,
  sourceip AS SourceIP,
  "AWSRegion",
  COUNT(*) AS EventCount,
  UNIQUECOUNT(sourceip) AS UniqueSourceIPs,
  CASE
    WHEN "EventSource" = 'ses.amazonaws.com' THEN 100
    WHEN "EventSource" = 'sns.amazonaws.com' THEN 200
    WHEN "EventSource" = 'bedrock.amazonaws.com' THEN 50
    ELSE 50
  END AS ServiceThreshold,
  CASE
    WHEN COUNT(*) > (CASE WHEN "EventSource" = 'ses.amazonaws.com' THEN 1000 WHEN "EventSource" = 'sns.amazonaws.com' THEN 2000 ELSE 500 END) THEN 3
    WHEN COUNT(*) > (CASE WHEN "EventSource" = 'ses.amazonaws.com' THEN 300 WHEN "EventSource" = 'sns.amazonaws.com' THEN 600 ELSE 150 END) THEN 2
    ELSE 1
  END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Amazon AWS CloudTrail'
  AND starttime > NOW() - 86400000
  AND "EventSource" IN ('ses.amazonaws.com', 'sns.amazonaws.com', 'bedrock.amazonaws.com')
  AND "EventName" IN (
    'SendEmail', 'SendRawEmail', 'SendBulkTemplatedEmail', 'SendBulkEmail', 'SendTemplatedEmail',
    'Publish', 'PublishBatch',
    'InvokeModel', 'InvokeModelWithResponseStream', 'CreateModelInvocationJob', 'InvokeAgent'
  )
  AND ("ErrorCode" IS NULL OR "ErrorCode" = '')
GROUP BY
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:00:00'),
  "EventSource",
  "UserIdentityArn",
  "UserIdentityType",
  sourceip,
  "AWSRegion"
HAVING
  ("EventSource" = 'ses.amazonaws.com' AND COUNT(*) > 100) OR
  ("EventSource" = 'sns.amazonaws.com' AND COUNT(*) > 200) OR
  ("EventSource" = 'bedrock.amazonaws.com' AND COUNT(*) > 50)
ORDER BY SuspicionScore DESC, EventCount DESC
LAST 1 DAYS

high severity high confidence

Data Sources

AWS CloudTrail

Required Tables

events (LOGSOURCETYPENAME = 'Amazon AWS CloudTrail')

False Positives

High-volume transactional email systems (order confirmations, password resets) sending through SES can exceed 100/hr during peak traffic — create a QRadar reference set of known legitimate SES IAM ARNs and add an exclusion
SNS-based OTP or push notification systems for mobile apps generating burst traffic during marketing campaigns or user onboarding waves — correlate with application deployment events
Automated ML training pipelines invoking Bedrock for hyperparameter tuning or A/B test evaluation — these run as scheduled AssumedRole sessions and can be allowlisted by role ARN pattern

Sumo Logic CSE

sql

_sourceCategory=*cloudtrail*
| json "eventSource", "eventName", "errorCode", "userIdentity.arn", "userIdentity.type", "sourceIPAddress", "awsRegion", "recipientAccountId" as EventSource, EventName, ErrorCode, UserArn, UserType, SourceIP, AWSRegion, AccountId nodrop
| where isNull(ErrorCode) or ErrorCode = ""
| where EventSource in ("ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com")
| where EventName in (
    "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail",
    "Publish", "PublishBatch",
    "InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent"
  )
| eval ServiceAbused = if(EventSource = "ses.amazonaws.com", "AWS SES",
                       if(EventSource = "sns.amazonaws.com", "AWS SNS",
                       if(EventSource = "bedrock.amazonaws.com", "AWS Bedrock", "Unknown")))
| eval AttackCategory = if(ServiceAbused = "AWS SES", "Email Spam or Phishing Campaign",
                        if(ServiceAbused = "AWS SNS", "SMS Pumping or Bulk Spam",
                        if(ServiceAbused = "AWS Bedrock", "LLM Resource Hijacking (LLMJacking)", "SaaS Abuse")))
| eval Threshold = if(ServiceAbused = "AWS SES", 100,
                   if(ServiceAbused = "AWS SNS", 200, 50))
| timeslice 1h
| count as EventCount by _timeslice, ServiceAbused, AttackCategory, Threshold, UserArn, UserType, SourceIP, AWSRegion, AccountId
| where EventCount > Threshold
| eval SuspicionScore = if(EventCount > Threshold * 10, 3,
                        if(EventCount > Threshold * 3, 2, 1))
| eval SuspicionScore = if(UserType = "AssumedRole", SuspicionScore + 1, SuspicionScore)
| sort by -SuspicionScore, -EventCount
| fields _timeslice, ServiceAbused, AttackCategory, EventCount, Threshold, SuspicionScore, UserArn, UserType, SourceIP, AWSRegion, AccountId

