The Gist
When a U.S. company wired $50,000 to what it thought was a legitimate vendor, the transaction looked routine. The email came from a verified domain, sent through Amazon’s cloud infrastructure. But behind the scenes, the entire operation was part of the TruffleNet attack, a coordinated Business Email Compromise (BEC) campaign that used stolen AWS credentials to run large-scale B2B payment fraud.
As first detailed by Fortinet AI, the research division of Fortinet, and reported by Dark Reading, TruffleNet was not a single breach. It was a coordinated, automated campaign that weaponized legitimate cloud tools to validate stolen credentials and infiltrate corporate systems at scale.
Earlier this year, we explored how attackers increasingly exploit platforms like Dropbox and DocuSign to harvest credentials. The TruffleNet attack shows what happens next: when stolen logins become the gateway to large-scale B2B financial fraud.

How the TruffleNet Attack Worked
Step 1: Credential Testing and Reconnaissance
These breaches start with identity. In TruffleNet, attackers began feeding massive lists of compromised usernames and passwords, harvested from prior phishing campaigns and dark web leaks, into automated systems that tested them against live cloud services.
Over 800 hosts across 57 networks performed continuous login attempts, verifying which credentials were still valid. Each success gave attackers a legitimate access point, effectively creating a database of live, trusted identities across multiple enterprises.
Step 2: Abuse of Legitimate Tools and Infrastructure
Once the attackers found valid logins, they didn’t deploy malware or spin up shady servers. Instead, they used Portainer, a legitimate DevOps management tool used daily by IT teams to manage containerized applications.
By using Portainer, their activity looked like normal administrative behavior. There were no malicious files, no known bad IPs, no suspicious network signatures. Everything ran inside trusted infrastructure.
That’s what made TruffleNet so dangerous. Traditional detection tools, trained to look for malicious artifacts or “bad” domains, had nothing to flag.
Step 3: Downstream BEC Attack
Once inside, the attackers moved from reconnaissance to execution, launching a Business Email Compromise campaign using Amazon Web Services’ Simple Email Service (SES).
Through AWS’s legitimate email infrastructure, they sent convincing vendor-onboarding messages impersonating ZoomInfo, requesting a $50,000 wire transfer to an attacker-controlled account.
Because the messages came from AWS servers using valid credentials, they passed every authentication check — SPF, DKIM, and DMARC — and slipped through spam filters untouched. There was no spoofing, no malware, and no compromised domain. The attackers simply leveraged trusted systems to deliver fraud from within.
Step 4: Why This Tactic Is So Effective
As Fortinet’s researchers noted, “valid credentials appear legitimate.” That’s the essence of the TruffleNet model. The attackers didn’t have to hide because their activity was inherently trusted.
Traditional security controls, like firewalls, threat feeds, and malware scanners, are designed to spot what’s known to be bad. But when the activity originates from legitimate users and infrastructure, those controls have nothing to see.
The result is a perfect disguise: no malicious code, no anomalies in traffic patterns, just normal operations — until the money moves.
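One behavioral check that fits Step 1 and the "nothing to see" problem above, added here as an example and not code from Fortinet or Trustmi: it scans CloudTrail-style records and flags an access key that was validated from several unrelated networks within a short window, which is the fan-out of a credential-testing farm rather than any known-bad IP. It assumes validation shows up as GetCallerIdentity calls and runs on constructed sample records.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Assumption (not stated on the page): TruffleNet-style credential validation
# surfaces in CloudTrail as sts:GetCallerIdentity calls made with the tested keys.
VALIDATION_EVENT = "GetCallerIdentity"

# Constructed CloudTrail-style records (sample input, not real telemetry).
# Key "..._A" is checked from three unrelated networks within seconds and then
# probes SES; key "..._B" is a normal key used from one office address.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2025-10-01T10:00:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_A"}},
    {"eventTime": "2025-10-01T10:00:04Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_A"}},
    {"eventTime": "2025-10-01T10:00:09Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.44", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_A"}},
    {"eventTime": "2025-10-01T10:00:15Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.200", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_A"}},
    {"eventTime": "2025-10-01T10:01:00Z", "eventName": "GetSendQuota", "sourceIPAddress": "192.0.2.44", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_A"}},
    {"eventTime": "2025-10-01T09:30:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "10.0.0.5", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_B"}},
    {"eventTime": "2025-10-01T10:20:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "10.0.0.5", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_B"}},
    {"eventTime": "2025-10-01T10:21:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "AWS Internal", "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_B"}},
])


def flag_credential_fanout(log_text, window=timedelta(minutes=15), min_networks=3, prefix=24):
    """Return {access_key: max distinct /prefix networks} for keys whose validation
    calls came from at least min_networks distinct networks inside one window."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("eventName") != VALIDATION_EVENT:
            continue  # SES probing (GetSendQuota etc.) is a separate signal, not counted here
        try:  # CloudTrail may record "AWS Internal" or a service name instead of an IP
            net = ip_network(f'{ev["sourceIPAddress"]}/{prefix}', strict=False)
        except ValueError:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_key[ev["userIdentity"]["accessKeyId"]].append((ts, net))
    flagged = {}
    for key, hits in by_key.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):  # sliding window starting at each hit
            nets = {n for t, n in hits[i:] if t - start <= window}
            if len(nets) >= min_networks:
                flagged[key] = max(len(nets), flagged.get(key, 0))
    return flagged
```

Repeated hits from the same /24 count once, so a single office or NAT address never trips the check; the threshold and window are tuning knobs, not fixed values from the report.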
Trustmi’s Take
TruffleNet isn’t just another BEC case—it’s a preview of where fraud is heading. Fortinet’s findings highlight what Trustmi sees every day: Once attackers gain valid credentials, they don’t need malware or spoofed domains. They simply log in like legitimate users, operate within trusted cloud environments, and trigger payments that appear completely routine.
Identity alone isn’t enough to protect against that. A reliable defense now is visibility into behavior—how users act, how vendors normally operate, and what changes right before a payment is executed. Even Fortinet’s researchers pointed to “behavioral indicators” as the missing signal—exactly the kind of visibility organizations need to spot misuse inside legitimate systems. Without that context, modern fraud blends perfectly into everyday operations until the moment money moves.
The TruffleNet attacks showed what happens when your controls end at the login screen. The next generation of defenses must go further.
To learn how to recognize and prevent these attacks before they reach your inbox, read our guide How to Recognize and Prevent Business Email Compromise in B2B Payments.