Even if we can't use the SES SendEmail API or we don't want to attract unwanted attention from a defender, we can still abuse SES for phishing if they are using email templates. We can use the SES UpdateTemplate API to update the text/HTML of an email template that is already created in SES. As an attacker, we can use this to basically establish backdoor phishing emails. Let's say Example Co. uses SES templates to send out marketing emails. We, as the attacker, can go in and modify that specific template, where we could insert malicious links and content. Then, every time Example Co. sends out their marketing emails, our malicious links and content will be included, increasing the chances of our attack working by a large amount.

Another attack that could be performed would be to set up a receipt rule that determines what happens with incoming emails to those verified emails/domains. By using the SES CreateReceiptRule API, we could set up a receipt rule that sends all incoming messages to our own S3 bucket in our attacker account, where we could then read for sensitive contents, or a variety of other options supported by receipt rules, such as triggering Lambda functions.