"We've observed an uptick in phishing attacks leveraging Amazon SES," Kaspersky researchers write — and the data in their report explains how a trusted cloud email service has become an effective tool for modern phishing operations.
How attackers are abusing Amazon SES to evade defenses
Amazon Simple Email Service (SES) is a legitimate, widely trusted resource for sending bulk and transactional email. Kaspersky's report documents that attackers are using valid Amazon SES credentials to send phishing messages that pass standard authentication checks. Because the messages originate from a sanctioned platform, reputation-based blocks and measures tied to sender IP ranges are ineffective: blocking the offending IP addresses is "not an acceptable solution because it would prevent all emails coming through Amazon SES," the report notes.
The role of leaked AWS IAM access keys
Kaspersky cites a likely driver behind the recent spike: a large number of AWS Identity and Access Management (IAM) access keys exposed in public assets. These credentials surface in GitHub repositories, .env files, Docker images, backups, and publicly accessible S3 buckets. Attackers find those keys largely by automation, using bots built on the open-source TruffleHog utility to scan for leaked secrets, and then validate permissions and sending limits before weaponizing the keys for email distribution.
Techniques observed in the phishing campaigns
The report describes a rise in high-quality phishing that leverages the flexibility and deliverability of SES. Kaspersky observed emails delivering links that redirect to malicious sites and AWS-hosted phishing pages. Attackers use custom HTML templates and realistic login flows to mimic legitimate services; one noted example is fake document-signing notifications that imitate DocuSign. The campaigns also include more advanced business email compromise (BEC) tactics: entire fabricated email threads and false invoices designed to convince finance departments to pay.
Why email authentication and IP blocks fail
Attackers benefit from SES because it eases or eliminates common barriers to success. The report states that by sending through Amazon SES, attackers "no longer need to worry about authentication checks such as the SPF, DKIM, and DMARC protocols." At the same time, attempts to neutralize the campaigns by blocking SES IPs would disrupt legitimate SES traffic, rendering IP-based blocking impractical as a broad defense. Kaspersky also details how threat actors now chain automated steps — secret discovery, permission verification, and email sends — to scale phishing at volumes that were previously more difficult to achieve.
Recommended mitigations from Kaspersky
Kaspersky offers concrete operational controls for companies to reduce risk. The researchers recommend applying the principle of least privilege to IAM permissions, enabling multi-factor authentication (MFA), regularly rotating access keys, and implementing IP-based access restrictions and encryption controls. These steps aim to reduce the window of opportunity for attackers who find exposed credentials and to limit what a stolen key can do once discovered.
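As an added illustration (not code from Kaspersky's report), the Python sketch below statically audits an IAM policy document for the two controls most relevant to SES abuse: least-privilege scoping of send permissions and an IP-based access restriction. The policies, account ID, domain, CIDR range and finding labels are constructed for the example; the SES action names and the `aws:SourceIp` condition key are real IAM identifiers.

```python
import fnmatch
import json

# Real IAM action names for SES sending (v1 and v2 APIs).
SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail",
                "ses:SendBulkTemplatedEmail", "ses:SendBulkEmail")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_send_actions(stmt):
    """SES send actions an Allow statement grants, honouring * and ? wildcards."""
    key = "Action" if "Action" in stmt else "NotAction"
    patterns = [p.lower() for p in _as_list(stmt.get(key, []))]
    if stmt.get("Effect") != "Allow" or not patterns:
        return []
    hits = [a for a in SEND_ACTIONS
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
    # Allow + NotAction grants every action that is NOT listed.
    return hits if key == "Action" else [a for a in SEND_ACTIONS if a not in hits]

def has_source_ip_allowlist(stmt):
    """True if the statement carries an IpAddress condition on aws:SourceIp."""
    for op, body in stmt.get("Condition", {}).items():
        op = op.lower()
        if ("ipaddress" in op and "notipaddress" not in op
                and any(k.lower() == "aws:sourceip" for k in body)):
            return True
    return False

def audit(policy_json):
    """Return (sid, issue) findings. Static check only: Deny statements,
    permission boundaries and SCPs are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if not granted_send_actions(stmt):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "wildcard-resource"))
        if not has_source_ip_allowlist(stmt):
            findings.append((sid, "no-source-ip-allowlist"))
    return findings

# Constructed sample policies; account ID, domain and CIDR are placeholders.
WEAK = json.dumps({"Statement": [
    {"Sid": "Mail", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}]})
HARDENED = json.dumps({"Statement": [{
    "Sid": "MailHardened", "Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
print(audit(WEAK), audit(HARDENED))
```

A key bound to the hardened policy can send only from one verified identity and only from the listed network range, which limits what a leaked copy is worth.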
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Focus on secret management — hunt for exposed keys in code repositories and storage, enforce rotation and MFA, and apply least-privilege policies so a leaked key cannot be used to send or scale phishing campaigns unchecked.
- Procurement and IT asset owners: Treat infrastructure-as-code and artifacts (images, .env files, backups) as sensitive assets. The report links public exposure of these artifacts directly to the rise in SES abuse, so procurement processes should include controls to prevent accidental publication of credentials.
- End users and finance teams: Be alert to messages that mimic trusted services and to fabricated email threads or invoices; Kaspersky shows attackers are investing in realistic templates and flows to deceive recipients, including finance departments targeted for fraudulent payments.
Kaspersky's findings make a clear operational point: the abuse is less about flaws in Amazon SES itself and more about exposed credentials and how easily attackers can monetize them. The recommended defensive measures are practical and narrowly targeted — least-privilege IAM, MFA, key rotation, IP restrictions, and encryption. Whether organizations implement those steps at scale will determine how effectively SES can be kept a trusted channel rather than a launchpad for convincing phishing.




