Detect Cloud Service Hijacking in Microsoft Sentinel
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, impacting hosted service availability and incurring significant financial costs for victims. Primary attack vectors include: (1) Email/SMS spam campaigns abusing AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio to send bulk phishing or spam messages using the victim's service quotas and sending reputation; (2) LLMJacking, where adversaries use stolen cloud credentials to proxy AI model inference requests (AWS Bedrock, Azure OpenAI) through reverse proxies, effectively monetizing access to expensive LLM compute while billing the victim; (3) Enabling previously inactive cloud SaaS services and immediately exploiting them at scale. Threat actor DangerDev (documented by Invictus IR) abused AWS SES for large-scale phishing campaigns, SNS Sender toolkits (documented by SentinelOne) enable SMS pumping at scale, and LLMJacking campaigns (documented by Sysdig and Lacework) demonstrate adversaries reselling stolen LLM API access.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1496 Resource Hijacking
- Sub-technique
- T1496.004 Cloud Service Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1496/004/
KQL Detection Query
let LookbackPeriod = 24h;
let SESHighVolumeThreshold = 100;
let SNSHighVolumeThreshold = 200;
let LLMHighVolumeThreshold = 50;
let SESSpamOps = dynamic(["SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail"]);
let SNSSpamOps = dynamic(["Publish", "PublishBatch"]);
let LLMOps = dynamic(["InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent"]);
// Branch 1: High-volume SES email sending (spam or phishing campaigns)
let SESAbuse = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource =~ "ses.amazonaws.com"
| where EventName in (SESSpamOps)
| where isempty(ErrorCode)
| summarize EventCount = count(),
UniqueIPs = dcount(SourceIPAddress),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by bin(TimeGenerated, 1h), UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion
| where EventCount > SESHighVolumeThreshold
| extend ServiceAbused = "AWS SES",
AttackPattern = "High-Volume Email Sending — Possible Spam or Phishing Campaign",
RiskLevel = "High";
// Branch 2: High-volume SNS publishing (SMS spam or pumping)
let SNSAbuse = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource =~ "sns.amazonaws.com"
| where EventName in (SNSSpamOps)
| where isempty(ErrorCode)
| summarize EventCount = count(),
UniqueIPs = dcount(SourceIPAddress),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by bin(TimeGenerated, 1h), UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion
| where EventCount > SNSHighVolumeThreshold
| extend ServiceAbused = "AWS SNS",
AttackPattern = "High-Volume SMS Publishing — Possible SMS Pumping",
RiskLevel = "High";
// Branch 3: LLMJacking — high-frequency AI model invocations from Bedrock
let LLMJacking = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource =~ "bedrock.amazonaws.com"
| where EventName in (LLMOps)
| where isempty(ErrorCode)
| summarize EventCount = count(),
UniqueIPs = dcount(SourceIPAddress),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by bin(TimeGenerated, 1h), UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion
| where EventCount > LLMHighVolumeThreshold
| extend ServiceAbused = "AWS Bedrock",
AttackPattern = "High-Frequency LLM Invocation — Possible LLMJacking",
RiskLevel = "High";
// Branch 4: Service enablement immediately followed by high-volume usage (DangerDev pattern)
let ServiceEnablement = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventName in ("CreateEmailIdentity", "VerifyEmailIdentity", "PutIdentityPolicy",
"SetSMSAttributes", "CreateTopic",
"PutFoundationModelEntitlement", "CreateFoundationModelAgreement",
"PutModelInvocationLoggingConfiguration")
| where isempty(ErrorCode)
| project EnableTime = TimeGenerated, UserIdentityArn, EnableEvent = EventName, SourceIPAddress, AWSRegion;
let ServiceUsage = AWSCloudTrail
| where TimeGenerated > ago(LookbackPeriod)
| where EventSource in ("ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com")
| where EventName in ("SendEmail", "SendRawEmail", "Publish", "PublishBatch", "InvokeModel", "InvokeModelWithResponseStream")
| where isempty(ErrorCode)
| summarize UsageCount = count(), FirstUsage = min(TimeGenerated)
by UserIdentityArn, UsageEvent = EventName;
let EnableThenAbuse = ServiceEnablement
| join kind=inner ServiceUsage on UserIdentityArn
| where FirstUsage > EnableTime and FirstUsage < (EnableTime + 6h)
| where UsageCount > 10
| extend ServiceAbused = "Multiple SaaS Services",
AttackPattern = strcat("Service Enabled Then Immediately Abused: ", EnableEvent, " -> ", UsageEvent),
