Exploiting Trust: How Phishers Use Amazon SES to Evade Email Filters


Phishing attackers constantly evolve their tactics to slip past email security filters. One increasingly popular method is abusing trusted cloud services like Amazon Simple Email Service (SES). By leveraging legitimate infrastructure, scammers can send emails that appear completely authentic to both users and automated security systems. In this Q&A, we explore how Amazon SES is weaponized for phishing, the techniques attackers use, and what organizations can do to defend against this insidious threat.

What is Amazon SES and why is it attractive for phishing?

Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for reliable delivery of transactional and marketing messages. It integrates seamlessly with the larger AWS ecosystem. For attackers, the appeal lies in its trustworthiness. Emails sent through SES pass standard authentication checks like SPF, DKIM, and DMARC because they originate from Amazon-owned infrastructure. The Message-ID header contains .amazonses.com, making every message appear legitimate to email providers and recipients. This trust extends to the sending IP addresses, which are not blocklisted, and to domains that users readily click. Consequently, phishing campaigns using SES can bypass security filters that would otherwise flag suspicious senders.

Exploiting Trust: How Phishers Use Amazon SES to Evade Email Filters
Source: securelist.com

How do attackers gain access to Amazon SES?

In most cases, attackers gain access through leaked IAM (AWS Identity and Access Management) access keys. Developers often inadvertently expose these keys in public repositories on GitHub, inside .env files, Docker images, configuration backups, or even in publicly accessible S3 buckets. Phishers use automated tools like TruffleHog, an open-source utility designed to detect secrets in code, to scan for these exposed keys. Once a key is obtained, attackers verify its permissions and email sending limits, then begin sending massive volumes of phishing messages. This ease of access through leaked credentials makes Amazon SES a readily available weapon for cybercriminals.
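The defensive counterpart to the credential hunting described above is to scan your own repositories, build artifacts and configuration dumps for the same key formats before anyone else does. The Python below is an added example written for this page; it is not code from the original article and not TruffleHog. The .env fragment is constructed and uses the placeholder key pair from AWS's own documentation (AKIAIOSFODNN7EXAMPLE and its companion secret), which are not live credentials. The access key ID format it matches (AKIA for long-lived IAM user keys or ASIA for temporary credentials, followed by 16 uppercase alphanumerics) is the documented one; the secret is only reported when it sits next to a variable or key name that identifies it, since 40 base64-style characters alone match far too much.

```python
import re
import sys
from pathlib import Path

# Access key IDs are 20 characters: a fixed prefix (AKIA = IAM user key, ASIA = temporary
# credential) followed by 16 uppercase alphanumerics. Lookarounds stop partial matches
# inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# The secret is 40 base64-style characters; only flag it when a tell-tale name precedes it
# (AWS_SECRET_ACCESS_KEY=..., "aws_secret_access_key": "...", aws_secret_access_key = ...).
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# File types worth reading as text; "" covers extensionless files such as .env and Dockerfile
# (pathlib reports no suffix for dotfiles).
TEXT_SUFFIXES = {".env", ".py", ".js", ".ts", ".json", ".yml", ".yaml", ".toml", ".ini",
                 ".cfg", ".conf", ".txt", ".sh", ".tf", ".xml", ".properties", ""}

# Constructed .env fragment for this example; the key pair is the placeholder from AWS
# documentation, not a live credential.
SAMPLE_ENV = """\
# constructed .env fragment; the key pair is the placeholder from AWS documentation
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SMTP_HOST=email-smtp.us-east-1.amazonaws.com
"""


def redact(secret):
    """Keep enough of a secret to recognise it in a report without reproducing it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text, source="<string>"):
    """Return one finding per AWS key-shaped token, with its source and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": match.group(0)})
        for match in SECRET_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_secret_access_key",
                             "value": redact(match.group(1))})
    return findings


def scan_directory(root, skip_dirs=(".git", "node_modules", ".venv")):
    """Walk a checkout and scan every text-like file, skipping vendored and VCS trees."""
    findings = []
    skip = set(skip_dirs)
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in TEXT_SUFFIXES or skip & set(path.parts):
            continue
        try:
            text = path.read_text(errors="ignore")  # tolerate stray binary bytes
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    # Usage: python scan_keys.py [directory]; with no argument, scans the constructed sample.
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_ENV, "sample.env")
    for finding in results:
        print(f"{finding['source']}:{finding['line']}: {finding['kind']} {finding['value']}")
    sys.exit(1 if results else 0)
```

Wired into a pre-commit hook or CI step, the non-zero exit code blocks the push; the access key ID is printed in full because it is what you need to locate and rotate the key in IAM, while the secret is redacted so the report itself does not become a second leak.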

How do phishing emails bypass email security using Amazon SES?

Emails sent via Amazon SES appear technically legitimate because they travel over Amazon's infrastructure, which email providers trust. The sending domains carry valid SPF, DKIM, and DMARC records, so the messages pass all standard checks. Phishers can also mask URLs with redirects, showing a link on a trusted domain such as amazonaws.com while the actual destination is a malicious phishing site. Additionally, Amazon SES supports custom HTML templates, allowing attackers to craft convincing replicas of legitimate notifications (e.g., from DocuSign). The sender's IP address is in Amazon's own range and won't appear on reputation-based blocklists. Blocking Amazon SES entirely is impractical for major services, as it would cause massive false positives and disrupt normal workflows.
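The two answers above describe signals that a mail gateway or analyst can check mechanically: whether the message passed SPF, DKIM and DMARC while being relayed through SES (amazonses.com in Message-ID or Return-Path), whether the authenticated domains actually align with the From header, and whether a link's visible text names a different host than its real href. The Python below is an added example written for this page, not code from the original article or from securelist.com. The raw message, its domains and header values are constructed; the alignment test approximates DMARC relaxed alignment with a subdomain match, and the brand check simply looks for the display name inside the sender domain.

```python
import email
import email.utils
import json
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (assumed values, not a captured email): relayed through Amazon SES, so
# SPF passes on amazonses.com while DKIM is signed by the sender's own domain, which is
# what lets DMARC pass. The display name impersonates a signature service and the first
# link's visible text disagrees with its real destination.
SAMPLE_EMAIL = """\
Return-Path: <0100018f-example@amazonses.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=notify.example-sender.com;
 dmarc=pass header.from=notify.example-sender.com
From: "DocuSign" <no-reply@notify.example-sender.com>
To: victim@example.net
Subject: Document ready for signature
Message-ID: <0100018f-example@email.amazonses.com>
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review and sign the attached document.</p>
<a href="https://tracking.example-sender.com/r/abc123">https://docusign.example.com/view</a>
<a href="https://docusign.example.com/help">docusign.example.com/help</a>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DOMAIN_RE = {
    "spf": re.compile(r"smtp\.mailfrom=([\w.-]+)"),
    "dkim": re.compile(r"header\.d=([\w.-]+)"),
    "dmarc": re.compile(r"header\.from=([\w.-]+)"),
}
# Visible link text that itself looks like a URL or a bare host name.
VISIBLE_HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#:]|$)")


def parse_auth_results(msg):
    """Return {mechanism: {"result": ..., "domain": ...}} from Authentication-Results."""
    header = " ".join(str(msg.get("Authentication-Results", "")).split())
    results = {}
    for mech, verdict in AUTH_RE.findall(header):
        match = DOMAIN_RE[mech].search(header)
        results[mech] = {"result": verdict.lower(),
                         "domain": match.group(1).lower() if match else ""}
    return results


def relayed_via_ses(msg):
    """SES stamps its own amazonses.com domain into Message-ID and Return-Path."""
    return any("amazonses.com" in str(msg.get(name, "")).lower()
               for name in ("Message-ID", "Return-Path"))


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def mismatched_links(links):
    """Links whose visible text names one host while the href goes to another."""
    out = []
    for text, href in links:
        match = VISIBLE_HOST_RE.match(text)
        if not match:
            continue  # plain words as link text: nothing to compare against
        shown, actual = match.group(1).lower(), (urlparse(href).hostname or "").lower()
        if shown != actual:
            out.append({"shown": shown, "actual": actual, "href": href})
    return out


def _aligned(domain, from_domain):
    # Approximates DMARC relaxed alignment: identical, or one is a subdomain of the other.
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain)
                             or from_domain.endswith("." + domain))


def analyze(raw):
    """Summarise authentication, relay path and link/brand indicators for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    display_name, address = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    bad_links = mismatched_links(extract_links(body.get_content() if body else ""))
    indicators = []
    if bad_links:
        indicators.append("visible link text names a different host than the href")
    brand = re.sub(r"[^a-z0-9]", "", display_name.lower())
    if brand and brand not in re.sub(r"[^a-z0-9]", "", from_domain):
        indicators.append("display name brand does not appear in the sender domain")
    return {"authentication": auth,
            "aligned": {m: _aligned(v["domain"], from_domain) for m, v in auth.items()},
            "relayed_via_ses": relayed_via_ses(msg), "display_name": display_name,
            "from_domain": from_domain, "mismatched_links": bad_links,
            "indicators": indicators}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EMAIL), indent=2))
```

On the sample every authentication result is "pass" and the relay is plainly SES, which is exactly the situation the answers describe: reputation and authentication tell you nothing, and the only signals left are the unaligned SPF domain, the brand in the display name and the link whose text and destination disagree. Those are the fields a content-aware filter should weigh.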

What are some examples of phishing emails sent via Amazon SES?

One common example involves fake notifications from electronic signature services like DocuSign. Attackers send an email that looks exactly like a DocuSign request, with the sender appearing as a known contact. The email's technical headers confirm it was sent via Amazon SES, and the links point to a redirected Amazon URL. Another variant uses fake account alerts from popular platforms, urging recipients to verify credentials. In early 2026, such campaigns were particularly widespread. The convincing nature of these emails, combined with the trusted infrastructure, makes it easy for victims to click and disclose sensitive information.

What makes Amazon SES phishing particularly dangerous compared to other methods?

The key danger is that attackers are not using suspicious domains or IP addresses; they are leveraging infrastructure that both security systems and users inherently trust. Unlike phishing via compromised personal servers or free email services, Amazon SES emails cannot be easily filtered based on reputation. The sender's IP is clean, the domain is Amazon's, and all authentication passes. This makes it extremely difficult for standard email security tools to distinguish between legitimate Amazon SES traffic and malicious phishing messages. Additionally, because Amazon SES is widely used by businesses for transactional emails, blocking it entirely would cause significant operational disruption. This creates a blind spot that attackers exploit effectively.


How can organizations protect against phishing via Amazon SES?

Organizations should implement email authentication policies beyond SPF, DKIM, and DMARC, such as using BIMI and domain alignment. While these don't block Amazon SES entirely, they can help identify anomalies. More importantly, deploy advanced threat detection that analyzes email content and link behavior, not just header reputation. Use URL scanning and sandboxing to check all links, even those pointing to Amazon domains. Security awareness training is crucial: teach users to hover over links, verify unexpected requests via a separate channel, and report suspicious emails. Additionally, monitor for leaked IAM keys in public repositories and rotate them regularly. For AWS customers, enable AWS CloudTrail and Amazon GuardDuty to detect unusual SES usage patterns.

What role do IAM keys play in Amazon SES phishing attacks?

IAM (Identity and Access Management) keys are the primary entry point for attackers to abuse Amazon SES. These keys grant programmatic access to AWS services, including the ability to send email through SES. When developers accidentally expose these keys in public code repositories, configuration files, or cloud storage, they effectively provide attackers with a free pass to send authenticated emails using Amazon's infrastructure. Tools like TruffleHog automate the discovery of such keys. Once obtained, attackers verify the key's permissions—specifically, whether it has ses:SendEmail or ses:SendRawEmail permissions—and check sending limits. The compromise is often silent, as the legitimate AWS account owner may not notice the leakage until after a phishing campaign has already caused damage. Proper key management, rotation, and monitoring are essential to prevent this attack vector.
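The permission check the answer above attributes to attackers (does this key carry ses:SendEmail or ses:SendRawEmail?) is one defenders should run first, over their own IAM policies, alongside the key rotation and monitoring the earlier answer recommends. The Python below is an added example written for this page, not code from the article or from AWS. It audits an IAM policy document for SES send permissions that are not pinned to a sender address or a verified identity, and shows a weak policy beside a hardened one. The ses:FromAddress condition key and the ses identity ARN format are real AWS features; the account ID 123456789012 and the domain notify.example.com are placeholders, and NotAction, Deny overrides and set-operator conditions (ForAnyValue:...) are deliberately out of scope.

```python
import fnmatch
import json

# SES actions that actually put mail on the wire, compared case-insensitively against the
# policy's Action patterns (ses:*, ses:Send*, *).
SEND_ACTIONS = {"ses:sendemail", "ses:sendrawemail", "ses:sendtemplatedemail",
                "ses:sendbulktemplatedemail"}

# Weak policy (constructed): every SES action on every identity, no sender restriction.
# A leaked key bound to this can send as any verified address in the account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
}

# Hardened policy (constructed; 123456789012 and notify.example.com are placeholders):
# only the two send calls, only on one verified identity, only from that domain.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/notify.example.com",
        "Condition": {"StringLike": {"ses:FromAddress": "*@notify.example.com"}},
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Statement; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_send(statement):
    """Return the set of SES send actions an Allow statement's patterns cover."""
    if statement.get("Effect") != "Allow":
        return set()
    granted = set()
    for pattern in _as_list(statement.get("Action")):
        granted.update(a for a in SEND_ACTIONS if fnmatch.fnmatchcase(a, pattern.lower()))
    return granted


def sender_restricted(statement):
    """True when a StringEquals/StringLike condition pins ses:FromAddress."""
    for operator, pairs in (statement.get("Condition") or {}).items():
        if operator.lower().startswith(("stringequals", "stringlike")):
            if any(key.lower() == "ses:fromaddress" for key in pairs):
                return True
    return False


def audit_ses_policy(policy):
    """List statements that grant SES sending without sender or identity restriction."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        send = grants_send(statement)
        if not send:
            continue
        if not sender_restricted(statement):
            findings.append({"statement": index, "actions": sorted(send),
                             "issue": "send permission without a ses:FromAddress condition"})
        if "*" in _as_list(statement.get("Resource")):
            findings.append({"statement": index, "actions": sorted(send),
                             "issue": "send permission on Resource \"*\" (every verified identity)"})
    return findings


if __name__ == "__main__":
    # Usage: feed the JSON of `aws iam get-policy-version` output's Document here instead.
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_ses_policy(doc), indent=2))
```

Scoping the policy this way does not stop a leaked key from being used, but it bounds what the key can do: mail can only go out under the one domain the identity already represents, so a campaign impersonating a third-party brand from a different From address is refused by SES itself, and the failed SendEmail calls become something to alert on rather than a silent success.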