high severity high confidence

Data Sources

AWS CloudTrail

Required Tables

_sourceCategory=*cloudtrail*

False Positives

Legitimate marketing email platforms (Klaviyo, HubSpot) relaying through SES will generate high SendEmail volumes on scheduled campaign days — baseline expected send windows and IAM ARN patterns per environment
SNS-backed alerting infrastructure (PagerDuty integrations, CloudWatch alarms) generating burst Publish events during incidents or deployment windows — correlate with ops runbooks
Analytics or content moderation pipelines invoking Bedrock InvokeModel in parallelized batch jobs — these typically run as Lambda execution roles with predictable ARN patterns that can be excluded

Google Chronicle / SecOps

yaral

rule cloud_service_hijacking_aws_ses_high_volume {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-volume AWS SES email sending (>100 successful calls per identity per hour) indicating spam or phishing campaigns. MITRE ATT&CK T1496.004 Cloud Service Hijacking — Impact tactic. Documented threat actor: DangerDev (Invictus IR)."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "Bulk marketing email sends, transactional notification systems during peak traffic"

  events:
    $e.metadata.product_name = "AWS CloudTrail"
    $e.target.application in nocase ["ses.amazonaws.com"]
    $e.metadata.product_event_type in nocase [
      "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail",
      "SendBulkEmail", "SendTemplatedEmail"
    ]
    NOT $e.security_result.action = "BLOCK"
    $user_arn = $e.principal.user.userid
    $region = $e.principal.location.name

  match:
    $user_arn, $region over 1h

  condition:
    #e > 100
}

rule cloud_service_hijacking_aws_sns_sms_pumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-volume AWS SNS publishing (>200 successful calls per identity per hour) indicating SMS pumping or bulk spam campaigns. MITRE ATT&CK T1496.004 Cloud Service Hijacking — Impact tactic. Documented toolkits: SNS Sender (SentinelOne research)."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "SMS OTP systems, mobile push notification infrastructure, CloudWatch alarm fanout"

  events:
    $e.metadata.product_name = "AWS CloudTrail"
    $e.target.application in nocase ["sns.amazonaws.com"]
    $e.metadata.product_event_type in nocase ["Publish", "PublishBatch"]
    NOT $e.security_result.action = "BLOCK"
    $user_arn = $e.principal.user.userid
    $region = $e.principal.location.name

  match:
    $user_arn, $region over 1h

  condition:
    #e > 200
}

rule cloud_service_hijacking_aws_bedrock_llmjacking {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-frequency AWS Bedrock LLM invocations (>50 successful calls per identity per hour) indicating LLMJacking — adversaries using stolen credentials to proxy AI model inference and resell access. MITRE ATT&CK T1496.004. Documented campaigns by Sysdig and Lacework."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "CRITICAL"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "ML batch inference pipelines, model evaluation jobs, AI-powered application backends during traffic spikes"

  events:
    $e.metadata.product_name = "AWS CloudTrail"
    $e.target.application in nocase ["bedrock.amazonaws.com"]
    $e.metadata.product_event_type in nocase [
      "InvokeModel", "InvokeModelWithResponseStream",
      "CreateModelInvocationJob", "InvokeAgent"
    ]
    NOT $e.security_result.action = "BLOCK"
    $user_arn = $e.principal.user.userid
    $region = $e.principal.location.name

  match:
    $user_arn, $region over 1h

  condition:
    #e > 50
}

rule cloud_service_hijacking_enable_then_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects the DangerDev pattern: a cloud SaaS service (SES, SNS, Bedrock) is enabled or configured by an identity, followed within 6 hours by high-volume API usage from the same identity. Indicates adversaries enabling previously dormant services to abuse at scale immediately after gaining access. MITRE ATT&CK T1496.004."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "CRITICAL"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "Infrastructure-as-code deployments that provision and immediately test SaaS service endpoints"

  events:
    $enable.metadata.product_name = "AWS CloudTrail"
    $enable.metadata.product_event_type in nocase [
      "CreateEmailIdentity", "VerifyEmailIdentity", "PutIdentityPolicy",
      "SetSMSAttributes", "CreateTopic",
      "PutFoundationModelEntitlement", "CreateFoundationModelAgreement",
      "PutModelInvocationLoggingConfiguration"
    ]
    NOT $enable.security_result.action = "BLOCK"

