Cybercriminals Exploit Amazon SES to Deliver Phishing Emails That Evade Security Filters—Urgent Alert

Posted by u/Lolpro Lab · 2026-05-04 19:57:10

Breaking: Phishing Campaigns Weaponize Amazon's Email Service

Security researchers have uncovered a sharp increase in phishing attacks that exploit Amazon Simple Email Service (SES), allowing attackers to send emails that bypass standard security checks. The messages appear fully legitimate, passing SPF, DKIM, and DMARC authentication protocols, making them nearly impossible to block without disrupting legitimate mail flow.

Source: securelist.com

According to a senior threat analyst at a leading cybersecurity firm, “Attackers are using Amazon SES because it is inherently trusted by email providers and users. Every email sent through the service looks technically valid, even when it contains malicious content.”

How Attackers Gain Access

Compromise typically begins with leaked AWS IAM (Identity and Access Management) access keys. These keys are often exposed in public GitHub repositories, configuration files, Docker images, or even in publicly readable S3 buckets. Automated tools like TruffleHog scan for these secrets, enabling attackers to verify permissions and sending limits before launching massive phishing campaigns.

A security engineer specializing in cloud forensics noted, “Leaked IAM keys are the primary entry point. Once an attacker has valid credentials, they can send any volume of emails that appear to come from Amazon’s trusted infrastructure.”

Background: Why Amazon SES Is a Weapon of Choice

Amazon Simple Email Service is a cloud-based platform designed for sending transactional and marketing emails. It integrates seamlessly with AWS and uses authentication protocols that make its messages appear fully legitimate. Phishing emails sent via SES include amazonses.com in the Message-ID header, and the sender IP addresses are not on any reputation blocklists.

Because blocking Amazon SES entirely would cripple business communications for major organizations, security teams face a difficult dilemma: either accept the risk or implement more granular detection rules. The attackers exploit this trust by masking phishing URLs with redirects, using links that point to amazonaws.com or other AWS domains before redirecting victims to credential-harvesting sites.

Examples: Fake Docusign Notifications

In early 2026, one of the most common themes observed is fraudulent emails impersonating electronic signature services, particularly Docusign. The phishing emails use custom HTML templates to mimic legitimate notifications, complete with official logos and branding. Technical headers confirm that the emails were sent via Amazon SES, yet the links lead to phishing pages.

A researcher who analyzed the campaign stated, “Users see a familiar domain like amazonses.com and click with confidence. The attackers have exploited that trust to create a highly effective phishing vector.”

What This Means for Organizations

Organizations must treat every email with heightened scrutiny, even those that pass all authentication checks. Security teams should monitor for unusual volumes of emails from AWS domains and implement advanced behavioral analysis to detect anomalous redirect patterns. Additionally, developers should secure IAM keys using secret management tools and avoid hardcoding credentials in source code or configuration files.
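
One way to express the "more granular detection rules" described above, as an added example that is not part of the original article or of any vendor's product: a triage function that scopes itself to messages whose Message-ID carries amazonses.com, then flags a brand-impersonating display name and links hosted on amazonaws.com. The sample message, the brand allow-list and all function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from a real campaign); every name is a placeholder.
SAMPLE = """\
From: "Docusign" <notify@mail.example.net>
To: user@example.org
Subject: Please review and sign your document
Message-ID: <0100018f-constructed@email.amazonses.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://bucket-placeholder.s3.amazonaws.com/r.html">Review</a></body></html>
"""

# Assumed allow-list: domains a given brand is expected to send from.
BRANDS = {"docusign": ("docusign.com", "docusign.net")}

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return the reasons an SES-delivered message deserves analyst review."""
    msg = message_from_string(raw)
    findings = []
    msg_id = msg.get("Message-ID", "").strip("<> ")
    if not host_in(msg_id.rpartition("@")[2], ["amazonses.com"]):
        return findings  # not sent through SES, so out of scope for this rule
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    for brand, domains in BRANDS.items():
        if brand in display.lower() and not host_in(from_domain, domains):
            findings.append(f"display name claims {brand}, From domain is {from_domain}")
    # Single-part bodies only; multipart messages yield an empty body here.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in re.findall(r'href=["\'](https?://[^"\']+)', body, re.I):
        if host_in(urlparse(url).hostname, ["amazonaws.com"]):
            findings.append(f"link hosted on AWS domain: {url}")
    auth = msg.get("Authentication-Results", "").lower()
    if findings and all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("SPF/DKIM/DMARC all pass; authentication is not a trust signal")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Findings are review signals rather than verdicts, since legitimate SES senders also link to AWS-hosted content.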

For users, the key takeaway is never to click on links in unsolicited emails, even if they appear to come from a trusted source. Understanding how attackers gain access can help individuals recognize the risk posed by leaked credentials.

The rise of this technique signals a shift in phishing strategy: away from suspicious domains and toward abusing the very infrastructure that security systems are built to trust. As one industry expert put it, “We are entering an era where ‘legitimate’ can be the most dangerous label an email can carry.”