VYPR
Trend · Published May 4, 2026 · Updated May 17, 2026 · 1 source

Attackers Abuse Amazon SES to Bypass Email Security Filters

Threat actors are increasingly exploiting Amazon Simple Email Service (SES) to deliver high-quality phishing and BEC attacks that bypass traditional email authentication filters.

Cybersecurity researchers at Kaspersky have identified a significant increase in the abuse of Amazon Simple Email Service (SES) to distribute sophisticated phishing campaigns. By leveraging the platform's reputation as a trusted, legitimate email service, attackers are successfully bypassing standard security filters, including SPF, DKIM, and DMARC authentication protocols (BleepingComputer).

The technical mechanism behind this abuse relies on the unauthorized acquisition of AWS Identity and Access Management (IAM) access keys. Threat actors are reportedly using automated tools, such as the open-source utility TruffleHog, to scan public repositories, Docker images, backups, and exposed S3 buckets for leaked credentials. Once a valid key is obtained, attackers verify the associated permissions and email-sending limits before automating the distribution of high-volume phishing messages (BleepingComputer).

The impact of this activity is substantial due to the high quality of the phishing lures. Kaspersky reports that attackers are utilizing custom HTML templates to mimic legitimate services, such as DocuSign, and are even fabricating complex email threads to facilitate Business Email Compromise (BEC) attacks. These fraudulent communications often include fake invoices designed to deceive finance departments into authorizing illicit payments (BleepingComputer).

Defending against this vector is particularly challenging because Amazon SES is a trusted infrastructure. Security teams cannot simply block the IP addresses associated with the service, as doing so would disrupt legitimate business communications. Consequently, organizations must rely on proactive credential management to mitigate the risk. Kaspersky advises companies to enforce the principle of least privilege for IAM roles, mandate multi-factor authentication (MFA), and implement regular key rotation cycles (BleepingComputer).
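As an added illustration of the rotation and MFA advice above (not code from Kaspersky, AWS, or the cited report), the following audits an IAM credential report, the CSV that IAM generates per account, for active access keys past a rotation threshold and console users without MFA. The 90-day threshold and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; use your organisation's value

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
ses-mailer,false,false,true,2025-01-10T09:00:00+00:00,false,N/A
alice,true,false,true,2026-04-20T12:00:00+00:00,false,N/A
bob,true,true,false,2024-06-01T08:30:00+00:00,true,2025-11-02T08:30:00+00:00
ci-deploy,false,false,true,2026-05-01T00:00:00+00:00,false,N/A
"""


def audit_credential_report(csv_text, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for stale active keys and missing MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Console users without MFA: a phished password is enough to log in.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive keys cannot sign requests
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            try:
                age = (now - datetime.fromisoformat(rotated)).days
            except ValueError:
                findings.append((user, f"access key {slot}: unknown rotation date"))
                continue
            if age > max_age_days:
                findings.append((user, f"access key {slot}: {age} days since rotation"))
    return findings


if __name__ == "__main__":
    as_of = datetime(2026, 5, 17, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for user, finding in audit_credential_report(SAMPLE_REPORT, as_of):
        print(f"{user}: {finding}")
```

Long-lived keys on service users such as the constructed `ses-mailer` row are the ones most exposed to the repository and image scanning described earlier, so they are the first candidates for rotation or replacement with role-based temporary credentials.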

In response to these findings, Amazon emphasized the importance of following its security guidance regarding the protection of credentials. An AWS spokesperson stated that the company takes reports of terms of service violations seriously and encourages users to report suspected abuse directly to AWS Trust & Safety (BleepingComputer).

This trend highlights a broader, ongoing shift in the threat landscape where adversaries prioritize the exploitation of legitimate cloud services to maintain persistence and evade detection. As attackers continue to refine their automation capabilities for secret harvesting and campaign distribution, the security of cloud-based identity and access management remains a critical focal point for enterprise defense.

Synthesized by Vypr AI