VYPR
Trend · Published May 4, 2026 · Updated May 17, 2026 · 1 source

Amazon SES Increasingly Abused to Bypass Phishing Filters

Threat actors are increasingly leveraging Amazon Simple Email Service (SES) to launch sophisticated phishing campaigns that bypass traditional security defenses by exploiting leaked AWS credentials.

Threat actors are increasingly exploiting Amazon Simple Email Service (SES) to distribute high-quality phishing campaigns that bypass traditional security filters. According to researchers at Kaspersky, this surge in abuse is primarily driven by the widespread exposure of AWS Identity and Access Management (IAM) access keys in public repositories, Docker images, and misconfigured S3 buckets (BleepingComputer).

The technical mechanism behind these attacks relies on the inherent trust placed in Amazon’s infrastructure. Because Amazon SES is a legitimate, high-reputation service, emails sent through it naturally pass authentication protocols like SPF, DKIM, and DMARC, rendering reputation-based blocking ineffective (BleepingComputer). Attackers use automated tools, such as the open-source utility TruffleHog, to scan for leaked credentials. Once a valid key is found, they verify its permissions and email-sending limits before automating the distribution of malicious messages (BleepingComputer).

The impact of this abuse is significant, as the phishing emails are often highly convincing. Kaspersky observed attackers using custom HTML templates to mimic legitimate services, such as fake DocuSign document-signing notifications, to direct victims to malicious AWS-hosted pages (BleepingComputer). Furthermore, the platform is being leveraged for sophisticated Business Email Compromise (BEC) attacks, where threat actors fabricate entire email threads and send fraudulent invoices to target finance departments (BleepingComputer).

Defending against this activity is challenging because standard IP-based blocking is ineffective; blacklisting the IP addresses associated with Amazon SES would inadvertently block legitimate business communications (BleepingComputer). Consequently, security teams are urged to adopt a "least privilege" approach to IAM permissions, enforce multi-factor authentication (MFA), and implement regular key rotation (BleepingComputer).
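As an added illustration of the least-privilege and key-rotation advice above (not code from Kaspersky, BleepingComputer or AWS), the following Python audit flags IAM policy statements that allow SES sending on every resource with no condition, and active access keys past a rotation window. The 90-day window, the function names and all sample data are assumptions constructed for this example.

```python
import fnmatch
from datetime import datetime, timezone

# IAM actions that let a key holder send mail through SES.
SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail",
                "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail")
MAX_KEY_AGE_DAYS = 90  # assumed rotation window, not a figure from the article

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_ses_statements(policy):
    """Sids of Allow statements granting SES send on Resource "*" with no
    Condition. Statements using NotAction are not evaluated here."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # IAM action matching is case-insensitive and supports * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        grants_send = any(fnmatch.fnmatchcase(s.lower(), p)
                          for p in patterns for s in SEND_ACTIONS)
        if (grants_send and "*" in _as_list(stmt.get("Resource", []))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def stale_active_keys(key_metadata, now):
    """AccessKeyIds of Active keys older than MAX_KEY_AGE_DAYS; input has the
    shape of AccessKeyMetadata from `aws iam list-access-keys`."""
    return [k["AccessKeyId"] for k in key_metadata
            if k["Status"] == "Active"
            and (now - datetime.fromisoformat(k["CreateDate"])).days > MAX_KEY_AGE_DAYS]

# Constructed sample data: one over-broad grant, one scoped grant, three keys.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MailerTooBroad", "Effect": "Allow", "Action": "ses:*", "Resource": "*"},
    {"Sid": "MailerScoped", "Effect": "Allow",
     "Action": ["ses:SendEmail", "ses:SendRawEmail"],
     "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
     "Condition": {"StringEquals": {"ses:FromAddress": "billing@example.com"}}}]}
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEOLDKEY000", "Status": "Active",
     "CreateDate": "2025-01-10T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLENEWKEY000", "Status": "Active",
     "CreateDate": "2026-04-20T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLEDISABLED0", "Status": "Inactive",
     "CreateDate": "2024-06-01T00:00:00+00:00"}]

if __name__ == "__main__":
    now = datetime(2026, 5, 4, tzinfo=timezone.utc)
    print("broad SES grants:", broad_ses_statements(SAMPLE_POLICY))
    print("keys to rotate:", stale_active_keys(SAMPLE_KEYS, now))
```

A statement scoped to a single verified identity and a fixed `ses:FromAddress` limits what a leaked key can send, which is why the second sample statement is not flagged.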

In response to the findings, Amazon emphasized its existing security guidance regarding the protection of credentials and unauthorized account access. An AWS spokesperson stated that the company investigates reports of terms of service violations and encouraged users to report suspected abuse directly to AWS Trust & Safety (BleepingComputer).

This trend highlights a broader shift in threat actor tactics, where attackers move away from building their own infrastructure toward hijacking trusted, legitimate platforms to evade detection. As organizations continue to move operations to the cloud, IAM credential security remains a critical weak point that, if left unmanaged, allows attackers to weaponize the very services intended to support business operations (BleepingComputer).

Synthesized by Vypr AI