Bleepingcomputer
Amazon SES Phishing Attacks Bypass Email Security Measures
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In early 2026, a surge in phishing attacks utilizing Amazon Simple Email Service (SES) has been reported, exploiting exposed AWS Identity and Access Management (IAM) access keys. Attackers leverage this trusted email infrastructure to send convincing phishing emails that pass standard security checks, including SPF, DKIM, and DMARC. The phishing emails often mimic legitimate services, such as electronic signature notifications from DocuSign, tricking users into revealing sensitive information. Researchers attribute this increase in phishing campaigns to the widespread exposure of AWS credentials found in public repositories and other accessible locations. Automated tools like TruffleHog are used by attackers to find these leaked keys, allowing them to send large volumes of phishing messages. The attacks have raised significant concerns among cybersecurity experts, as blocking the IP addresses used for these emails would disrupt legitimate communications. Recommendations for organizations include enforcing strict IAM permissions, enabling multi-factor authentication, and regularly rotating access keys.
Key Points: • Amazon SES is being exploited for phishing attacks that bypass traditional security measures. • Attackers are using leaked AWS IAM access keys found in public repositories to send phishing emails. • Phishing emails often impersonate legitimate services, increasing the risk of user deception.