Amazon Simple Email Service is being increasingly abused to send phishing emails that can bypass standard security filters, with Kaspersky saying it has seen an uptick in attacks using the cloud email platform to deliver malicious links.
KEY FACTS
- Abuse pattern: Attackers are using Amazon SES to send convincing phishing messages that pass email authentication checks.
- Likely cause: Exposed AWS access keys in public repositories, .env files, Docker images, backups and S3 buckets appear to be enabling the abuse.
- Method: Bots based on TruffleHog scan for leaked secrets and then validate what the keys are permitted to do.
- Impact: The emails pass SPF, DKIM and DMARC checks, so authentication-based blocking does not stop them.
In a technical analysis, Kaspersky said attackers are automating secret discovery, permission checks and email delivery to send large volumes of phishing messages. The company said the campaigns use custom HTML templates that mimic real services and realistic login flows.
The attacks observed include fake document-signing notices that imitate DocuSign and redirect victims to AWS-hosted phishing pages. The report also described more advanced business email compromise attacks that create fabricated message threads and fake invoices to pressure finance staff into making payments.
Because Amazon SES is a legitimate service, mail sent from a compromised account's verified identities is DKIM-signed and SPF-authorized in the same way as the owner's own mail, so it passes authentication checks and is difficult to block without affecting normal traffic. The disclosure said blocking the sending IPs is not a practical fix because SES shares its outbound IP pools among many customers, so a block would disrupt all mail coming through the platform.
Kaspersky advised companies to limit IAM permissions under least privilege, enable multi-factor authentication, rotate keys regularly and use IP-based access restrictions and encryption controls. Amazon referred to its guidance on exposed credentials and said suspected abuse can be reported to AWS Trust & Safety.
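As an added example, not code from Kaspersky's report or from AWS, the Python below shows both halves of the pattern described above: the regex-based credential scan that TruffleHog-style bots run over leaked .env files (the "Method" bullet), and the defender's side of the advice in the previous paragraph, a least-privilege SES send policy restricted by aws:SourceIp plus a CloudTrail-style check that flags key-validation calls and SES sends coming from outside the allowed ranges. The .env contents, the CloudTrail events, the 203.0.113.0/24 allow-list, the identity ARN and the account ID 123456789012 are constructed placeholders; the key pair is AWS's published documentation example, not a live credential.

```python
import ipaddress
import json
import re

# Long-term access key IDs start with AKIA, temporary ones with ASIA, followed by
# 16 upper-case alphanumerics. Secret keys are 40 base64-like characters and are
# matched only next to an "aws ... secret" assignment to limit false positives.
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws[^\n]{0,20}?secret[^\n]{0,20}?[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)

# Constructed .env file; the key pair is AWS's documentation example, not a real key.
SAMPLE_ENV = """\
DB_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
"""


def find_aws_credentials(text):
    """Return candidate access key IDs and secrets found in text, deduplicated, in order."""
    key_ids = list(dict.fromkeys(AWS_KEY_ID_RE.findall(text)))
    secrets = list(dict.fromkeys(AWS_SECRET_RE.findall(text)))
    return {"access_key_ids": key_ids, "secrets": secrets}


# Constructed allow-list: only the mail relay subnet (a TEST-NET-3 range) may call SES.
ALLOWED_SENDER_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def ses_send_policy(identity_arn, allowed_cidrs):
    """Least-privilege IAM policy: two send actions, one identity, allowed source IPs only.

    The aws:SourceIp condition is what turns a leaked key into a dead key when it is
    replayed from an attacker's host, assuming the legitimate sender has fixed egress IPs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                "Resource": identity_arn,
                "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in allowed_cidrs]}},
            }
        ],
    }


SEND_ACTIONS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail", "SendBulkTemplatedEmail"}
# Calls an attacker makes to validate a leaked key before sending: STS GetCallerIdentity
# confirms the key works, GetSendQuota/ListIdentities confirm SES is usable from it.
RECON_ACTIONS = {"GetCallerIdentity", "GetSendQuota", "ListIdentities"}


def flag_ses_abuse(events, allowed_cidrs):
    """Flag SES/STS CloudTrail events whose sourceIPAddress is outside allowed_cidrs."""
    flagged = []
    for ev in events:
        src, name = ev.get("eventSource"), ev.get("eventName")
        if src == "ses.amazonaws.com" and name in SEND_ACTIONS:
            kind = "send"
        elif src in ("ses.amazonaws.com", "sts.amazonaws.com") and name in RECON_ACTIONS:
            kind = "recon"
        else:
            continue
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            continue  # calls made on your behalf by an AWS service carry a service name, not an IP
        if not any(ip in net for net in allowed_cidrs):
            flagged.append({"kind": kind, "action": name, "source_ip": str(ip),
                            "access_key_id": ev["userIdentity"]["accessKeyId"]})
    return flagged


# Constructed CloudTrail-style events: the leaked key is first validated from an outside
# host (198.51.100.23), then used to send; one legitimate send from the relay subnet.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendRawEmail",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]

if __name__ == "__main__":
    print(json.dumps(find_aws_credentials(SAMPLE_ENV), indent=2))
    arn = "arn:aws:ses:us-east-1:123456789012:identity/example.com"  # placeholder identity
    print(json.dumps(ses_send_policy(arn, ALLOWED_SENDER_CIDRS), indent=2))
    print(json.dumps(flag_ses_abuse(SAMPLE_EVENTS, ALLOWED_SENDER_CIDRS), indent=2))
```

Run the scan over your own repositories, images and backups before a bot does; a hit on `find_aws_credentials` means the key should be rotated, not just deleted from the file, because the history still holds it. The IP condition only helps if the legitimate sender really does have fixed egress addresses, and the CloudTrail check is a detection of last resort: by the time a `SendRawEmail` from an unknown IP appears, the key is already in use.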
WHY IT MATTERS
The abuse of trusted cloud email services can make phishing harder to detect and block, even when standard authentication checks are in place. That increases the risk of credential theft and payment fraud for organizations that depend on email for business operations.

