Attackers Weaponize Amazon SES to Bypass Email Security in Phishing and BEC Campaigns
Threat actors are increasingly abusing Amazon SES to send phishing and business email compromise emails that pass SPF, DKIM, and DMARC checks, making them appear fully legitimate.

Attackers are increasingly abusing Amazon Simple Email Service (Amazon SES) to bypass email security and deliver convincing phishing and business email compromise (BEC) attacks. According to a report from Securelist, these emails pass all standard authentication checks—SPF, DKIM, and DMARC—and originate from trusted Amazon infrastructure, making them extremely difficult for traditional security tools to detect.
The abuse typically begins with compromised AWS IAM access keys. Attackers use automated tools like TruffleHog to scan public GitHub repositories, configuration files, and other exposed sources for leaked credentials. Once they obtain valid keys with sufficient permissions, they can send thousands of phishing emails through Amazon SES without needing to set up their own domains or mail servers.
Campaigns observed in early 2026 include fake DocuSign notifications and fraudulent invoice conversations. The phishing emails contain links to credential-harvesting pages hosted on amazonaws.com domains, which victims trust because of the legitimate-looking URL. The emails themselves are crafted using custom HTML templates and include legitimate Amazon SES headers, further reducing suspicion.
BEC attacks have also been observed. In one case, attackers sent an email that appeared to be a forwarded thread between an employee and a vendor discussing an outstanding invoice. The email requested urgent payment to a fraudulent account. The PDF attachments contained only payment details and supporting documentation, with no malicious links or QR codes, making them harder to flag.
Because the emails originate from Amazon's infrastructure, the sender IP addresses are not on reputation-based blocklists. Blocking all Amazon SES traffic would cause massive false positives, as many legitimate services rely on it for transactional and marketing emails. This makes traditional blocklisting ineffective.
To mitigate these attacks, organizations should secure their AWS credentials by implementing least-privilege access, using IAM roles instead of long-lived access keys, enabling multi-factor authentication, and setting up automated key rotation. Regular security audits and IP-based access restrictions can also help reduce the risk of credential exposure.
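One way to check the least-privilege and IP-restriction advice above against your own IAM policies, as an added example that is not from the Securelist report or from AWS: a small Python audit that flags Allow statements granting SES send actions on every resource or without a network condition. The sample policies, account ID, domain and CIDR range are constructed placeholders.

```python
import fnmatch

# SES API actions that actually send mail.
SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail")
# Global condition keys that pin a credential to known networks.
NETWORK_KEYS = {"aws:sourceip", "aws:sourcevpce", "aws:sourcevpc"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_send(stmt):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    # Statements that use NotAction instead of Action are not evaluated here.
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(act, p) for p in patterns for act in SEND_ACTIONS)

def _condition_keys(stmt):
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def audit_policy(policy):
    """Return findings for Allow statements that let a key send via SES unrestricted."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _grants_send(stmt):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: send allowed on Resource '*', scope to identity ARNs")
        if not (_condition_keys(stmt) & NETWORK_KEYS):
            findings.append(f"{sid}: no aws:SourceIp/VPC condition, key usable from anywhere")
    return findings

# Constructed sample policies (account ID, identity and CIDR are placeholders).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Mail", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Mail", "Effect": "Allow",
     "Action": ["ses:SendEmail", "ses:SendRawEmail"],
     "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(pol) or "ok")
```

A leaked key attached to the broad policy can send from any network through any verified identity; the scoped policy limits the same key to one identity and one address range.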
Users should remain vigilant and not rely solely on email authentication checks to determine safety. The rise of Amazon SES phishing highlights a broader trend of attackers abusing trusted cloud services to bypass security controls, a challenge that requires both technical and behavioral defenses.