Researchers report Amazon SES abused in phishing to evade detection

https://www.bleepingcomputer.com/news/security/researchers-report-amazon-ses-abused-in-phishing-to-evade-detection/

Publish Date: 2026-05-04 16:03:28

Source Domain: www.bleepingcomputer.com

Summary

Kaspersky, a cybersecurity firm, has reported growing misuse of Amazon’s Simple Email Service (SES) to conduct highly convincing phishing attacks that evade typical security filters. The trend may stem from the large number of AWS Identity and Access Management (IAM) access keys exposed in public repositories, including GitHub and other platforms. Because Amazon SES is a legitimate service, attackers' messages get past authentication checks such as SPF, DKIM, and DMARC, which makes the phishing emails more believable. The attackers use bots to scan for exposed keys, then automate validating the keys' permissions and launching large-scale phishing campaigns. The phishing messages use advanced techniques, including fake DocuSign notifications and fake invoices for business email compromise (BEC) scams, with custom HTML templates for a realistic appearance. Amazon says it promptly addresses potential misuse and encourages reporting such activity through its Trust & Safety channels. To improve security, Kaspersky advises applying least-privilege principles, multi-factor authentication, regular key rotation, and encryption controls.

Key Points:

  • Increasing use of Amazon SES by cybercriminals to execute sophisticated phishing attacks, leveraging leaked AWS credentials.
  • High-quality phishing attacks using realistic templates and techniques like BEC to trick financial departments.
  • Difficulty in stopping phishing emails via Amazon SES due to the service’s legitimate status and the impracticality of blocking all SES emails.
  • Recommendation by Kaspersky for companies to boost security through better IAM practices, multi-factor authentication, and encryption.
  • Amazon responds to phishing attempts through its Trust & Safety channels and promotes security best practices.
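
The least-privilege advice above, as an added example (not code from the article, Kaspersky or Amazon): a check that flags IAM policy statements which would let a leaked access key send mail through SES from any identity with no conditions. The function names, sample policies, account ID and addresses are constructed for illustration.

```python
import fnmatch

# SES API actions that send mail (real IAM action names).
SES_SEND_ACTIONS = ["ses:SendEmail", "ses:SendRawEmail",
                    "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail"]

# Constructed sample policies; account ID, domain and address are placeholders.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {"StringEquals": {"ses:FromAddress": "billing@example.com"}}}}

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def risky_ses_statements(policy):
    """Return findings for Allow statements that grant SES sending broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        granted = [act for act in SES_SEND_ACTIONS
                   if any(fnmatch.fnmatchcase(act.lower(), p) for p in patterns)]
        if not granted:
            continue
        reasons = []
        if "*" in _as_list(stmt.get("Resource", [])):
            reasons.append("Resource is '*' (any SES identity)")
        if not stmt.get("Condition"):
            reasons.append("no Condition (e.g. ses:FromAddress, aws:SourceIp)")
        if reasons:
            findings.append({"statement": i, "actions": granted,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, risky_ses_statements(pol))
```
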