Amazon SES Exploited in Sophisticated Phishing Campaign – Security Experts Warn of Trusted Infrastructure Abuse

Posted by u/Lolpro Lab · 2026-05-09 05:46:53

Breaking: Cybercriminals Weaponize Amazon SES to Evade Email Security Filters

Attackers have turned to Amazon Simple Email Service (SES) as a trusted delivery channel for phishing emails, bypassing standard security protocols and fooling both users and automated defenses. Security researchers report a sharp uptick in campaigns using this legitimate AWS infrastructure.

Amazon SES Exploited in Sophisticated Phishing Campaign – Security Experts Warn of Trusted Infrastructure Abuse
Source: securelist.com

"These emails pass SPF, DKIM, and DMARC checks because they originate from Amazon's trusted servers," said Dr. Elena Torres, a cybersecurity analyst at PhishGuard Labs. "From a technical standpoint, they look completely legitimate."

Scammers exploit the high trust placed in Amazon's infrastructure. Emails carry the .amazonses.com domain in their Message-ID headers, making them indistinguishable from legitimate transactional messages. "The sender's IP address is never blacklisted; it's Amazon's own," added Mark Chen, CTO of SecureMail Inc.

Background: How Amazon SES Is Being Abused

Amazon SES is a cloud-based email platform designed for reliable delivery of transactional and marketing messages, and it integrates deeply with AWS. Attackers abuse its sending reputation to get their mail past email security filters.

"The biggest danger is that users see an 'amazonaws.com' link and click without hesitation," Torres noted. "What they don't realize is that Amazon SES allows custom HTML templates and URL redirects – perfect tools for crafting convincing phishing emails."

Access to Amazon SES is typically gained through leaked IAM keys. Developers often expose these keys in public GitHub repositories, Docker images, configuration backups, or publicly accessible S3 buckets. "Attackers run automated scanners like TruffleHog to find these secrets at scale," Chen explained.

Once attackers verify key permissions and sending limits, they can flood inboxes. A phishing email disguised as a DocuSign notification was widely observed in early 2026. The email's technical headers confirmed it originated from Amazon SES, yet it redirected users to a malicious site via a legitimate-looking URL.

What This Means for Organizations and Users

This attack undermines traditional email security that relies on domain authentication and IP reputation. Blocking Amazon SES entirely is not feasible for major providers because it would cause massive false positives.

"Organizations must move beyond signature-based detection," Torres urged. "Behavioral analysis – spotting unusual login requests or link destinations – is now essential." Users should be trained to verify unexpected requests even when they appear to come from trusted sources.
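As an added example (not from the original article or the researchers it quotes), the sketch below triages a message that passes authentication by checking the signals the article describes instead: an SES Message-ID, a brand display name that does not match the sending domain, and links to shared cloud hosting. The sample message, the `BRAND_DOMAINS` allow-list and the `SHARED_HOSTS` list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture); all domains are placeholders.
SAMPLE = """\
From: "DocuSign" <notify@billing-example.test>
To: user@corp.example
Subject: Please review and sign your document
Message-ID: <0100018f-constructed@email.amazonses.com>
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html

<a href="https://sample-bucket.s3.amazonaws.com/r.html">Review document</a>
"""

# Assumed allow-list: brand in the From display name -> domains it sends from.
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}
# Assumed list of shared hosting suffixes where any tenant can publish content.
SHARED_HOSTS = ("amazonaws.com",)

def under(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring match)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    msgid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if under(msgid_host, ("amazonses.com",)):
        findings.append("sent-via-ses")
    auth = msg.get("Authentication-Results", "").lower()
    if all(f"{k}=pass" in auth for k in ("spf", "dkim", "dmarc")):
        findings.append("auth-pass")  # informational: proves origin, not intent
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not under(from_domain, domains):
            findings.append(f"brand-mismatch:{brand}")
    for part in msg.walk():  # handles single-part and multipart bodies
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r'href="([^"]+)"', body):
            host = (urlparse(url).hostname or "").lower()
            if under(host, SHARED_HOSTS):
                findings.append(f"shared-host-link:{host}")
    return findings
```

None of these findings is conclusive on its own; the combination of `auth-pass` with a brand mismatch and a shared-host link is what merits review.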

Immediate actions:

  • Enable multi-factor authentication on all AWS accounts and IAM users.
  • Audit IAM keys regularly – remove unused or overly permissive keys.
  • Deploy continuous scanning of code repositories for exposed secrets (e.g., using tools like TruffleHog integrated into CI/CD).
  • Educate employees to hover over links and check for redirect patterns even on trusted domains.

"This is a wake-up call," Chen concluded. "Cybercriminals are now using the cloud's own trust against us. Zero-trust principles must apply to email, too."

Major email providers are working on advanced anomaly detection to filter such attacks while maintaining legitimate mail flow. Until then, vigilance remains the best defense.