Amazon SES Abused in Sophisticated Phishing Campaigns: Security Experts Warn of 'Legitimate' Attack Vectors

Breaking: Phishers Exploit Amazon SES to Bypass Email Security

Attackers are increasingly weaponizing Amazon Simple Email Service (SES) to launch phishing campaigns that appear entirely legitimate to both users and security systems. Researchers report a sharp uptick in these attacks, which leverage trusted infrastructure to bypass authentication checks.

“These emails pass SPF, DKIM, and DMARC verification because they are sent through a reputable provider,” explains Dr. Elena Martinez, a cybersecurity analyst at Axon Cyber. “The danger is that they look completely authentic to email filters and recipients alike.”

How the Attack Works

Amazon SES is a cloud-based email service designed for high-reliability delivery. Attackers use leaked AWS IAM access keys—often found in public GitHub repositories or exposed S3 buckets—to gain control of SES accounts. Once inside, they send phishing emails that include amazonaws.com in links, leveraging redirects to mask malicious destinations.

Because the emails originate from Amazon’s IP addresses, they avoid reputation-based blocklists. Blocking SES would disrupt millions of legitimate messages, making that defense impractical.

Real-World Examples

One common tactic is impersonating electronic signature services like DocuSign. In a recent campaign, phishing emails carried official-looking Amazon SES headers and redirect links to spoofed login pages. “Users see a familiar domain and click without hesitation,” notes Martinez.

Background: The Rise of Infrastructure-Based Phishing

Phishing has evolved from crude spoofed domains to sophisticated attacks using trusted cloud services. Amazon SES joins Google Firebase, SendGrid, and others as platforms hijacked by cybercriminals. The key enabler is leaked IAM keys, which automated tools like TruffleHog help uncover.

“Developers often leave credentials in code repositories or environment files,” says John Whitmore, a penetration tester at SecureLabs. “Once those keys are exposed, attackers can send unlimited emails under a legitimate umbrella.”

What This Means for Businesses and Users

Organizations must treat all emails with caution, even those from trusted domains. Traditional email security measures are rendered ineffective against these attacks. “We need to shift focus to user education and behavior monitoring,” urges Martinez.

Security teams should implement anomaly detection for SES usage, monitor for unexpected spikes in outbound email volume, and enforce strict IAM key rotation policies. For individuals, never click on links in unsolicited emails, even if they appear to come from Amazon or DocuSign.

“This is a wake-up call,” Whitmore concludes. “The trust model in email is broken, and attackers are using our own tools against us.”