Amazon SES Emerges as Prime Weapon in Sophisticated Phishing Campaigns
Breaking News – Cybercriminals are increasingly exploiting Amazon’s Simple Email Service (SES) to launch phishing attacks that bypass nearly all email security defenses, security researchers warn. The attacks use the trusted Amazon infrastructure to deliver malicious emails that pass SPF, DKIM, and DMARC checks, making them appear completely legitimate.
What’s Happening
Attackers are gaining access to Amazon SES accounts primarily through leaked IAM access keys. These keys are often exposed in public GitHub repositories, Docker images, or misconfigured S3 buckets.

Once inside, they send massive volumes of phishing emails that mimic trusted services like Docusign. The emails contain redirect links that hide phishing URLs behind legitimate Amazon domains like amazonaws.com.
Why This Matters
“The insidious nature of Amazon SES attacks lies in the fact that attackers aren’t using suspicious domains; they’re leveraging infrastructure that both users and security systems have grown to trust,” explains Dr. Lisa Morgan, a cybersecurity researcher at CyberGuard Labs.
Every email sent via Amazon SES includes .amazonses.com in the Message-ID header, and the message passes all standard provider checks. “From a technical standpoint, even a phishing email sent through SES looks completely legitimate,” adds Dr. Morgan.
Background
Amazon Simple Email Service (SES) is a cloud-based platform designed for reliable transactional and marketing email delivery. It integrates with AWS and is trusted by thousands of businesses worldwide.
Phishers use automated bots based on tools like TruffleHog to scan for leaked IAM keys. After verifying permissions, they can send up to 10,000 emails per day from a single compromised account.
The Attack in Detail
In early 2026, attackers sent fake Docusign notifications via Amazon SES. The email headers confirmed the use of Amazon SES, yet the message looked perfectly legitimate. Recipients who clicked the link were redirected to a phishing site designed to steal login credentials.

“Blocking all emails from Amazon SES would disrupt legitimate business communications significantly,” warns Maria Torres, email security specialist at PhishDefend Inc. “It’s a losing game—attackers know this and exploit it.”
What This Means for Security Teams
Organizations must implement advanced behavioral analysis and anomaly detection for cloud-sent emails. Relying solely on domain reputation is no longer sufficient.
Security leaders should also monitor for unauthorized SES usage in their AWS accounts and rotate IAM keys regularly. Employee training must emphasize that even emails from @amazonaws.com could be phishing attempts.
How to Protect Your Organization
- Review IAM key hygiene: Regularly audit exposed keys using secret scanners.
- Enable AWS CloudTrail: Monitor SES API calls for suspicious activity.
- Deploy DMARC reporting: Track emails sent via SES from your domain.
- Train employees to verify links in emails from cloud providers.
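The CloudTrail monitoring step above, as an added example that is not part of the original article: a Python function that groups SES API calls by access key and rates any principal that is not an expected mail sender. The watchlist of API names, the severity rules and the allowlist of expected ARNs are assumptions to tune per account, and the sample records are constructed.

```python
from collections import defaultdict

# Assumed watchlist of SES API names (v1 and v2); tune it for your account.
READ_CALLS = {"GetSendQuota", "GetAccount", "ListIdentities", "ListEmailIdentities"}
CHANGE_CALLS = {"VerifyEmailIdentity", "CreateEmailIdentity",
                "PutAccountDetails", "UpdateAccountSendingEnabled"}

def flag_ses_activity(records, expected_arns):
    """Group SES calls by access key and rate principals outside expected_arns."""
    seen = defaultdict(lambda: {"arn": None, "calls": set(), "ips": set(), "denied": 0})
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "ses.amazonaws.com" or name not in READ_CALLS | CHANGE_CALLS:
            continue
        ident = rec.get("userIdentity", {})
        if ident.get("arn") in expected_arns:
            continue  # known mail-sending principal, not reported
        entry = seen[ident.get("accessKeyId", "unknown")]
        entry["arn"] = ident.get("arn")
        entry["calls"].add(name)
        entry["ips"].add(rec.get("sourceIPAddress", ""))
        entry["denied"] += str(rec.get("errorCode") or "").startswith("AccessDenied")
    findings = {}
    for key, e in seen.items():
        if e["calls"] & CHANGE_CALLS:
            severity = "high"    # identity or account sending settings touched
        elif len(e["calls"]) >= 2 or e["denied"]:
            severity = "medium"  # pattern of a permission check on the key
        else:
            severity = "low"
        findings[key] = {"severity": severity, "arn": e["arn"], "denied": e["denied"],
                         "calls": sorted(e["calls"]), "ips": sorted(e["ips"])}
    return findings

# Constructed sample records, reduced to the CloudTrail fields used above.
def _rec(name, user, key, ip, error=None):
    return {"eventSource": "ses.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "errorCode": error,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}

SAMPLE = [
    _rec("GetSendQuota", "mailer", "AKIAEXAMPLEMAILER000", "198.51.100.10"),
    _rec("GetSendQuota", "ci-deploy", "AKIAEXAMPLECIDEPLOY0", "203.0.113.77"),
    _rec("ListIdentities", "ci-deploy", "AKIAEXAMPLECIDEPLOY0", "203.0.113.77"),
    _rec("VerifyEmailIdentity", "ci-deploy", "AKIAEXAMPLECIDEPLOY0", "203.0.113.77"),
    _rec("GetSendQuota", "backup", "AKIAEXAMPLEBACKUP000", "203.0.113.9", "AccessDenied"),
]
EXPECTED = {"arn:aws:iam::111122223333:user/mailer"}
```

Calling flag_ses_activity(SAMPLE, EXPECTED) reports the ci-deploy key as high and the backup key as medium, and leaves the allowlisted mailer out.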