Amazon SES Exploited in Surge of 'Legitimate' Phishing Attacks – What You Need to Know

Breaking: Cybercriminals Weaponize Amazon's Email Service to Bypass Security Filters

A wave of phishing campaigns is exploiting Amazon Simple Email Service (SES) to deliver fraudulent messages that look legitimate to both security systems and recipients. Attackers send from trusted Amazon infrastructure, and their messages pass SPF, DKIM and DMARC checks, so standard email authentication offers no warning before victims are tricked into revealing credentials.

[Image. Source: securelist.com]

“This is a classic case of abusing trust,” said Dr. Elena Martinez, a senior threat analyst at CyberSafe Labs. “Because Amazon SES is a legitimate service used by millions of businesses, emails sent through it pass all authentication checks and are rarely flagged. Attackers know this and are capitalizing on it more aggressively than ever.”

Background: How Amazon SES Is Being Weaponized

Amazon Simple Email Service (SES) is a cloud-based platform for sending transactional and marketing email. It is part of AWS, and its sending infrastructure is widely trusted by email providers. A message sent through SES carries a Message-ID header ending in .amazonses.com, and it passes SPF, DKIM and DMARC checks for the verified sending identity.

Attackers are not using suspicious domains. They send through Amazon's own infrastructure, so the phishing emails look completely legitimate: the sending IPs are shared Amazon IPs with good reputation and are not on blocklists, which makes detection by IP or domain reputation extremely difficult. Blocking all Amazon SES traffic is not an option either, since it would cause massive false positives and cripple the businesses that rely on the service.

How Attackers Gain Access to Amazon SES

In most cases, attackers obtain AWS IAM credentials through leaked access keys. These keys are often left exposed in public GitHub repositories, environment files, Docker images, or misconfigured S3 buckets. Automated tools such as TruffleHog scan these sources for secrets and verify whether a found key is still live and what it is permitted to do.

“Once the attackers have verified the key's sending limits and permissions, they can mass-distribute phishing emails with ease,” noted Martinez. “The scale of abuse is now reaching critical levels.”
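The leak-and-verify pattern described above can be run against your own code before an attacker's tooling gets there. The following Python scanner is an added example, not code from the original article, from securelist.com or from TruffleHog: it matches the AWS access key ID format, gates 40-character secret candidates on Shannon entropy and on proximity to a key ID or a credential-like variable name, and reports findings redacted. The sample inputs are constructed; the key pair in them is the placeholder pair from AWS documentation, not a live credential, and the entropy threshold and window size are assumptions.

```python
import math
import re
from dataclasses import dataclass

# AWS access key IDs: a 4-letter prefix (AKIA for long-term IAM user keys, ASIA for temporary
# STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet. That pattern alone also matches
# git SHAs, hashes and random tokens, so each candidate must additionally clear an entropy
# threshold and sit near an access key ID or a secret-like variable name.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_KEYWORDS = ("secret", "aws_secret", "secretkey")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: a repeated placeholder scores 0, a real key well above 4."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    value: str

    def redacted(self) -> str:
        """Never echo a full secret into logs or tickets; show enough to locate it."""
        return f"{self.source}:{self.line_no} {self.kind} {self.value[:4]}...{self.value[-4:]}"


def scan_text(source: str, text: str, entropy_threshold: float = 3.5, window: int = 5) -> list:
    """Scan one text blob; threshold and window are assumed values, tune them for your corpus."""
    lines = text.splitlines()
    findings, key_lines = [], set()
    for no, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(source, no, "access_key_id", m.group(0)))
            key_lines.add(no)
    for no, line in enumerate(lines, 1):
        for m in SECRET_RE.finditer(line):
            cand = m.group(0)
            if shannon_entropy(cand) < entropy_threshold:
                continue                       # placeholder like xxxx... or 0000...
            near_key_id = any(abs(no - k) <= window for k in key_lines)
            keyword = any(kw in line.lower() for kw in SECRET_KEYWORDS)
            if near_key_id or keyword:
                findings.append(Finding(source, no, "secret_access_key", cand))
    return sorted(findings, key=lambda f: f.line_no)


def scan_files(paths) -> list:
    """Convenience wrapper for real files (repo checkouts, extracted image layers, .env files)."""
    out = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            out.extend(scan_text(p, fh.read()))
    return out


# Constructed inputs. The key pair below is the placeholder pair used in AWS documentation,
# not a live credential; the Dockerfile shows two common false positives.
SAMPLE_ENV = """\
# .env committed by mistake
DATABASE_URL=postgres://app:app@localhost/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=us-east-1
"""

SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# template placeholder: right shape, no entropy
ENV AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# git commit hash: 40 hex chars with decent entropy, but not next to a key ID or a credential variable
ENV BUILD_SHA=0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, text in ((".env", SAMPLE_ENV), ("Dockerfile", SAMPLE_DOCKERFILE)):
        for f in scan_text(name, text):
            print(f.redacted())
```

Run it over a checkout with `scan_files(glob.glob("**/*", recursive=True))` and treat every `access_key_id` hit as a key to rotate, not just to delete: once a key has been pushed, assume it has already been harvested.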

Phishing Examples: Fake Notifications from Trusted Services

One common theme is fake notifications from electronic signature services like DocuSign. The phishing email appears to be a request to sign a document, complete with Amazon SES headers that confirm its “legitimate” delivery.

[Image. Source: securelist.com]

Users see a link on an Amazon-owned hostname (a subdomain of amazonaws.com) and click with confidence, only to land on a phishing page designed to steal login credentials. Because SES accepts arbitrary HTML bodies, attackers can reproduce a service's own templates, which makes these emails even more convincing.
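The header and link characteristics described in the Background section and in this one can be turned into a triage rule that does not depend on IP or domain reputation. The following Python is an added example, not code from the original article or from securelist.com; the brand table, the signal weights and both sample messages are assumptions constructed for illustration (hostnames use reserved .example domains). It parses a raw message, records SES origin from the Message-ID, checks whether the display name claims a brand the From domain does not belong to, checks DKIM/From alignment, and flags links whose hostname sits under amazonaws.com. SES origin on its own is deliberately weighted zero.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand table for the display-name check. This is an assumption made for the example: a real
# deployment keeps its own list of impersonated brands and the domains they actually send from.
BRAND_DOMAINS = {
    "docusign": ("docusign.com", "docusign.net"),
    "amazon": ("amazon.com",),
}

# Illustrative weights. SES origin is worth nothing by itself: millions of legitimate senders
# use it, so acting on it alone would produce massive false positives.
WEIGHTS = {
    "ses_origin": 0,
    "display_name_impersonates": 3,
    "link_on_aws": 2,
    "dkim_not_aligned": 2,
}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def aligned(a: str, b: str) -> bool:
    """Relaxed DMARC-style alignment: identical, or one domain is a parent of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dkim_signing_domain(msg) -> str:
    """Return the d= tag of the DKIM-Signature header, or '' if there is none."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else ""


def body_urls(msg) -> list:
    """Collect every http(s) URL from the text/plain and text/html parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(payload.decode(part.get_content_charset() or "utf-8", "replace")))
    return urls


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    signals = []

    # 1. SES origin: SES stamps a Message-ID under amazonses.com. Context only, weight 0.
    msgid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if msgid_host.endswith("amazonses.com"):
        signals.append("ses_origin")

    # 2. Display name claims a brand that the From domain does not belong to.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in from_name.lower() and not any(aligned(from_dom, d) for d in legit):
            signals.append(f"display_name_impersonates:{brand}")

    # 3. DKIM signing domain not aligned with From (a DMARC alignment failure). The campaigns
    #    described in the article pass DMARC, so this is usually absent, but it is cheap to keep.
    d = dkim_signing_domain(msg)
    if d and not aligned(d, from_dom):
        signals.append("dkim_not_aligned")

    # 4. Links that land on amazonaws.com hostnames instead of the claimed brand's own site.
    for url in body_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith("amazonaws.com"):
            signals.append(f"link_on_aws:{host}")

    score = sum(WEIGHTS[s.split(":", 1)[0]] for s in signals)
    action = "quarantine" if score >= 3 else "flag" if score > 0 else "deliver"
    return {"signals": signals, "score": score, "action": action}


# Constructed sample messages (not captured from the campaign); DKIM values are placeholders.
PHISH = """\
From: "DocuSign" <notifications@mail-notify.example>
To: victim@corp.example
Subject: Please review and sign: Q3 vendor agreement
Message-ID: <0101018f2a3b4c5d-00000000-constructed@email.amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail-notify.example; s=sel1; h=From:To:Subject; bh=constructed; b=constructed
Content-Type: text/html; charset="utf-8"

<html><body><p>A document is waiting for your signature.</p>
<a href="https://docs-review-portal.s3.amazonaws.com/sign.html">Review document</a></body></html>
"""

LEGIT = """\
From: "Acme Billing" <billing@acme.example>
To: customer@corp.example
Subject: Your invoice is ready
Message-ID: <0101018f2a3b4c5d-11111111-constructed@email.amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=acme.example; s=sel1; h=From:To:Subject; bh=constructed; b=constructed
Content-Type: text/plain; charset="utf-8"

Your invoice is ready at https://billing.acme.example/invoices/4711
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw))
```

Both samples come from SES and both pass DKIM alignment; only the combination of a borrowed brand name with links hosted under amazonaws.com separates the phish from the invoice, which is exactly why reputation and authentication checks alone miss this traffic.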

What This Means for Organizations and Individuals

Traditional email security measures are insufficient against these attacks. Because the emails are technically authentic, they pass reputation-based filters and SPF, DKIM and even DMARC checks. Security teams must instead rely on behavioral analysis, anomaly detection (for example, a display name claiming one brand while the From domain and the link destinations belong to another), and user training.

“Organizations need to educate employees to scrutinize any email that asks for credentials, even if it appears to come from a trusted service like Amazon,” urged Martinez. “Technical controls alone won't stop this threat. A layered approach that includes awareness is critical.”

For individuals, the advice is simple: never click on links in unsolicited messages. Always navigate directly to the service's website. If an email seems suspicious, report it immediately. The rising tide of Amazon SES phishing shows that even the most trusted infrastructure can be turned against us.

What to Do If You Suspect an Attack

Stay vigilant. The attackers are getting smarter, and their tools are legitimate.
