Phishing Campaigns Exploit Amazon SES to Evade Detection

May 5, 2026 Faeem AWS, BLOGS 0

Overview Threat actors are increasingly abusing Amazon Simple Email Service (SES) to send phishing emails that appear fully legitimate. Because SES is a trusted AWS platform, emails sent through it carry valid SPF, DKIM, and DMARC authentication headers, allowing them to bypass most email security filters.

How the Abuse Works

  • Trusted Infrastructure: SES is widely used for transactional and marketing emails, making it a trusted sender.
  • Authentication Passed: Phishing emails sent via SES look identical to legitimate communications, passing all technical checks.
  • Message-ID Headers: Often include “.amazonses.com,” reinforcing legitimacy.
  • Common Lures: Fake DocuSign notifications asking recipients to sign documents. Links appear to point to amazonaws.com but redirect to credential-harvesting sites hosted on AWS.

Business Email Compromise (BEC) Angle

Attackers also use SES for BEC campaigns, impersonating employees and vendors:

  • Emails contain forged invoice threads.
  • PDF attachments include fake payment details but no malicious links, making detection harder.
  • Finance teams are pressured into urgent wire transfers.

🛠️ How Attackers Gain Access

  • Leaked IAM Keys: Exposed in GitHub repos, Docker images, .env files, or unsecured S3 buckets.
  • Automated Scanning: Tools like TruffleHog hunt for exposed secrets.
  • Exploitation: Once keys are found, attackers verify permissions and blast phishing emails at scale using legitimate SES accounts.

Defensive Guidance

  • IAM Hygiene:
    • Apply least privilege to IAM keys.
    • Transition from static keys to IAM roles with scoped, temporary permissions.
    • Enable MFA, IP restrictions, and automated key rotation.
    • Use AWS Key Management Service (KMS) for centralized encryption key control.
  • Email Security:
    • Don’t trust emails solely based on sender domain or authentication headers.
    • Verify unexpected documents through separate communication channels.
    • Inspect every link carefully before clicking.

Final Thought

The abuse of Amazon SES shows how attackers are shifting from fake infrastructure to hijacking trusted platforms. By exploiting leaked IAM keys, they weaponize legitimate accounts to send phishing emails that pass every security check. For defenders, the lesson is clear: protecting IAM credentials is now as critical as monitoring phishing lures, because attackers don’t need to break authentication if they can borrow yours.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.