<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS SNS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-sns/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 14:13:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-sns/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS SNS Topic Message Published by Rare User</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-sns-rare-user/</link><pubDate>Wed, 15 Jul 2026 14:13:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-sns-rare-user/</guid><description>This high-severity threat involves adversaries publishing messages to an AWS SNS topic using compromised credentials, identified when a user or role performs this action for the first time, potentially facilitating phishing campaigns, data exfiltration, or lateral movement within an AWS environment.</description><content:encoded><![CDATA[<p>Adversaries are leveraging compromised AWS credentials to publish messages to Amazon Simple Notification Service (SNS) topics, a tactic detected when the publishing user or role is observed performing this action for the first time. This behavior, often indicative of an attack, can be exploited for various malicious purposes, including launching phishing campaigns, exfiltrating sensitive data, or achieving lateral movement within the AWS cloud environment. SNS topics are critical infrastructure for sending notifications and messages to subscribed endpoints such as applications, mobile devices, or email addresses, making them a valuable target for distributing malicious content or extracting information. The detection relies on AWS CloudTrail logs, specifically monitoring <code>sns.amazonaws.com:Publish</code> events with <code>outcome:success</code>, focusing on activities from previously unobserved or rarely active entities to identify anomalous and potentially malicious usage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An adversary successfully compromises an AWS IAM user account or role, an EC2 instance, or gains access through a vulnerable application, acquiring valid AWS credentials.</li>
<li><strong>Privilege Escalation/Lateral Movement</strong>: The adversary uses the initial compromise to identify and leverage permissions that allow interaction with AWS SNS, or moves laterally to an environment where such permissions are already available.</li>
<li><strong>SNS Topic Message Publication</strong>: Using the compromised credentials, the adversary publishes a message to an existing SNS topic. This action often appears as a rare or novel behavior for the specific user or role performing it, triggering anomaly detection.</li>
<li><strong>Message Delivery</strong>: The malicious message is then delivered to all configured subscribed endpoints of the SNS topic, which can include email addresses, SMS recipients, Amazon SQS queues, or AWS Lambda functions.</li>
<li><strong>Malicious Activity Execution</strong>: Depending on the attacker's objective, the published message might contain phishing links targeting internal users, exfiltrated sensitive data embedded within the message, or commands intended for further lateral movement or resource hijacking.</li>
<li><strong>Impact</strong>: The successful delivery of the malicious message results in various impacts such as successful phishing campaigns, unauthorized data exfiltration, further compromise of systems, or disruption of business operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of SNS topic publishing can lead to severe consequences for an organization. Adversaries can initiate targeted phishing campaigns against internal employees or external customers by distributing malicious links or content via SMS or email subscribers, leading to further credential theft or malware infection. Sensitive data exfiltration can occur if an attacker publishes proprietary information to an SNS topic with external subscriptions. Furthermore, the ability to control message distribution can facilitate lateral movement within the cloud environment by triggering malicious Lambda functions or sending instructions to other compromised systems, potentially leading to widespread system compromise, resource hijacking, or service disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS SNS Topic Message Publish Detected&quot; to your SIEM and configure it to identify anomalous behavior by users or roles rarely observed publishing SNS messages.</li>
<li>Ensure that AWS CloudTrail data events are enabled for SNS topic logging to capture the <code>Publish</code> action as specified in the rule's <code>setup</code> section.</li>
<li>Investigate <code>aws.cloudtrail.user_identity.arn</code>, <code>source.ip</code>, and <code>user_agent.original</code> fields from the <code>aws.cloudtrail</code> logs for any SNS <code>Publish</code> events that are flagged.</li>
<li>If unauthorized activity is confirmed, disable the <code>aws.cloudtrail.user_identity.access_key_id</code> or IAM role associated with the malicious user, as suggested in the &quot;Response and Remediation&quot; section.</li>
<li>Audit IAM policies associated with users and SNS topics to ensure appropriate permissions are in place, as recommended in the &quot;Review Policies and Subscriptions&quot; section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>lateral-movement</category><category>exfiltration</category><category>impact</category><category>command-and-control</category></item></channel></rss>