"The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data," wrote Securelist in a recent analysis of how threat actors are abusing Amazon's Simple Email Service.
Why Amazon SES lets phishing look "legitimate"
Securelist documents a strategic shift: attackers are weaponizing Amazon Simple Email Service (Amazon SES) to make malicious messages indistinguishable from legitimate mail. Because Amazon SES integrates with Amazon Web Services (AWS) and supports SPF, DKIM, and DMARC, phishing messages sent through the platform commonly pass standard provider authentication checks. They typically include .amazonses.com in Message-ID headers, and originate from IP addresses that will not end up on reputation-based blocklists.
The result is an email that, from a technical standpoint, "looks completely legitimate." That legitimacy can lull both automated security controls and human recipients into a false sense of safety — particularly when links or form hosts display amazonaws.com or when attackers use Amazon SES custom HTML templates to mimic trusted services.
How attackers acquire and leverage AWS credentials
According to the report, most abusive access to Amazon SES begins with leaked IAM (AWS Identity and Access Management) access keys. Developers sometimes leave those keys exposed in public GitHub repositories, ENV files, Docker images, configuration backups, or publicly accessible S3 buckets. Attackers use automated tools — including bots built on the open-source utility TruffleHog — to hunt for and harvest these secrets.
Once attackers verify a key's permissions and sending limits, they can send massive volumes of email without needing to create dubious domains or build their own mail infrastructure. That operational convenience is the core advantage: attackers reuse trusted cloud infrastructure to evade detection and rejection.
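The two paragraphs above describe how leaked IAM access keys end up in repositories, ENV files and images. The defensive counterpart is to scan those same artifacts before they are published. The following is an added example, not code from the Securelist report or from TruffleHog: a small credential scanner suitable for a pre-commit hook. It matches the documented AKIA/ASIA access-key-ID format and, for the prefix-less secret key, only a 40-character value that follows a telltale variable name. The sample `.env` content is constructed, and its two credential values are the placeholder pair AWS publishes in its own documentation.

```python
import re
import sys

# Access key IDs carry a documented prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case alphanumerics; anchor on non-key characters so
# longer random strings do not match.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys have no prefix, so match only when a telltale variable name
# precedes a 40-character base64-style value (keeps false positives down).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}[:=]\W{0,3}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed .env file; the two credential values are the placeholder pair
# AWS uses in its own documentation, not live keys.
SAMPLE_ENV = """\
# constructed example, not a real deployment
APP_ENV=production
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
SES_FROM=noreply@example.test
"""


def redact(value: str) -> str:
    """Keep enough to locate the key in a ticket without reproducing it."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str, source: str) -> list:
    """Return one finding per credential-looking token, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "access_key_id", "redacted": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "secret_access_key", "redacted": redact(m.group(1))})
    return findings


def scan_files(paths) -> list:
    """Scan files on disk (e.g. from a pre-commit hook); unreadable files are skipped."""
    out = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                out.extend(scan_text(fh.read(), p))
        except OSError:
            continue
    return out


if __name__ == "__main__":
    # With file arguments: scan them and exit non-zero on any hit, so a
    # pre-commit or CI step blocks the commit. Without: scan the sample.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_ENV, ".env")
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['kind']} {h['redacted']}")
    sys.exit(1 if hits else 0)
```

The scanner reports a redacted form of each hit so the finding can be filed and the key rotated without the full credential being copied into a ticket. Context-anchoring the secret-key pattern trades some recall for far fewer false positives than matching every 40-character string would produce.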
Observed campaigns in early 2026: DocuSign-style phishing and BEC invoices
Securelist details two recurring patterns witnessed in early 2026. The most common theme was phishing messages masquerading as electronic signature notifications — for example, emails imitating a Docusign notification that include Message-ID headers showing Amazon SES delivery. Victims who click links in these messages are often directed to sign-in forms hosted on amazonaws.com; those forms are, in the report's words, "of course, a phishing page," and any data entered is captured by attackers.
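The header pattern described earlier (SPF, DKIM and DMARC passing, a `.amazonses.com` Message-ID) and the signature-notification lure above can be turned into a triage rule for a mail gateway or SOAR playbook. The following is an added example and not code from the Securelist report: it parses one message, extracts the From domain, the Message-ID domain and every link host, and flags SES-relayed mail whose sender is not on the organisation's allowlist of expected SES senders, or whose links point at an amazonaws.com host. The sample message, its addresses and its Message-ID are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the pattern in the report: a signature-service
# lure relayed through Amazon SES, passing authentication, with the sign-in
# link on an amazonaws.com host. All names, addresses and the Message-ID are
# invented placeholders, not real campaign artifacts.
SAMPLE_EML = """\
From: "Docusign" <notifications@docusign-example.test>
To: finance@victim.example
Subject: Completed: Please review and sign
Message-ID: <0100019abc-de12f345-6789-0abc-def0-123456789abc-000000@email.amazonses.com>
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document is waiting for your signature.</p>
<a href="https://signin-bucket.s3.amazonaws.com/login.html">Review document</a>
</body></html>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def message_id_domain(msg) -> str:
    """Domain part of the Message-ID, which SES stamps as *.amazonses.com."""
    mid = str(msg.get("Message-ID", "")).strip().strip("<>")
    return mid.rpartition("@")[2].lower()


def link_hosts(msg) -> set:
    """Hostnames of every URL in the HTML (or plain-text) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return set()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body.get_content())}
    return {h.lower() for h in hosts if h}


def analyze_message(raw: str, trusted_ses_senders=frozenset()) -> dict:
    """Triage one message against the SES-abuse pattern.

    trusted_ses_senders: From-domains this organisation expects to receive
    SES-relayed mail (and amazonaws.com-hosted links) from.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg)
    mid_dom = message_id_domain(msg)
    hosts = link_hosts(msg)
    via_ses = mid_dom.endswith("amazonses.com")
    auth = str(msg.get("Authentication-Results", "")).lower()
    trusted = from_dom in trusted_ses_senders

    findings = []
    if via_ses and not trusted:
        findings.append("ses-sender-not-allowlisted")
    if not trusted and any(h.endswith("amazonaws.com") for h in hosts):
        findings.append("link-to-amazonaws-host")
    # A DMARC pass proves the sending identity, not the intent: record it so
    # downstream rules do not treat 'dmarc=pass' as a reason to skip review.
    if findings and "dmarc=pass" in auth:
        findings.append("authenticated-but-suspicious")

    return {
        "from_domain": from_dom,
        "message_id_domain": mid_dom,
        "via_ses": via_ses,
        "link_hosts": sorted(hosts),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    print(analyze_message(SAMPLE_EML))
```

The allowlist is the key design choice: the article's point is that authentication results alone no longer separate good SES mail from bad, so the rule keys on which sending domains the organisation actually expects to see behind an SES Message-ID, and treats an amazonaws.com link from anyone else as a review trigger rather than a hard block.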
Beyond standard credential-phishing, Securelist highlights a sophisticated category of business email compromise (BEC) that uses Amazon SES as the delivery vehicle. In one investigated case, an email supposedly from an employee to a company's finance department included a fabricated forwarded thread and a PDF with payment instructions and supporting documents. No malicious URLs were present; the attack relied on a forged conversation and realistic-looking financial documents to induce an urgent wire transfer.
Mitigations Securelist recommends for AWS and email safety
- Implement the principle of least privilege for IAM access keys, granting elevated permissions only when strictly required.
- Transition from IAM access keys to roles where possible, using profiles with specific permissions rather than long-lived keys.
- Enable multi-factor authentication on relevant accounts.
- Configure IP-based access restrictions and set up automated key rotation along with regular security audits.
- Use the AWS Key Management Service to encrypt data with unique cryptographic keys and manage them centrally.
- On the email side, the report advises that users should not determine an email's safety solely by the From field, should verify unexpected document requests through a separate channel, and should carefully inspect actual link destinations. Robust email security solutions are recommended for additional protection.
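The first five recommendations above (least privilege, IP restrictions, key rotation and audits) can be checked mechanically. The following is an added example, not code from the Securelist report or an AWS tool: it lints IAM policy documents for wildcard actions, unscoped resources and SES send permissions that lack an `aws:SourceIp` condition, showing an over-broad policy beside a least-privilege one, and it picks out active access keys older than a rotation window from records in the shape of IAM `ListAccessKeys` output. The policies, account id, ARN, CIDR, key ids and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed "before" policy: the broad grant a leaked key too often carries.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ses:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# Constructed "after" policy: only the send actions, scoped to one verified
# identity, callable only from the application's egress range. The account
# id, identity ARN and CIDR are placeholders.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/mail.example.test",
            "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Flag Allow statements that violate least privilege for SES senders."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement[{i}]: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"statement[{i}]: unscoped resource '*'")
        grants_send = any(a in ("*", "ses:*") or a.lower().startswith("ses:send")
                          for a in actions)
        source_ip = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if grants_send and not source_ip:
            findings.append(f"statement[{i}]: SES send allowed without aws:SourceIp condition")
    return findings


# Constructed records in the shape of IAM ListAccessKeys output (placeholders).
REFERENCE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCESS_KEYS = [
    {"UserName": "ses-app", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2025, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "ses-app", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2026, 2, 15, tzinfo=timezone.utc)},
    {"UserName": "legacy", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
]


def keys_needing_rotation(access_keys, now, max_age_days=90) -> list:
    """Active long-lived keys older than the rotation window."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in access_keys
            if k.get("Status") == "Active" and k["CreateDate"] < cutoff]


if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(pol) or "OK")
    print("rotate:", keys_needing_rotation(SAMPLE_ACCESS_KEYS, REFERENCE_NOW))
```

In a real audit the policy documents and key records would come from the IAM API rather than the constructed constants; the checks themselves are the same. The hardened policy is what a role assumed by the sending application would carry, so that even a key that does leak can only send from the listed identity and only from the listed network range.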
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Prioritize discovery and remediation of exposed IAM keys, enforce least-privilege policies, and adopt roles and automated rotation to reduce the attack surface. Securelist's findings underline that credential hygiene directly affects email security.
- Procurement leaders at affected enterprises: Expect that blocking delivery domains like amazonaws.com is impractical because doing so would interrupt legitimate workflows. Instead, focus on contractual and operational controls that require vendors and developers to follow key-management best practices.
- End users and general public: Treat unexpected document requests with skepticism; verify via alternative channels before acting. Be aware that links and sign-in pages hosted on amazonaws.com can still be fraudulent when delivered through abused SES credentials.
Securelist concludes that "phishing via Amazon SES is shifting from isolated incidents into a steady trend." The core takeaway is straightforward and urgent: because these attacks exploit compromised or leaked AWS credentials, protecting IAM keys and moving to ephemeral, role-based access models are central to reclaiming trust in email originating from legitimate cloud infrastructure.