The Amazon Simple Email Service, known as Amazon SES, is increasingly being misused by attackers to send highly convincing phishing emails that can slip past standard security filters and reputation-based protections.

While the service has been abused before, researchers say the recent spike is likely tied to a growing number of exposed AWS Identity and Access Management (IAM) access keys. These keys are often found in public places like GitHub repositories, .env files, Docker images, backups, and open S3 storage.

Because Amazon SES is a trusted and legitimate email platform, attackers can use it to send messages that pass authentication checks without raising immediate suspicion. Researchers at Kaspersky say they have seen a clear increase in phishing campaigns using this method, with emails containing links that redirect users to malicious websites.

The process is largely automated. Attackers use tools like TruffleHog to scan for leaked credentials, then verify what those keys can do and how many emails they can send. Once confirmed, they use them to launch large-scale phishing campaigns.

The emails themselves are becoming more sophisticated. Many include custom HTML templates designed to closely mimic real services, along with realistic login pages. Some attacks pose as document-signing requests that imitate DocuSign, directing users to phishing pages hosted on AWS infrastructure.

In more advanced cases, attackers carry out business email compromise schemes by creating fake email threads. These messages often include fabricated invoices aimed at tricking finance teams into sending payments.

Defending against these attacks is challenging. Blocking the IP addresses used to send the emails is not practical, since doing so could also block legitimate emails sent through Amazon SES.

Researchers recommend limiting IAM permissions using the principle of least privilege, enabling multi-factor authentication, rotating access keys regularly, and applying IP-based restrictions and encryption controls.
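
As an added illustration of the least-privilege and IP-restriction advice above (not code from Kaspersky or AWS), this Python example audits an IAM policy document for statements that would let a leaked key send mail through SES without constraint. The function names and the sample policy, including its account ID, domain and CIDR range, are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Real SES IAM actions that send mail, lowercased (IAM action names are case-insensitive).
SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail",
                "ses:sendtemplatedemail", "ses:sendbulktemplatedemail")

def as_list(value):
    """IAM accepts either one string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]

def audit_ses_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements that grant SES sending too broadly.
    Limitation: statements that use NotAction or NotResource are not evaluated."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Keep only the action patterns that cover at least one send action.
        sending = [p for p in (a.lower() for a in as_list(stmt["Action"]))
                   if any(fnmatchcase(s, p) for s in SEND_ACTIONS)]
        if not sending:
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if any("*" in p or "?" in p for p in sending):
            findings.append((sid, "wildcard action grants SES sending"))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((sid, "sending allowed from every identity (Resource *)"))
        ip_block = stmt.get("Condition", {}).get("IpAddress", {})
        if not any(k.lower() == "aws:sourceip" for k in ip_block):
            findings.append((sid, "no aws:SourceIp restriction on sending"))
    return findings

# Constructed sample policy: account ID, domain and CIDR are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadMailer", "Effect": "Allow", "Action": "ses:*", "Resource": "*"},
    {"Sid": "ScopedMailer", "Effect": "Allow",
     "Action": ["ses:SendEmail", "ses:SendRawEmail"],
     "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, finding in audit_ses_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Only the `BroadMailer` statement is reported; the scoped statement, limited to one sending identity and one source range, passes all three checks.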

In response, Amazon said users should follow its security guidance to protect accounts from unauthorized access and report any suspected abuse of AWS services to its Trust and Safety team.