1) some 20 organisations were created within our Root all with email id with same domain (co.jp)
2) attacker had created multiple fargate templates
3) they created resources in 16-17 AWS regions
4) they requested to raise SES,WS Fargate Resource Rate Quota Change was requested, sage maker Notebook maintenance - we have no need of using these instances (recd an email from aws for all of this)
5) in some of the emails i started seeing a new name added (random name @outlook.com)
I am from the same team & i can concur with what you are saying. I did see a warning about the same key that was used in todays exploit about 2 years ago from some random person in an email. but there was no exploutation till yesterday.