Researchers report Amazon SES abused in phishing to evade detection

Summary

Kaspersky researchers have documented a significant uptick in phishing attacks leveraging Amazon's Simple Email Service (SES) to bypass email authentication checks and security filters. The abuse is driven by exposed AWS Identity and Access Management (IAM) access keys found in public repositories, Docker images, and S3 buckets, which threat actors locate and exploit using automated tools like TruffleHog. Attackers abuse SES to send high-quality phishing emails impersonating services like DocuSign and conduct business email compromise (BEC) attacks, as SES's trusted reputation allows them to evade traditional blocking mechanisms.

Full text

Researchers report Amazon SES abused in phishing to evade detection By Bill Toulas May 4, 2026 04:03 PM 0 Cybersecurity firm Kaspersky reports that the Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. Although the resource has been leveraged for malicious activity in the past, Kaspersky says the current spike may be due to a large number of AWS Identity and Access Management access keys exposed in public assets. Because it is a legitimate, trusted resource, phishing operations can leverage Amazon SES to send out malicious emails that pass authentication checks. Kaspersky researchers note in a report today that they've “observed an uptick in phishing attacks leveraging Amazon SES” to deliver links that redirect to a malicious site. Headers on phishing emailSource: Kaspersky The researchers believe the main driver of this abuse is the increasing exposure of AWS credentials in GitHub repositories, .ENV files, Docker images, backups, and publicly accessible S3 buckets. Finding the access keys is typically done in an automated way using bots built on the open-source TruffleHog utility, which is designed to scan for leaked secrets. Threat actors now rely on automated attacks that streamline secret scanning, permission validation, and email distribution, enabling unprecedented levels of abuse. “After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages,” Kaspersky explains. Based on their findings, the researchers say that the phishing quality is high, featuring custom HTML templates that mimic real services and realistic login flows. The observed attacks include fake document-signing notifications that imitate DocuSign to lead victims to AWS-hosted phishing pages, as well as more advanced business email compromise (BEC) attacks. Attackers fabricate entire email threads to make the phishing messages appear more convincing and send fake invoices to trick finance departments into making payments. Fabricated documents supporting the BEC attacksSource: Kaspersky By leveraging Amazon SES, attackers no longer need to worry about authentication checks such as the SPF, DKIM, and DMARC protocols. Additionally, blocking the offending IP addresses that deliver the phishing emails is not an acceptable solution because it would prevent all emails coming through Amazon SES. Threat actors are no focusing on Amazon SES alone. They are constantly trying to find ways to abuse other legitimate email systems to push phishing messages. Kaspersky recommends that companies restrict IAM permissions based on the “least privilege” principles, enable multi-factor authentication, regularly rotate keys, and apply IP-based access restrictions and encryption controls. In a statement for BleepingComputer, Amazon pointed to its security guidance on exposed credentials and protect against unauthorized access to accounts. The company also stated that it is quick to react on reports of potential terms of service violations and take appropriate action. "If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety," an AWS Spokesperson told BleepingComputer. Update [May 4th, 16:59 EST]: Article updated with information from an Amazon statement received after publishing time. Update [May 5th, 11:50 EST]: Added an update and corrected the lede to reflect that the abuse increase is based on Kaspersky telemetry data and is not a general trend. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Telegram Mini Apps abused for crypto scams, Android malware deliveryConsentFix v3 attacks target Azure with automated OAuth abuseNew Bluekit phishing service includes an AI assistant, 40 templatesFBI links cybercriminals to sharp surge in cargo theft attacksRobinhood account creation flaw abused to send phishing emails

Indicators of Compromise

• malware — TruffleHog

Entities