RiskLevel = "Critical";
// Union all detection branches
SESAbuse
| union SNSAbuse
| union LLMJacking
| union (
EnableThenAbuse
| project TimeGenerated = EnableTime, ServiceAbused, AttackPattern, RiskLevel,
EventCount = UsageCount, UserIdentityArn, UserIdentityType = "",
SourceIPAddress, AWSRegion, UniqueIPs = 1,
FirstSeen = EnableTime, LastSeen = FirstUsage
)
| project TimeGenerated, ServiceAbused, AttackPattern, RiskLevel, EventCount,
UserIdentityArn, UserIdentityType, SourceIPAddress, AWSRegion,
UniqueIPs, FirstSeen, LastSeen
| sort by EventCount descDetects cloud service hijacking (T1496.004) across AWS SaaS services using AWS CloudTrail logs ingested into Microsoft Sentinel via the AWS CloudTrail connector (AWSCloudTrail table). Four detection branches: (1) AWS SES SendEmail/SendRawEmail/SendBulkEmail operations exceeding 100 per hour per IAM principal — indicating spam or phishing campaigns; (2) AWS SNS Publish/PublishBatch operations exceeding 200 per hour — indicating SMS pumping; (3) AWS Bedrock InvokeModel/InvokeModelWithResponseStream operations exceeding 50 per hour — indicating LLMJacking; (4) Service enablement events (identity verification, topic creation, model entitlement grants) followed by high-volume service usage within 6 hours — the DangerDev/SNS Sender enable-then-abuse pattern. All branches filter for successful operations via empty ErrorCode to reduce noise from access-denied events.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate email marketing campaigns using AWS SES with high send volumes for newsletters, product launches, or promotional blasts — verify against scheduled marketing activities in change management systems
- Application notification services sending high volumes of transactional emails via SES for password resets, order confirmations, or system alerts during peak traffic periods
- Legitimate ML/AI production workloads running batch inference via AWS Bedrock for model evaluation pipelines, A/B testing, or high-throughput production inference services
- DevOps or QA environments running load tests against SES/SNS messaging endpoints that generate artificially high send volumes
- Automated CI/CD pipelines executing integration tests that exercise SES/SNS endpoints as part of end-to-end test suites
Other platforms for T1496.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS SES High-Volume Email Sending Simulation
Expected signal: AWS CloudTrail: 10 events with EventName=SendEmail, EventSource=ses.amazonaws.com, originating from the caller IAM ARN and source IP. CloudWatch Metrics: SES NumberOfEmailsSent increments by 10. Sentinel AWSCloudTrail table: events appear within 5 minutes of AWS CloudTrail delivery delay.
- Test 2AWS SNS SMS Publishing Burst with Promotional Configuration
Expected signal: AWS CloudTrail: SetSMSAttributes event (RequestParameters shows DefaultSMSType=Promotional), CreateTopic event with TopicName=argus-t1496004-test, and 5 x Publish events, all from the same IAM ARN within a short time window. CloudWatch: SNS NumberOfMessagesSent and SMSMonthToDateSpentUSD metrics increment.
- Test 3AWS Bedrock LLM Invocation Burst (LLMJacking Simulation)
Expected signal: AWS CloudTrail: 15 x EventName=InvokeModel, EventSource=bedrock.amazonaws.com, with ModelId=amazon.titan-text-lite-v1 in RequestParameters, all from same IAM ARN and source IP. CloudWatch: Bedrock InvocationCount metric increments by 15. If Bedrock invocation logging is enabled, S3 or CloudWatch Logs capture input prompts and responses.
- Test 4SES Service Enablement Then Immediate Abuse Pattern
Expected signal: AWS CloudTrail: CreateEmailIdentity event followed within seconds by SendEmail event (possibly ErrorCode=MessageRejected if unverified), then GetEmailIdentity event — all from same IAM ARN and source IP within a 1-2 minute window. The sub-minute gap between CreateEmailIdentity and SendEmail is the key forensic indicator.
References (12)
- https://attack.mitre.org/techniques/T1496/004/
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
- https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
- https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
- https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html
- https://docs.aws.amazon.com/sns/latest/dg/sms_stats_cloudwatch.html
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
- https://docs.microsoft.com/en-us/azure/sentinel/connect-aws-cloudtrail
- https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudTrail
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md
Unlock Pro Content
Get the full detection package for T1496.004 including response playbook, investigation guide, and atomic red team tests.