Amazon SES increasingly abused in phishing to evade detection

Published: May 4, 2026 at 04:03 PM EDT

Source: Bleeping Computer

Abuse of Amazon SES for Phishing

The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation‑based blocks ineffective.

Although the service has been leveraged for malicious activity in the past, the current spike may be due to a large number of AWS Identity and Access Management (IAM) access keys exposed in public assets. Because SES is a legitimate, trusted resource, phishing operations can use it to send malicious emails that pass authentication checks.

Kaspersky researchers note in a report that they have “observed an uptick in phishing attacks leveraging Amazon SES” to deliver links that redirect to malicious sites.

Figure: Headers on phishing email (Source: Kaspersky)

Sources of Leaked Credentials

The researchers believe the main driver of this abuse is the increasing exposure of AWS credentials in:

  • GitHub repositories
  • .env files
  • Docker images
  • Backups
  • Publicly accessible S3 buckets

Attackers typically find the access keys automatically, using bots built on the open‑source TruffleHog utility, which scans for leaked secrets. Threat actors now rely on automated attacks that streamline secret scanning, permission validation, and email distribution, enabling unprecedented levels of abuse.

“After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages,” – Kaspersky.

Observed Attack Techniques

Based on their findings, the researchers say that the phishing quality is high, featuring custom HTML templates that mimic real services and realistic login flows. Observed attacks include:

  • Fake document‑signing notifications that imitate DocuSign and lead victims to AWS‑hosted phishing pages.
  • Business Email Compromise (BEC) attacks with fabricated email threads and fake invoices designed to trick finance departments into making payments.

Figure: Fabricated documents supporting the BEC attacks (Source: Kaspersky)

By leveraging Amazon SES, attackers no longer need to worry about authentication checks such as SPF, DKIM, and DMARC. Blocking the offending IP addresses is not a viable solution because it would also block legitimate email traffic sent through SES.

Mitigation Recommendations

Kaspersky recommends that organizations:

  • Restrict IAM permissions based on the least‑privilege principle.
  • Enable multi‑factor authentication for all IAM users.
  • Regularly rotate access keys.
  • Apply IP‑based access restrictions and encryption controls for SES usage.