Published on May 5, 2026
Attackers Abuse Amazon SES to Send Authenticated Phishing Emails That Bypass Security
Severity
Medium
Detail
Threat actors are increasingly leveraging legitimate cloud infrastructure by utilizing Amazon Simple Email Service (Amazon SES) to distribute highly convincing phishing emails that evade traditional security controls. Unlike conventional phishing attacks, emails sent via Amazon SES include valid SPF, DKIM, and DMARC authentication headers, allowing them to pass standard email security checks and appear indistinguishable from legitimate communications.
Security researchers observed a significant increase in such campaigns in early 2026. Because these emails originate from trusted infrastructure within Amazon Web Services (AWS), reputation-based filtering and IP blocking become less effective without disrupting legitimate business operations. Common phishing lures include impersonation of electronic signature platforms such as DocuSign, where victims are prompted to review or sign documents. These emails often contain links pointing to AWS-hosted domains, which redirect users to credential harvesting pages.
It is important to note that Amazon SES itself is not compromised; instead, attackers abuse legitimate accounts to carry out these campaigns.
In addition to credential theft, attackers are also conducting Business Email Compromise (BEC) campaigns. These involve sending fake invoice threads or payment requests to finance departments, often using convincing but fraudulent documentation without malicious links, making detection more difficult.
How?
The attack begins when threat actors obtain exposed AWS Identity and Access Management (IAM) access keys, often leaked through public repositories, misconfigured storage, or application files. Using automated tools such as TruffleHog, attackers scan for and identify these credentials. Once a valid key is found, they verify its permissions, particularly the ability to send emails via Amazon SES, and assess sending limits.
They then use the compromised account to distribute phishing emails at scale through trusted infrastructure under Amazon Web Services, ensuring the messages pass SPF, DKIM, and DMARC authentication checks. These emails may contain links to AWS-hosted credential harvesting pages or include fraudulent business documents in BEC scenarios, making them appear highly legitimate and difficult to detect, especially for systems relying primarily on reputation-based controls.
Mitigation Recommendations
To reduce the risk of abuse involving Amazon Simple Email Service and exposed AWS credentials, organizations and users should implement the following security measures:
- Enforce the principle of least privilege for IAM access keys
- Replace static access keys with IAM roles wherever possible
- Enable multi-factor authentication (MFA) for all AWS accounts
- Rotate access keys regularly and remove unused credentials
- Implement logging and monitoring (e.g., AWS CloudTrail) to detect anomalies
- Apply IP-based access restrictions where feasible
- Use AWS Key Management Service (KMS) for centralized encryption key management
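The two observable steps in the attack chain above, a quota/permission check on a stolen key followed by bulk sending, can be surfaced from the CloudTrail monitoring recommended here. The following is an added example, not code from the advisory or from AWS: it walks CloudTrail-style records (field names follow the CloudTrail record format; the records themselves are constructed sample data) and flags SES reconnaissance calls from an unexpected source IP and send bursts per access key. The allow-listed IP, key IDs and thresholds are assumptions, and it assumes SES send calls are present in the log stream being analyzed.

```python
# Added example (not from the advisory): flag SES reconnaissance and send bursts
# in CloudTrail-style records. All sample data below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CALLS = {"GetSendQuota", "GetAccount", "ListIdentities"}  # quota/permission checks
SEND_CALLS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail"}
ALLOWED_IPS = {"203.0.113.10"}   # assumed corporate egress address (documentation range)
BURST_THRESHOLD = 5              # sends from one key inside WINDOW that trigger a finding
WINDOW = timedelta(minutes=10)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records):
    """Return a list of (access_key_id, reason) findings, in log order."""
    findings = []
    sends = defaultdict(list)  # access key -> timestamps of send calls
    for r in records:
        if r.get("eventSource") != "ses.amazonaws.com":
            continue
        key = r["userIdentity"].get("accessKeyId", "?")
        name, ip, t = r["eventName"], r["sourceIPAddress"], _ts(r["eventTime"])
        # Step 1 of the chain: the attacker checks what the key may send and its limits.
        if name in RECON_CALLS and ip not in ALLOWED_IPS:
            findings.append((key, f"{name} from unexpected IP {ip}"))
        # Step 2: sending at scale. Fire once when the window first reaches the threshold.
        if name in SEND_CALLS:
            sends[key].append(t)
            recent = [x for x in sends[key] if t - x <= WINDOW]
            if len(recent) == BURST_THRESHOLD:
                findings.append((key, f"{len(recent)} sends within {WINDOW}"))
    return findings


def _rec(t, name, key, ip):
    """Build a minimal constructed CloudTrail-style record."""
    return {"eventTime": t, "eventSource": "ses.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}


# Constructed sample: a leaked key checked from an outside IP, then six sends in
# six minutes; a legitimate key sending once from the corporate egress.
SAMPLE = [_rec("2026-05-01T09:00:00Z", "GetSendQuota", "AKIACONSTRUCTED0001", "198.51.100.7")]
SAMPLE += [_rec(f"2026-05-01T09:0{i}:30Z", "SendRawEmail", "AKIACONSTRUCTED0001", "198.51.100.7")
           for i in range(6)]
SAMPLE.append(_rec("2026-05-01T10:00:00Z", "SendEmail", "AKIACONSTRUCTED0002", "203.0.113.10"))

if __name__ == "__main__":
    for key, reason in analyze(SAMPLE):
        print(f"ALERT {key}: {reason}")
```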
For end users, awareness remains critical:
- Do not rely solely on sender name or domain for trust
- Verify unexpected requests through separate communication channels
- Carefully inspect links before clicking, even if they appear legitimate