“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security

Securelist, 04 May 2026
Author: Roman Dedenok

Introduction

The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns.


Specifically, we’ve recently observed an uptick in phishing attacks leveraging Amazon SES.

The dangers of Amazon SES abuse

Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for highly reliable transactional and marketing message delivery.

It integrates seamlessly with other products in Amazon’s cloud ecosystem, AWS. At first glance, it might seem like just another delivery channel for email phishing, but that isn’t the case. The insidious nature of Amazon SES attacks lies in the fact that attackers aren’t using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust.

These emails utilize SPF, DKIM, and DMARC authentication protocols, passing all standard provider checks, and almost always contain .amazonses.com in the Message-ID headers. Consequently, from a technical standpoint, every email sent via Amazon SES – even a phishing one – looks completely legitimate. Phishing URLs can be masked with redirects: a user sees a link like amazonaws.com in the email and clicks it with confidence, only to be sent to a phishing site rather than a legitimate one.

Amazon SES also allows for custom HTML templates, which attackers use to craft more convincing emails. Because this is legitimate infrastructure, the sender’s IP address won’t end up on reputation-based blocklists. Blocking it would restrict all incoming mail sent through Amazon SES. For major services, that kind of measure is ineffective, as it would significantly disrupt user workflows due to a massive number of false positives.
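As an added illustration (not code from the Securelist article), the following Python script applies the header and link heuristics described above to a constructed message: it checks whether the Message-ID points to amazonses.com, whether SPF, DKIM and DMARC all passed, whether the display name claims a brand whose expected sending domains (an assumed allow-list) do not match the actual sender domain, and whether body links resolve to amazonaws.com hosts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; not a real capture.
SAMPLE_EMAIL = """\
From: "Docusign" <notifications@example-sender.com>
Message-ID: <0100019EXAMPLEID@email.amazonses.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>You have a document to review and sign.</p>
<a href="https://example-bucket.s3.amazonaws.com/review/index.html">REVIEW DOCUMENT</a></body></html>
"""
# Assumed allow-list: domains a genuine Docusign notification is expected to come from.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}
AWS_HOST = re.compile(r"(^|\.)amazonaws\.com$", re.I)

class LinkExtractor(HTMLParser):
    # Collects the href of every <a> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def html_links(msg):
    out = LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            out.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    return out.hrefs

def analyze(raw):
    # Returns SES/authentication context plus heuristic findings for one raw message.
    msg = message_from_string(raw)
    findings = []
    via_ses = "amazonses.com" in msg.get("Message-ID", "").lower()
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and from_domain not in domains:
            findings.append(f"display name claims {brand}, but sender domain is {from_domain}")
    aws_links = [u for u in html_links(msg) if AWS_HOST.search(urlparse(u).hostname or "")]
    if via_ses and aws_links:
        findings.append(f"SES-relayed mail links to AWS-hosted content: {aws_links[0]}")
    return {"via_ses": via_ses, "auth_pass": auth_pass, "findings": findings}
```

The sample passes every authentication check and still yields two findings, which is exactly why a mail gateway cannot rely on SPF, DKIM and DMARC alone for SES-relayed mail.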

How compromise happens

In most cases, attackers gain access to Amazon SES through leaked IAM (AWS Identity and Access Management) access keys. Developers frequently leave these keys exposed in public GitHub repositories, ENV files, Docker images, configuration backups, or even in publicly accessible S3 buckets. To hunt for these IAM keys, phishers use various tools, such as automated bots based on the open-source utility TruffleHog, which is designed for detecting leaked secrets.

After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages.

Examples of phishing with Amazon SES

In early 2026, one of the most common themes in phishing emails sent with Amazon SES was fake notifications from electronic signature services.

[Figure: Phishing email imitating a Docusign notification]

The email’s technical headers confirm that it was sent with Amazon SES.

At first glance, it all looks legitimate enough.

[Figure: Phishing email headers]

In these emails, the victim is typically asked to click a link to review and sign a specific document.

[Figure: Phishing email with a “document”]

Upon clicking the link, the user is directed to a sign-in form hosted on amazonaws.com. This can easily mislead the victim, convincing them that what they’re doing is safe.

[Figure: Phishing sign-in form]

The resulting form is, of course, a phishing page, and any data entered into it goes directly to the attackers.

Amazon SES and BEC

However, Amazon SES is used for more than just standard phishing; it is also a vehicle for a sophisticated type of BEC campaign. In one case we investigated, a fraudulent email appeared to contain a series of messages exchanged between an employee of the target organization and a service provider about an outstanding invoice. The email was sent as if from that employee to the company’s finance department, requesting urgent payment.

[Figure: BEC email featuring a fake conversation between an employee and a vendor]

The PDF attachments didn’t contain any malicious phishing URLs or QR codes, only payment details and supporting documentation.

[Figure: Forged financial documents]

Naturally, the email didn’t originate with the employee, but with an attacker impersonating them. The entire thread quoted within the email was fabricated, with the messages formatted to pass for a legitimate forwarded thread at a cursory glance.

This type of attack aims to lower the user’s guard and trick them into transferring funds to the scammers’ account.

Takeaways

Phishing via Amazon SES experienced an uptick in January 2026 and has remained relatively steady through Q1. By weaponizing this service, attackers avoid the effort of building dubious domains and mail infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to blast out thousands of phishing emails.

These messages pass email authentication, originate from IP addresses that are unlikely to be blocklisted, and contain links to phishing forms that look entirely legitimate. Since these Amazon SES phishing attacks stem from compromised or leaked AWS credentials, prioritizing the security of these accounts is critical. To mitigate these risks, we recommend following these guidelines:

- Implement the principle of least privilege when configuring IAM access keys, granting elevated permissions only to users who require them for specific tasks.
- Transition from IAM access keys to roles when configuring AWS; these are profiles with specific permissions that can be assigned to one or several users.
- Enable multi-factor authentication, an ever-relevant step.
- Configure IP-based access restrictions.
- Set up automated key rotation and run regular security audits.
- Use the AWS Key Management Service to encrypt data with unique cryptographic keys and manage them from a centralized location.
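As an added example (not the article’s or AWS’s own code), this Python snippet contrasts a constructed over-broad SES policy with a scoped one and lints both for the least-privilege and IP-restriction points in the list above; the account ID, identity ARN and IP range are assumed placeholders.

```python
import json

# Constructed over-broad policy of the kind a leaked access key often carries (not from the article).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
})
# Tightened variant: only the two send actions, one verified identity, and an assumed office
# range (203.0.113.0/24, a documentation prefix) as the only source allowed to use the key.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
})
SEND_ACTIONS = {"ses:sendemail", "ses:sendrawemail", "ses:sendtemplatedemail",
                "ses:sendbulktemplatedemail"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _grants_send(action):
    # True if the action string (possibly a wildcard pattern) covers any SES send call.
    a = action.lower()
    if a in ("*", "ses:*") or a in SEND_ACTIONS:
        return True
    return a.endswith("*") and any(s.startswith(a[:-1]) for s in SEND_ACTIONS)

def lint_policy(doc):
    # Returns least-privilege findings for every Allow statement that can send mail.
    findings = []
    for i, st in enumerate(_as_list(json.loads(doc).get("Statement", []))):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(_grants_send(a) for a in actions):
            continue
        if any(a.lower() in ("*", "ses:*") for a in actions):
            findings.append(f"statement {i}: wildcard action grants every SES operation")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource * allows sending from any verified identity")
        conds = st.get("Condition", {})
        if not any("aws:SourceIp" in v for v in conds.values() if isinstance(v, dict)):
            findings.append(f"statement {i}: no aws:SourceIp condition, so a leaked key works from anywhere")
    return findings
```

Run over the two documents, the broad policy produces three findings and the scoped one none; the same checks can be applied to policies exported from IAM during the audits recommended above.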

We recommend that users remain vigilant when handling email. Do not determine whether an email is safe based solely on the From field. If you receive unexpected documents via email, a prudent precaution is to verify the request with the sender through a different communication channel. Always carefully inspect where links in the body of an email actually lead. Additionally, robust email security solutions can provide an essential layer of protection for corporate correspondence.

