{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-sns/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS SNS","AWS CloudTrail"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","lateral-movement","exfiltration","impact","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAdversaries are leveraging compromised AWS credentials to publish messages to Amazon Simple Notification Service (SNS) topics, a tactic detected when the publishing user or role is observed performing this action for the first time. This behavior, often indicative of an attack, can be exploited for various malicious purposes, including launching phishing campaigns, exfiltrating sensitive data, or achieving lateral movement within the AWS cloud environment. SNS topics are critical infrastructure for sending notifications and messages to subscribed endpoints such as applications, mobile devices, or email addresses, making them a valuable target for distributing malicious content or extracting information. The detection relies on AWS CloudTrail logs, specifically monitoring \u003ccode\u003esns.amazonaws.com:Publish\u003c/code\u003e events with \u003ccode\u003eoutcome:success\u003c/code\u003e, focusing on activities from previously unobserved or rarely active entities to identify anomalous and potentially malicious usage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An adversary successfully compromises an AWS IAM user account or role, an EC2 instance, or gains access through a vulnerable application, acquiring valid AWS credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement\u003c/strong\u003e: The adversary uses the initial compromise to identify and leverage permissions that allow interaction with AWS SNS, or moves laterally to an environment where such permissions are already available.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSNS Topic Message Publication\u003c/strong\u003e: Using the compromised credentials, the adversary publishes a message to an existing SNS topic. This action often appears as a rare or novel behavior for the specific user or role performing it, triggering anomaly detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMessage Delivery\u003c/strong\u003e: The malicious message is then delivered to all configured subscribed endpoints of the SNS topic, which can include email addresses, SMS recipients, Amazon SQS queues, or AWS Lambda functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Activity Execution\u003c/strong\u003e: Depending on the attacker's objective, the published message might contain phishing links targeting internal users, exfiltrated sensitive data embedded within the message, or commands intended for further lateral movement or resource hijacking.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The successful delivery of the malicious message results in various impacts such as successful phishing campaigns, unauthorized data exfiltration, further compromise of systems, or disruption of business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of SNS topic publishing can lead to severe consequences for an organization. Adversaries can initiate targeted phishing campaigns against internal employees or external customers by distributing malicious links or content via SMS or email subscribers, leading to further credential theft or malware infection. Sensitive data exfiltration can occur if an attacker publishes proprietary information to an SNS topic with external subscriptions. Furthermore, the ability to control message distribution can facilitate lateral movement within the cloud environment by triggering malicious Lambda functions or sending instructions to other compromised systems, potentially leading to widespread system compromise, resource hijacking, or service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS SNS Topic Message Publish Detected\u0026quot; to your SIEM and configure it to identify anomalous behavior by users or roles rarely observed publishing SNS messages.\u003c/li\u003e\n\u003cli\u003eEnsure that AWS CloudTrail data events are enabled for SNS topic logging to capture the \u003ccode\u003ePublish\u003c/code\u003e action as specified in the rule's \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e fields from the \u003ccode\u003eaws.cloudtrail\u003c/code\u003e logs for any SNS \u003ccode\u003ePublish\u003c/code\u003e events that are flagged.\u003c/li\u003e\n\u003cli\u003eIf unauthorized activity is confirmed, disable the \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e or IAM role associated with the malicious user, as suggested in the \u0026quot;Response and Remediation\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eAudit IAM policies associated with users and SNS topics to ensure appropriate permissions are in place, as recommended in the \u0026quot;Review Policies and Subscriptions\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T14:13:23Z","date_published":"2026-07-15T14:13:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-sns-rare-user/","summary":"This high-severity threat involves adversaries publishing messages to an AWS SNS topic using compromised credentials, identified when a user or role performs this action for the first time, potentially facilitating phishing campaigns, data exfiltration, or lateral movement within an AWS environment.","title":"AWS SNS Topic Message Published by Rare User","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-sns-rare-user/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS SNS","version":"https://jsonfeed.org/version/1.1"}