Amazon SES Increasingly Abused in Phishing to Evade Detection

BleepingComputer, May 4, 2026

Why It Matters

The abuse undermines conventional email security controls, exposing enterprises to more convincing phishing and BEC attacks, while forcing defenders to balance protection with the risk of interrupting legitimate SES traffic.

Key Takeaways

  • Attackers exploit leaked AWS keys to send phishing via Amazon SES
  • Automated tools like TruffleHog harvest credentials from public repos and containers
  • Phishing emails pass SPF, DKIM and DMARC checks, so they evade filters that rely on those protocols
  • Blocking SES IPs would disrupt legitimate business communications
  • Kaspersky urges least‑privilege IAM, MFA, key rotation, and IP restrictions

Pulse Analysis

The recent spike in Amazon Simple Email Service (SES) abuse reflects a broader shift in how threat actors acquire and weaponize cloud credentials. Researchers at Kaspersky traced the root cause to a flood of exposed AWS Identity and Access Management (IAM) access keys scattered across public GitHub repositories, .env files, Docker images, and misconfigured S3 buckets. Automated scanners such as the open‑source TruffleHog crawl these assets, check whether the credentials are still live, and harvest keys whose IAM permissions still allow sending mail through SES. This pipeline lets attackers launch high‑volume phishing campaigns with little manual effort, turning a trusted cloud service into a covert delivery channel.
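The first stage of that pipeline, finding key material in committed artefacts, is easy to reproduce for your own repositories. The script below is an added example, not code from the article, Kaspersky or TruffleHog: it scans text such as .env files and Dockerfiles using the two signals secret scanners lean on, the fixed access-key-ID prefix and a high-entropy 40-character base64 string near it. The liveness check scanners perform next (calling AWS with the pair) is left out so the script runs offline. The key pair is the non-functional example pair from AWS documentation and both sample files are constructed.

```python
"""Added example (not from the article, Kaspersky or TruffleHog): offline
scanner for leaked AWS access keys in text artefacts. Sample inputs are
constructed; the key pair is the inert example pair from AWS documentation."""
import math
import re

# 20-character access key IDs: AKIA = long-term IAM user key, ASIA = temporary
# STS credential, then 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# 40-character secret from the base64 alphabet, not embedded in a longer run.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 300  # characters either side of a key ID in which to look for its secret


def shannon_entropy(s):
    """Bits per character; random secrets sit above ~4.0, prose and repeated
    words well below it."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source="<text>", entropy_threshold=4.0):
    """One finding per access key ID, paired with the highest-entropy secret
    candidate near it (secret is None when only the ID leaked)."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        lo, hi = max(0, m.start() - WINDOW), m.end() + WINDOW
        best = None
        for s in SECRET_RE.finditer(text, lo, hi):
            ent = shannon_entropy(s.group(0))
            if ent >= entropy_threshold and (best is None or ent > best[1]):
                best = (s.group(0), ent)
        findings.append({
            "source": source,
            "line": text.count("\n", 0, m.start()) + 1,
            "access_key_id": m.group(0),
            "temporary": m.group(1) == "ASIA",
            "secret": best[0] if best else None,
            "secret_entropy": round(best[1], 2) if best else None,
        })
    return findings


def scan_artifacts(artifacts, **kw):
    """artifacts: mapping of file name -> file contents."""
    out = []
    for name, text in artifacts.items():
        out.extend(scan_text(text, source=name, **kw))
    return out


# Constructed samples: a .env with a full key pair, and a Dockerfile that leaks
# only the key ID next to a long but low-entropy string that must not be
# mistaken for a secret.
SAMPLE_ENV = """\
# committed by mistake
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SES_REGION=us-east-1
"""
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV RELEASE_TAG=deploymentdeploymentdeploymentdeployment
"""

if __name__ == "__main__":
    for f in scan_artifacts({".env": SAMPLE_ENV, "Dockerfile": SAMPLE_DOCKERFILE}):
        print(f)
```

Run it as a pre-commit hook over staged files and treat any finding with a non-empty `secret` as a hard failure; a bare key ID is still worth rotating, since the matching secret may sit in a neighbouring file or an earlier commit.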

Because SES is a widely allow‑listed, reputation‑based service, and because the compromised keys belong to AWS accounts whose sending domains are already verified in SES, the malicious messages carry the victim's own authentication. They pass SPF, DKIM and DMARC, so gateway filters that rely on those protocols see legitimate mail from a legitimate domain. The phishing content often mimics well‑known services with custom HTML and fabricated document threads, raising the success rate of business‑email‑compromise (BEC) attempts. Blocking the sending IP addresses, the traditional response, is impractical: SES's outbound IPs are shared by its tenants, so a block would also stop legitimate SES mail from countless enterprises.

Kaspersky's recommendations emphasize credential hygiene: enforce least‑privilege IAM policies (a mailer needs ses:SendEmail or ses:SendRawEmail on its own verified identity, not broad SES or account‑wide access), enable multi‑factor authentication, rotate keys regularly, and restrict SES sending to known IP ranges, for example with an aws:SourceIp condition in the sending policy. Organizations should also watch SES sending metrics and CloudTrail for unexpected callers, source IPs and volume spikes, and integrate threat‑intelligence feeds that flag compromised keys. Above all, keep long‑lived access keys out of repositories and images: workloads running on AWS should use IAM roles, which issue short‑lived credentials instead. As cloud providers continue to expand email capabilities, attackers will likely seek similar abuse vectors in other trusted services, making proactive key management and continuous monitoring essential components of a modern email‑security strategy.
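Two of those controls in working form, as an added example that is not code from the article, Kaspersky or AWS: a builder for a least-privilege IAM policy that lets a mailer send only from one verified SES identity, only from known IP ranges and only with the expected From address, and an offline audit over CloudTrail-style records that flags SES sends from unexpected access keys or source IPs and per-key volume spikes. The identity ARN, CIDRs, key IDs and log records are all constructed; the records follow the CloudTrail field layout (eventSource, eventName, userIdentity.accessKeyId, sourceIPAddress, eventTime), and it is assumed that the sends you care about appear in your trail, which depends on which SES interface the mailer uses.

```python
"""Added example (not code from the article, Kaspersky or AWS). Part 1 builds
a least-privilege SES sending policy; part 2 audits CloudTrail-shaped records
for SES sends from unknown keys, unexpected IPs and volume spikes. All ARNs,
CIDRs, key IDs and records are constructed for the example."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta


def least_privilege_ses_policy(identity_arn, allowed_cidrs, from_address):
    """aws:SourceIp matches the public IP of the API caller; a mailer that
    reaches SES through a VPC endpoint is matched on aws:VpcSourceIp instead,
    so swap the key for that deployment."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendOnlyFromApprovedMailer",
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": identity_arn,
            "Condition": {
                "IpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                "StringEquals": {"ses:FromAddress": from_address},
            },
        }],
    }


# Inventory of keys the mailer is meant to use and where it runs (constructed).
APPROVED_KEYS = {"AKIAIOSFODNN7EXAMPLE"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SEND_ACTIONS = {"SendEmail", "SendRawEmail", "SendBulkEmail",
                "SendTemplatedEmail", "SendBulkTemplatedEmail"}


def _record(event, key, ip, when):
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": "ses.amazonaws.com", "eventName": event,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "eventTime": when}


SAMPLE_RECORDS = (
    # three sends by the real mailer, from its allow-listed range
    [_record("SendEmail", "AKIAIOSFODNN7EXAMPLE", "203.0.113.10",
             f"2026-05-04T10:0{i}:00Z") for i in range(3)]
    # five sends by a second, leaked key from an unrelated address in one minute
    + [_record("SendRawEmail", "AKIAI44QH8DHBEXAMPLE", "198.51.100.77",
               f"2026-05-04T10:05:{10 * i:02d}Z") for i in range(5)]
    # a non-SES call that the audit must ignore
    + [{"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
        "sourceIPAddress": "198.51.100.77", "eventTime": "2026-05-04T10:04:50Z"}]
)


def audit_ses_sends(records, rate_limit=3, window=timedelta(minutes=5)):
    """Return one alert dict per finding: an unknown caller key, a source IP
    outside ALLOWED_NETS, or more than rate_limit sends by one key within any
    sliding window of the given length (reported once per key)."""
    alerts, sends_by_key = [], defaultdict(list)
    for r in records:
        if r.get("eventSource") != "ses.amazonaws.com" or r.get("eventName") not in SEND_ACTIONS:
            continue
        key = r.get("userIdentity", {}).get("accessKeyId", "<none>")
        ip, when = r.get("sourceIPAddress", ""), r["eventTime"]
        if key not in APPROVED_KEYS:
            alerts.append({"type": "unknown_key", "key": key, "source": ip, "time": when})
        try:
            if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS):
                alerts.append({"type": "unexpected_ip", "key": key, "source": ip, "time": when})
        except ValueError:  # service-originated calls carry a service name here, not an IP
            alerts.append({"type": "non_ip_source", "key": key, "source": ip, "time": when})
        sends_by_key[key].append(datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"))
    for key, times in sends_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > rate_limit:
                alerts.append({"type": "send_spike", "key": key,
                               "source": f"{end - start + 1} sends within {window}",
                               "time": t.strftime("%Y-%m-%dT%H:%M:%SZ")})
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(least_privilege_ses_policy(
        "arn:aws:ses:us-east-1:123456789012:identity/example.com",
        ["203.0.113.0/24"], "noreply@example.com"), indent=2))
    for a in audit_ses_sends(SAMPLE_RECORDS):
        print(a)
```

The rate threshold and window are placeholders; derive them from the mailer's real baseline, and feed the same three checks from SES event-publishing data where sends do not reach CloudTrail.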
