Hackers Turn Cloud Servers Into a Secret Mail Network
TL;DR: A threat actor called PCPJack has hijacked over 230 servers on AWS, Google Cloud, and Azure. The compromised servers are being used to create a covert email relay network, turning them into proxies for sending mail.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: The Hacker News
Full summary
A threat actor has hijacked hundreds of AWS, Google Cloud, and Azure servers to build a covert network for sending emails.
A threat actor identified as PCPJack has successfully compromised over 230 cloud servers across Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. According to security researchers, these hijacked servers, located in the U.S., Europe, and Asia, have been secretly converted into an email relay network. The attackers repurpose the servers to function as Simple Mail Transfer Protocol (SMTP) proxies, which are systems designed to send emails on behalf of others. The compromised machines are verified for their mail relay capabilities and then synchronized with a central controller every five minutes. This creates a distributed and resilient infrastructure for the attacker to send large volumes of email from seemingly legitimate sources.
This campaign poses a significant risk to any organization using major cloud platforms. When a server is hijacked for a malicious relay network, the consequences can be severe. The server's IP address can quickly be added to email blacklists, which would block your own legitimate business emails from reaching customers and partners. This can disrupt communications and damage your company's reputation, as your infrastructure becomes associated with spam or phishing campaigns. Furthermore, the unauthorized activity consumes computing resources, leading to unexpected increases in your cloud service bills. The covert nature of the attack means it can go undetected for long periods, silently causing harm.
The PCPJack operation highlights a broader trend of attackers abusing trusted cloud infrastructure to evade security defenses. By routing their malicious traffic through reputable providers like AWS and Google Cloud, they bypass spam filters and security gateways that are more likely to scrutinize traffic from unknown or suspicious IP addresses. This makes their campaigns far more effective. For security and IT teams, this incident underscores the critical need for vigilant monitoring of cloud environments. It is essential to track outbound network traffic, regularly audit server configurations for unauthorized software, and implement strict firewall policies to prevent systems from being co-opted for such attacks.
Why it matters
Attackers are abusing the trusted reputation of major cloud providers to bypass security filters, making their malicious email campaigns more effective and harder to detect.
Business impact
A compromised server can lead to blacklisted IPs, preventing legitimate emails from being delivered, and cause reputational damage if your company's infrastructure is used for spam or phishing.
Action checklist
1. Monitor outbound SMTP traffic for unusual patterns or volume.
2. Review server configurations for unauthorized software or proxy services.
3. Implement strict egress firewall rules to limit outbound connections to only what is necessary.
4. Regularly check if your server IP addresses have been added to email blacklists.
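An added illustration of checklist item 1 that is not part of the original article or the researchers' reporting: a small Python script that scans constructed AWS VPC flow-log lines (the default v2 field layout is assumed) for two signs described in the summary, an instance fanning out to many external SMTP servers on ports 25/465/587, and an instance contacting one host at a fixed five-minute interval, as the controller sync would appear. The thresholds and the sample addresses are assumptions, not values from the report.

```python
from collections import defaultdict

# Constructed sample in the AWS VPC flow-log default layout (assumed): version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOWS = """\
2 123456789012 eni-relay 10.0.1.5 203.0.113.10 49152 25 6 12 3400 1700000000 1700000010 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 203.0.113.11 49153 25 6 12 3400 1700000001 1700000011 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 203.0.113.12 49154 25 6 12 3400 1700000002 1700000012 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 203.0.113.13 49155 587 6 12 3400 1700000003 1700000013 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 198.51.100.7 49160 443 6 5 900 1700000000 1700000001 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 198.51.100.7 49161 443 6 5 900 1700000300 1700000301 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 198.51.100.7 49162 443 6 5 900 1700000600 1700000601 ACCEPT OK
2 123456789012 eni-relay 10.0.1.5 198.51.100.7 49163 443 6 5 900 1700000900 1700000901 ACCEPT OK
2 123456789012 eni-web 10.0.2.9 203.0.113.10 50001 25 6 12 3400 1700000005 1700000015 ACCEPT OK
2 123456789012 eni-web 10.0.2.9 198.51.100.20 50002 443 6 5 900 1700000006 1700000007 ACCEPT OK
"""
SMTP_PORTS = {25, 465, 587}  # relay/submission ports a typical web host rarely dials out to

def parse_flows(text):
    """Return accepted flows as (src, dst, dstport, start) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 14 and f[12] == "ACCEPT":
            flows.append((f[3], f[4], int(f[6]), int(f[10])))
    return flows

def find_smtp_relays(flows, min_dests=3):
    """Sources fanning out to at least min_dests distinct SMTP servers (relay-like behaviour)."""
    dests = defaultdict(set)
    for src, dst, port, _ in flows:
        if port in SMTP_PORTS:
            dests[src].add(dst)
    return {s: sorted(d) for s, d in dests.items() if len(d) >= min_dests}

def find_beacons(flows, period=300, slack=5, min_hits=4):
    """(src, dst) pairs contacted at a fixed interval, e.g. a five-minute controller sync."""
    times = defaultdict(list)
    for src, dst, _, start in flows:
        times[(src, dst)].append(start)
    hits = []
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and all(abs(g - period) <= slack for g in gaps):
            hits.append(pair)
    return hits
```

On the constructed sample, `find_smtp_relays` flags only the host that reaches four distinct mail servers, and `find_beacons` flags its 300-second cadence to one external host; a production version would read real flow logs and tune the thresholds to the fleet's normal mail volume.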
Primary source: The Hacker News
