Cybercriminals are increasingly leveraging Amazon’s cloud email service, Amazon SES, to distribute phishing emails that appear authentic and effortlessly bypass security measures. This tactic poses significant challenges for organizations trying to protect against phishing attacks.
Exploiting Trust in Amazon SES
Phishing attacks rely on deception, with perpetrators crafting emails that seem legitimate to trick recipients into surrendering sensitive information or funds. As security systems have improved in catching suspicious activities, attackers have shifted to exploiting trusted services like Amazon SES instead of creating fake infrastructure.
Amazon SES is a well-integrated component of the AWS ecosystem, widely trusted by businesses and security systems alike. Emails sent through this service typically include valid SPF, DKIM, and DMARC headers, allowing them to pass most email security checks. The presence of “.amazonses.com” in Message-ID headers further enhances their credibility.
The Rising Threat of Phishing Campaigns
In early 2026, researchers from Securelist observed a notable increase in phishing campaigns abusing Amazon SES. Attackers exploit this service not because of any inherent vulnerability but due to its legitimate nature. By sending phishing emails through a reputable infrastructure, they evade reputation-based blocklists.
The most frequent tactic involves mimicking notifications from electronic signature services, such as Docusign, luring victims into clicking links that seem to direct to amazonaws.com. These links then lead to credential-harvesting pages hosted on AWS, making the deceit difficult to identify.
Business Email Compromise and Preventive Measures
Beyond credential theft, attackers also use Amazon SES for Business Email Compromise (BEC) schemes, impersonating employees to send fake invoice requests to finance departments. These emails often include PDF attachments with forged payment details, designed to look like genuine business communications.
The initial breach point for such operations is usually leaked AWS Identity and Access Management (IAM) access keys. Developers frequently expose these keys in public repositories or unsecured storage, making them easy targets for attackers using tools like TruffleHog.
Securelist advises organizations to prioritize the security of IAM access keys. Implementing the principle of least privilege, transitioning to AWS IAM roles, enabling multi-factor authentication, and conducting regular security audits can significantly mitigate risks. Additionally, users should verify unexpected emails through separate channels and scrutinize links before clicking.
Stay informed by following us on Google News, LinkedIn, and X, and set CSN as a preferred source on Google for more updates.
