title: Cloud Service Hijacking (T1496.004)
id: df00tech-t1496-004
status: experimental
description: "Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, impacting hosted service availability and incurring significant financial costs for victims. Primary attack vectors include: (1) Email/SMS spam campaigns abusing AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio to send bulk phishing or spam messages using the victim's service quotas and sending reputation; (2) LLMJacking, where adversaries use stolen cloud credentials to proxy AI model inference requests (AWS Bedrock, Azure OpenAI) through reverse proxies, effectively monetizing access to expensive LLM compute while billing the victim; (3) Enabling previously inactive cloud SaaS services and immediately exploiting them at scale. Threat actor DangerDev (documented by Invictus IR) abused AWS SES for large-scale phishing campaigns, SNS Sender toolkits (documented by SentinelOne) enable SMS pumping at scale, and LLMJacking campaigns (documented by Sysdig and Lacework) demonstrate adversaries reselling stolen LLM API access."
references:
  - https://attack.mitre.org/techniques/T1496/004/
  - https://df00tech.com/detections/T1496.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1496.004
# NOTE: logsource was auto-derived as product: windows, which cannot observe
# SES, SNS or Bedrock API activity. The technique is cloud-only, so the
# appropriate source is CloudTrail; adjust service/product for your environment.
logsource:
  product: aws
  service: cloudtrail
detection:
  # The volume and sequence logic could not be auto-translated; see the KQL/SPL
  # query on df00tech. The selection below only narrows to the services named in
  # the description; eventName filters and thresholds must be added from that query.
  selection:
    eventSource:
      - ses.amazonaws.com
      - sns.amazonaws.com
      - bedrock.amazonaws.com
  condition: selection
falsepositives:
  - "Legitimate email marketing campaigns using AWS SES with high send volumes for newsletters, product launches, or promotional blasts — verify against scheduled marketing activities in change management systems"
  - "Application notification services sending high volumes of transactional emails via SES for password resets, order confirmations, or system alerts during peak traffic periods"
  - "Legitimate ML/AI production workloads running batch inference via AWS Bedrock for model evaluation pipelines, A/B testing, or high-throughput production inference services"
  - DevOps or QA environments running load tests against SES/SNS messaging endpoints that generate artificially high send volumes
  - Automated CI/CD pipelines executing integration tests that exercise SES/SNS endpoints as part of end-to-end test suites
level: high
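The three behaviours the description names (SES recon followed by re-enabling sending, a key touching SES/SNS/Bedrock for the first time and using it straight away, and a burst of Bedrock model invocations) can be run over CloudTrail records directly. The script below is an added example written for this page; it is not the df00tech query nor code from MITRE, Invictus IR, SentinelOne, Sysdig or Lacework. The `eventSource` and `eventName` values are real CloudTrail fields for these services; the access key IDs, IPs, timestamps, the 30-day baseline of services per key, and the burst/window thresholds are constructed for the example and should be tuned to your environment.

```python
"""Editor-added T1496.004 detection example over constructed CloudTrail records.

Checks implemented:
  1. SES: quota/identity recon followed by re-enabling account sending
  2. first use of an eventSource the key has never called (SES/SNS/Bedrock
     being switched on and used immediately)
  3. Bedrock: a burst of InvokeModel* calls from one access key
Sample records, keys, IPs, baseline and thresholds are constructed here.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}
SES_RECON = {"GetSendQuota", "GetAccount", "ListIdentities", "GetAccountSendingEnabled"}
SES_ENABLE = {"UpdateAccountSendingEnabled", "PutAccountSendingAttributes"}


def parse_cloudtrail(lines):
    """Parse JSON-lines CloudTrail records into time-sorted dicts with the fields used here."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        out.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "key": r.get("userIdentity", {}).get("accessKeyId", "?"),
            "source": r["eventSource"],
            "name": r["eventName"],
            "ip": r.get("sourceIPAddress", "?"),
        })
    return sorted(out, key=lambda e: e["time"])


def detect_ses_enable_after_recon(events, window=timedelta(minutes=15)):
    """Alert when a key does SES recon and then re-enables sending within `window`."""
    alerts, last_recon = [], {}
    for e in events:
        if e["source"] != "ses.amazonaws.com":
            continue
        if e["name"] in SES_RECON:
            last_recon[e["key"]] = e["time"]
        elif e["name"] in SES_ENABLE and e["key"] in last_recon \
                and e["time"] - last_recon[e["key"]] <= window:
            alerts.append({"rule": "ses_enable_after_recon", "key": e["key"],
                           "ip": e["ip"], "event": e["name"]})
    return alerts


def detect_new_service(events, baseline):
    """Alert on the first call a key makes to an eventSource absent from its baseline."""
    alerts, seen = [], defaultdict(set)
    for e in events:
        if e["source"] not in baseline.get(e["key"], set()) and e["source"] not in seen[e["key"]]:
            seen[e["key"]].add(e["source"])
            alerts.append({"rule": "first_use_of_service", "key": e["key"],
                           "ip": e["ip"], "service": e["source"]})
    return alerts


def detect_invoke_burst(events, threshold=10, window=timedelta(minutes=5)):
    """Alert once per burst when >= threshold InvokeModel* calls from one key fall in `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["source"] != "bedrock.amazonaws.com" or e["name"] not in INVOKE_EVENTS:
            continue
        q = recent[e["key"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:   # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"rule": "bedrock_invoke_burst", "key": e["key"],
                           "ip": e["ip"], "count": len(q)})
            q.clear()   # one alert per burst, not one per call
    return alerts


def _rec(t, source, name, key, ip):
    """Build one constructed CloudTrail-style JSON line (trimmed to the fields used)."""
    return json.dumps({"eventTime": t, "eventSource": source, "eventName": name,
                       "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip})


# Constructed sample data: keys, IPs and timestamps are made up for this example.
KEY_A, KEY_B, KEY_C = "AKIAEXAMPLEAAAAAAAAA", "AKIAEXAMPLEBBBBBBBBB", "AKIAEXAMPLECCCCCCCCC"
SAMPLE_LINES = [
    _rec("2024-05-01T10:00:00Z", "ses.amazonaws.com", "GetSendQuota", KEY_A, "198.51.100.7"),
    _rec("2024-05-01T10:00:02Z", "ses.amazonaws.com", "ListIdentities", KEY_A, "198.51.100.7"),
    _rec("2024-05-01T10:01:30Z", "ses.amazonaws.com", "UpdateAccountSendingEnabled", KEY_A, "198.51.100.7"),
    _rec("2024-05-01T10:05:00Z", "sns.amazonaws.com", "SetSMSAttributes", KEY_A, "198.51.100.7"),
    _rec("2024-05-01T11:00:00Z", "bedrock.amazonaws.com", "ListFoundationModels", KEY_B, "203.0.113.9"),
] + [
    _rec(f"2024-05-01T11:00:{s:02d}Z", "bedrock.amazonaws.com", "InvokeModel", KEY_B, "203.0.113.9")
    for s in range(5, 60, 5)   # 11 invocations in 55 seconds
] + [
    # benign: an established SES user checking its quota, nothing enabled afterwards
    _rec("2024-05-01T12:00:00Z", "ses.amazonaws.com", "GetSendQuota", KEY_C, "192.0.2.5"),
]

# Constructed 30-day baseline of the services each key normally calls.
BASELINE = {KEY_A: {"ec2.amazonaws.com", "s3.amazonaws.com"},
            KEY_B: {"s3.amazonaws.com"},
            KEY_C: {"ses.amazonaws.com"}}


def run_detections(lines=SAMPLE_LINES, baseline=BASELINE):
    """Run all three checks and return the combined alert list."""
    events = parse_cloudtrail(lines)
    return (detect_ses_enable_after_recon(events)
            + detect_new_service(events, baseline)
            + detect_invoke_burst(events))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed input this yields five alerts: one SES recon-then-enable for KEY_A, first-use alerts for KEY_A (SES, SNS) and KEY_B (Bedrock), and one Bedrock burst for KEY_B; KEY_C, whose baseline already includes SES, raises nothing. The first-use check is what catches the "enable a dormant service and exploit it immediately" vector; the burst check catches LLMjacking-style proxying regardless of which model is called. The bulk SendEmail/Publish traffic itself is better measured from SES/SNS sending metrics than from CloudTrail management events, so send-volume thresholds for the spam vector are deliberately left out of this example.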
