Amazon SES Exploited for Phishing Attacks Bypassing Security Filters
Severity: High (Score: 67.5)
Sources: Securelist, www.kaspersky.com, Bleepingcomputer
Summary
In 2026, a surge in phishing attacks abusing Amazon Simple Email Service (SES) has been reported. The campaigns exploit the service's trusted reputation to bypass email security measures. Attackers use exposed AWS Identity and Access Management (IAM) access keys found in public repositories to send legitimate-looking phishing emails that pass authentication checks. These emails often contain links that redirect to malicious sites, with a notable trend of imitating document-signing notifications from services like DocuSign. The campaigns are characterized by high-quality custom HTML templates that mimic real services, which increases their effectiveness. Security researchers have identified that automated tools, such as TruffleHog, are used to scan for these leaked keys, facilitating large-scale phishing operations. The impact is significant because blocking the IP addresses used to send these emails is impractical: it would disrupt legitimate communications. Recommendations for organizations include restricting IAM permissions and enabling multi-factor authentication to mitigate risks.

Key Points:
- Amazon SES is being exploited for phishing attacks that evade detection.
- Attackers use leaked AWS IAM keys from public repositories to send phishing emails.
- Phishing emails often mimic legitimate services, increasing their effectiveness.
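The summary traces these campaigns to IAM access keys committed to public repositories. As an added example (not taken from the cited sources), the following Python check can be run by a defender over their own working tree before pushing; it flags AWS access key IDs and reports whether a high-entropy 40-character secret sits nearby. The function names, the entropy threshold and the three-line window are assumptions, and the sample text is constructed from the placeholder key pair used in AWS documentation.

```python
import math
import re
import sys
from pathlib import Path

# Long-term IAM user key IDs start with AKIA; temporary STS key IDs start with ASIA.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text, window=3, min_entropy=4.0):
    """Find key IDs and note whether a likely secret lies within `window` lines."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID_RE.finditer(line):
            nearby = "\n".join(lines[max(0, i - window): i + window + 1])
            paired = any(entropy(s) >= min_entropy for s in SECRET_RE.findall(nearby))
            findings.append({
                "line": i + 1,
                "key_id": m.group(0)[:8] + "*" * 12,  # redact so the report does not re-leak
                "long_term": m.group(1) == "AKIA",
                "secret_nearby": paired,
            })
    return findings

def scan_tree(root):
    """Scan every file under root (skipping .git and files of 1 MB or more)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts and path.stat().st_size < 1_000_000:
            found = scan_text(path.read_text(errors="ignore"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: the placeholder key pair from AWS documentation.
SAMPLE = "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n" \
         "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"

if __name__ == "__main__":
    scanning = len(sys.argv) > 1
    hits = scan_tree(sys.argv[1]) if scanning else {"<sample>": scan_text(SAMPLE)}
    for name, found in hits.items():
        for f in found:
            print(f"{name}:{f['line']} {f['key_id']} long_term={f['long_term']} secret_nearby={f['secret_nearby']}")
    sys.exit(1 if scanning and hits else 0)  # non-zero exit lets a pre-commit hook block
```

A finding with long_term=True and secret_nearby=True is the case the summary describes: a usable long-term credential pair that should be rotated and removed from history, not just deleted from the latest commit.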
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Ransomware (attack_type)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-798 - Use of Hard-coded Credentials (cwe)
- amazonaws.com (domain)
- amazonses.com (domain)
- T1486 - Data Encrypted for Impact (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- Amazon S3 (platform)
- Amazon Simple Email Service (platform)
- Exchange Online (platform)
- GitHub (platform)
- Microsoft Exchange Server (platform)
- Amazon SES (tool)
- Docker (tool)
- Docusign (tool)
- Microsoft Office 365 (tool)
- OneDrive (tool)