Critical Amazon SES Vulnerability Lets Attackers Send Authenticated Phishing Emails
Key Takeaways Threat actors are increasingly leveraging Amazon Simple Email Service (SES) to dispatch sophisticated phishing and Business Email Compromise (BEC) campaigns. These malicious emails...
Key Takeaways
- Threat actors are increasingly leveraging Amazon Simple Email Service (SES) to dispatch sophisticated phishing and Business Email Compromise (BEC) campaigns.
- These malicious emails possess legitimate authentication headers (SPF, DKIM, DMARC) and originate from trusted Amazon infrastructure, allowing them to bypass conventional email security defenses.
- The campaigns exploit leaked AWS Identity and Access Management (IAM) access keys, often found in public repositories, to gain unauthorized access to legitimate SES accounts.
- The primary lures include fake electronic signature requests (e.g., Docusign) leading to credential harvesting, and fraudulent invoice threads in BEC attacks.
- Organizations must prioritize IAM key security, implement least privilege, and transition to IAM roles, while users should exercise extreme caution with unexpected emails and verify requests out-of-band.
Attackers Exploit Amazon SES to Deliver Authenticated Phishing and BEC Campaigns
Cybercriminals are increasingly weaponizing Amazon’s cloud email infrastructure, specifically Amazon Simple Email Service (SES), to launch highly convincing phishing and Business Email Compromise (BEC) attacks. These malicious emails circumvent standard security protocols by appearing entirely legitimate, complete with valid authentication headers, making them exceptionally difficult for automated systems and human recipients to detect.
Table Of Content
The evolution of phishing tactics has seen attackers shift from creating their own suspicious infrastructure to compromising and abusing trusted, established services. This strategy capitalizes on the inherent credibility of platforms like Amazon SES, a widely adopted cloud-based service integral to the AWS ecosystem, used globally by businesses for transactional and marketing communications.
The Deceptive Power of Legitimate Infrastructure
Emails dispatched via Amazon SES inherently carry valid Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication, ensuring they pass critical technical checks performed by most email security gateways. Furthermore, the presence of “.amazonses.com” within Message-ID headers reinforces their apparent authenticity. From a purely technical standpoint, these fraudulent messages are indistinguishable from genuine business communications, a characteristic that makes their abuse particularly dangerous.
Researchers at Securelist observed a significant surge in Amazon SES-abusing phishing campaigns in early 2026. Their analysis revealed that attackers are not exploiting a traditional vulnerability within SES itself, but rather leveraging its legitimacy. By routing phishing emails through this trusted infrastructure, threat actors effectively bypass reputation-based blacklists. Blocking the sending IP addresses is not a viable mitigation, as it would inadvertently block legitimate emails from countless organizations using Amazon SES, leading to an unmanageable volume of false positives.
Common Attack Vectors: Credential Theft and BEC
A prevalent tactic identified in early 2026 involved fake notifications from electronic signature services. Victims received emails impersonating platforms like Docusign, prompting them to click a link to review and sign a document. The embedded link often displayed a seemingly safe domain, such as amazonaws.com, before redirecting victims to credential-harvesting forms also hosted on AWS infrastructure, further enhancing the illusion of legitimacy.
Beyond credential theft, attackers are also utilizing Amazon SES for sophisticated Business Email Compromise (BEC) schemes. In these campaigns, threat actors impersonate employees and engage finance departments with fabricated invoice threads, urgently requesting wire transfers. Intriguingly, the PDF attachments in these BEC emails frequently contained no malicious URLs or QR codes; instead, they presented forged payment details and supporting documents meticulously crafted to mimic legitimate business exchanges.
How Attackers Gain Access
The initial compromise enabling these campaigns almost exclusively stems from leaked AWS Identity and Access Management (IAM) access keys. Developers frequently expose these sensitive credentials by embedding them in public GitHub repositories, environment configuration files, Docker images, or unsecured S3 buckets. Attackers employ automated scanning tools, including bots built on open-source utilities like TruffleHog, specifically designed to scour public code repositories for exposed secrets.
Upon discovering a valid key, attackers verify its associated sending permissions and email limits before initiating large-scale phishing operations. This approach leverages an organization’s legitimate SES account, ensuring the sending IP maintains a clean reputation and emails arrive with all authentication stamps intact. This makes detection at the email gateway level exceptionally challenging, as the emails technically adhere to all security protocols.
What You Should Do
- Prioritize IAM Access Key Security: Treat AWS IAM access keys as highly sensitive credentials. Implement robust secret management practices and avoid hardcoding keys in code or configuration files.
- Implement Least Privilege: Configure IAM policies to grant only the minimum permissions necessary for specific tasks. This limits the potential damage if a key is compromised.
- Transition to IAM Roles: Where possible, move away from static IAM access keys to AWS IAM roles, which provide temporary, scoped permissions and are a more secure alternative.
- Enable Multi-Factor Authentication (MFA): Enforce MFA for all AWS console access and for any IAM users with programmatic access keys.
- Configure IP-Based Access Restrictions: Restrict IAM key usage to specific IP ranges where appropriate, adding an extra layer of security.
- Automate Key Rotation: Regularly rotate IAM access keys to minimize the window of opportunity for attackers to exploit compromised credentials.
- Conduct Regular Security Audits: Periodically audit AWS environments for exposed secrets and misconfigured IAM policies.
- Educate Users on Phishing Tactics: Train employees to be wary of unexpected emails, especially those requesting urgent actions or document reviews. Emphasize that sender names and domains can be spoofed.
- Verify Unexpected Requests Out-of-Band: Instruct users to verify any suspicious or unexpected requests (e.g., payment changes, document signings) through a separate, trusted communication channel (e.g., a phone call to a known number, not replying to the email).
- Inspect Links Carefully: Advise users to hover over links to inspect the destination URL before clicking, paying close attention to any redirects or subtle misspellings, even if the initial domain appears legitimate.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.