- Report claims attackers are hijacking exposed AWS credentials to send large‑scale phishing emails via Amazon SES
- Malicious messages bypass SPF, DKIM, and DMARC checks, landing directly in inboxes
- Researchers warn the trend is growing, urging stricter IAM practices and key management
Security experts from Kaspersky have claimed the Amazon Simple Email Service (SES) is being abused to launch phishing attacks which easily bypass current defenses and expose victims to risks of credential and identity theft
The company made its claims in a new report which noted, “Specifically, we’ve recently observed an uptick in phishing attacks leveraging Amazon SES.
The attackers start by stealing exposed AWS credentials. By using TruffleHog (or similar utilities), they scan GitHub repositories, .ENV files, Docker images, backups, and publicly accessible S3 buckets at scale, looking for login credentials for Amazon Web Services.
Passing all of the checks
Once found, they analyze permissions and email distribution capabilities: “After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages,” Kaspersky said.
The messages are carefully crafted, containing custom HTML templates that imitate legitimate services, and highly realistic login flows. The themes vary, from fake DocuSign documents, to Business Email Compromise (BEC) campaigns.
Being a legitimate service itself, Amazon SES allows the attackers’ emails to clear authentication checks such as SPF, DKIM, and DMARC protocols, landing the malicious messages directly into people’s inboxes. Furthermore, blocking by IP also doesn’t work, since it would ban all emails coming from Amazon SES.
“Phishing via Amazon SES is shifting from isolated incidents into a steady trend,” Kaspersky warned. “By weaponizing this service, attackers avoid the effort of building dubious domains and mail infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to blast out thousands of phishing emails.”
To mitigate the risks, Kaspersky recommends users implement the principle of least privilege when configuring IAM access. They also recommend transitioning from IAM access keys to roles when configuring AWS, and enabling multi-factor authentication.
IP-based access restrictions should be configured, as well as automated key rotation. Finally, users should use the AWS KEy Management Service to encrypt data and manage keys from a centralized location.
“AWS has clear terms that prohibit the use of our services to violate the security, integrity, or availability of others," an AWS spokesperson told TechRadar Pro.
"When we receive reports of potential violations of our terms, we act quickly to review and take appropriate action. As always, we encourage all customers to follow recommended security guidance to help secure their accounts and prevent abuse. If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety."
