Amazon SES Phishing Attacks Bypass Email Security Measures
Severity: High (Score: 69.5)
Sources: Bleepingcomputer, www.kaspersky.com, Gbhackers, Cybersecuritynews, Securelist
Summary
In early 2026, a surge in phishing attacks utilizing Amazon Simple Email Service (SES) has been reported, exploiting exposed AWS Identity and Access Management (IAM) access keys. Attackers leverage this trusted email infrastructure to send convincing phishing emails that pass standard security checks, including SPF, DKIM, and DMARC. The phishing emails often mimic legitimate services, such as electronic signature notifications from DocuSign, tricking users into revealing sensitive information. Researchers attribute this increase in phishing campaigns to the widespread exposure of AWS credentials found in public repositories and other accessible locations. Automated tools like TruffleHog are used by attackers to find these leaked keys, allowing them to send large volumes of phishing messages. The attacks have raised significant concerns among cybersecurity experts, as blocking the IP addresses used for these emails would disrupt legitimate communications. Recommendations for organizations include enforcing strict IAM permissions, enabling multi-factor authentication, and regularly rotating access keys.
Key Points:
- Amazon SES is being exploited for phishing attacks that bypass traditional security measures.
- Attackers are using leaked AWS IAM access keys found in public repositories to send phishing emails.
- Phishing emails often impersonate legitimate services, increasing the risk of user deception.
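The rotation and MFA recommendations above can be checked against an account's IAM credential report. The following is an added example, not code from the cited sources: it audits a constructed CSV that uses a subset of the credential report's columns, and the 90-day rotation limit is an assumed policy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows; the column names are a subset of the IAM credential report.
SAMPLE_REPORT = """user,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_service
ci-deploy,false,true,2024-11-02T09:15:00+00:00,ses,false,N/A,N/A
alice,true,true,2026-01-20T12:00:00+00:00,s3,false,N/A,N/A
mailer,false,true,2025-12-28T08:30:00+00:00,ses,true,2023-06-01T00:00:00+00:00,N/A
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the page


def audit_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key slot, reasons) for every active key that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys cannot be used to send mail
            reasons = []
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated not in ("N/A", ""):
                age = (now - datetime.fromisoformat(rotated)).days
                if age > max_age_days:
                    reasons.append(f"key age {age}d exceeds {max_age_days}d")
            if row["mfa_active"] != "true":
                reasons.append("user has no MFA")
            service = row[f"access_key_{slot}_last_used_service"]
            if service == "N/A":
                reasons.append("active key never used")
            elif service == "ses":
                reasons.append("last used for SES: confirm this sender is expected")
            if reasons:
                findings.append((row["user"], f"key_{slot}", reasons))
    return findings


if __name__ == "__main__":
    now = datetime(2026, 2, 1, tzinfo=timezone.utc)  # fixed date for reproducible output
    for user, key, reasons in audit_keys(SAMPLE_REPORT, now):
        print(f"{user} {key}: " + "; ".join(reasons))
```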
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Ransomware (attack_type)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-798 - Use of Hard-coded Credentials (cwe)
- amazonaws.com (domain)
- amazonses.com (domain)
- T1486 - Data Encrypted for Impact (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- Amazon S3 (platform)
- Amazon Simple Email Service (platform)
- Exchange Online (platform)
- GitHub (platform)
- Microsoft Exchange Server (platform)
- Amazon SES (tool)
- Docker (tool)
- Docusign (tool)
- Microsoft Office 365 (tool)
- OneDrive (tool)