    $abuse.metadata.product_name = "AWS CloudTrail"
    $abuse.target.application in nocase [
      "ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com"
    ]
    $abuse.metadata.product_event_type in nocase [
      "SendEmail", "SendRawEmail", "Publish", "PublishBatch",
      "InvokeModel", "InvokeModelWithResponseStream"
    ]
    NOT $abuse.security_result.action = "BLOCK"

    $enable.principal.user.userid = $abuse.principal.user.userid
    $enable.metadata.event_timestamp.seconds < $abuse.metadata.event_timestamp.seconds

    $user_arn = $enable.principal.user.userid

  match:
    $user_arn over 6h

  condition:
    #abuse > 10
}

critical severity high confidence

Data Sources

AWS CloudTrail

Required Tables

UDM events (metadata.product_name = 'AWS CloudTrail')

False Positives

Terraform or CloudFormation deployments that call CreateEmailIdentity and then immediately validate the SES configuration with a test send — exclude known IaC execution role ARNs from rule 4
High-traffic production applications using SES or SNS through shared IAM roles will exceed thresholds during peak usage periods — create Chronicle reference lists for known high-volume service account ARNs
Bedrock-backed AI features in production SaaS products may exceed 50 invocations/hr during user traffic spikes — correlate with CloudWatch application metrics and exclude production service role ARNs

CrowdStrike LogScale (CQL)

cql

// High-volume SaaS service abuse: SES, SNS, Bedrock (branches 1-3)
#type="aws:cloudtrail"
| in(field=eventSource, values=["ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com"])
| in(field=eventName, values=[
    "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail",
    "Publish", "PublishBatch",
    "InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent"
  ])
| !exists(errorCode)
| ServiceAbused := case {
    eventSource = "ses.amazonaws.com" => "AWS SES";
    eventSource = "sns.amazonaws.com" => "AWS SNS";
    eventSource = "bedrock.amazonaws.com" => "AWS Bedrock";
    * => "Unknown"
  }
| AttackCategory := case {
    ServiceAbused = "AWS SES" => "Email Spam or Phishing Campaign";
    ServiceAbused = "AWS SNS" => "SMS Pumping or Bulk Spam";
    ServiceAbused = "AWS Bedrock" => "LLM Resource Hijacking (LLMJacking)";
    * => "SaaS Service Abuse"
  }
| Threshold := case {
    ServiceAbused = "AWS SES" => 100;
    ServiceAbused = "AWS SNS" => 200;
    ServiceAbused = "AWS Bedrock" => 50;
    * => 50
  }
| timeBucket := formatTime("%Y-%m-%d %H:00", field=@timestamp, timezone="UTC")
| groupBy(
    [timeBucket, ServiceAbused, AttackCategory, Threshold, userIdentity.arn, userIdentity.type, sourceIPAddress, awsRegion],
    function=[
      count(as=EventCount),
      uniqueCount(field=sourceIPAddress, as=UniqueIPs)
    ]
  )
| EventCount > Threshold
| SuspicionScore := case {
    EventCount > Threshold * 10 => 3;
    EventCount > Threshold * 3 => 2;
    * => 1
  }
| SuspicionScore := if(UniqueIPs > 3, SuspicionScore + 1, SuspicionScore)
| SuspicionScore := if(regex("(AssumedRole|FederatedUser)", field=userIdentity.type), SuspicionScore + 1, SuspicionScore)
| SuspicionScore := if(regex("(temp|tmp|test|anon|random|burner)", field=userIdentity.arn), SuspicionScore + 1, SuspicionScore)
| sort(EventCount, order=desc, limit=200)
| select([timeBucket, ServiceAbused, AttackCategory, EventCount, Threshold, SuspicionScore, userIdentity.arn, userIdentity.type, UniqueIPs, sourceIPAddress, awsRegion])

high severity high confidence

Data Sources

AWS CloudTrail

Required Tables

#type=aws:cloudtrail

False Positives

Automated email delivery platforms using SES will spike EventCount during scheduled campaign sends — add known marketing IAM role ARN patterns to a LogScale lookup table and exclude them from threshold evaluation
SNS-backed mobile notification systems generating burst Publish events during app launches, breaking news alerts, or A/B test fanout — correlate with application deployment logs and create time-window exclusions
Bedrock-powered production features (chatbots, content moderation, search) will generate high InvokeModel volumes during traffic spikes — build a baseline per ARN using the LogScale anomaly detection function and alert only on deviations above 3 standard deviations rather than static thresholds

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1496.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Cloud Service Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections