{"id":2867,"date":"2026-05-04T10:04:05","date_gmt":"2026-05-04T10:04:05","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/04\/legitimate-phishing-how-attackers-weaponize-amazon-ses-to-bypass-email-security\/"},"modified":"2026-05-04T10:04:05","modified_gmt":"2026-05-04T10:04:05","slug":"legitimate-phishing-how-attackers-weaponize-amazon-ses-to-bypass-email-security","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/04\/legitimate-phishing-how-attackers-weaponize-amazon-ses-to-bypass-email-security\/","title":{"rendered":"\u201cLegitimate\u201d phishing: how attackers weaponize Amazon SES to bypass email security"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources<\/a> for malicious email campaigns. Specifically, we\u2019ve recently observed an uptick in phishing attacks leveraging Amazon SES.<\/p>\n

The dangers of Amazon SES abuse<\/h2>\n

Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for highly reliable transactional and marketing message delivery. It integrates seamlessly with other products in Amazon\u2019s cloud ecosystem, AWS.<\/p>\n

At first glance, it might seem like just another delivery channel for email phishing, but that isn\u2019t the case. The insidious nature of Amazon SES attacks lies in the fact that attackers aren\u2019t using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust. These emails utilize SPF, DKIM, and DMARC authentication protocols, passing all standard provider checks, and almost always contain .amazonses.com<\/code> in the Message-ID headers. Consequently, from a technical standpoint, every email sent via Amazon SES\u00a0\u2013 even a phishing one\u00a0\u2013 looks completely legitimate.<\/p>\n

Phishing URLs can be masked with redirects: a user sees a link like amazonaws.com<\/code> in the email and clicks it with confidence, only to be sent to a phishing site rather than a legitimate one. Amazon SES also allows for custom HTML templates, which attackers use to craft more convincing emails. Because this is legitimate infrastructure, the sender\u2019s IP address won\u2019t end up on reputation-based blocklists. Blocking it would restrict all incoming mail sent through Amazon SES. For major services, that kind of measure is ineffective, as it would significantly disrupt user workflows due to a massive number of false positives.<\/p>\n

How compromise happens<\/h2>\n

In most cases, attackers gain access to Amazon SES through leaked IAM (AWS Identity and Access Management) access keys. Developers frequently leave these keys exposed in public GitHub repositories, ENV files, Docker images, configuration backups, or even in publicly accessible S3 buckets. To hunt for these IAM keys, phishers use various tools, such as automated bots based on the open-source utility TruffleHog, which is designed for detecting leaked secrets. After verifying the key\u2019s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages.<\/p>\n

Examples of phishing with Amazon SES<\/h2>\n

In early 2026, one of the most common themes in phishing emails sent with Amazon SES was fake notifications from electronic signature services.<\/p>\n

\"Phishing<\/a><\/p>\n

Phishing email imitating a Docusign notification<\/p>\n<\/div>\n

The email\u2019s technical headers confirm that it was sent with Amazon SES. At first glance, it all looks legitimate enough.<\/p>\n

\"Phishing<\/a><\/p>\n

Phishing email headers<\/p>\n<\/div>\n

In these emails, the victim is typically asked to click a link to review and sign a specific document.<\/p>\n

Phishing email with a \"document\"<\/a><\/p>\n

Phishing email with a \u201cdocument\u201d<\/p>\n<\/div>\n

Upon clicking the link, the user is directed to a sign-in form hosted on amazonaws.com<\/code>. This can easily mislead the victim, convincing them that what they\u2019re doing is safe.<\/p>\n

\"Phishing<\/a><\/p>\n

Phishing sign-in form<\/p>\n<\/div>\n

The resulting form is, of course, a phishing page, and any data entered into it goes directly to the attackers.<\/p>\n

Amazon SES and BEC<\/h2>\n

However, Amazon SES is used for more than just standard phishing; it\u2019s also a vehicle for a very sophisticated type of BEC campaigns. In one case we investigated, a fraudulent email appeared to contain a series of messages exchanged between an employee of the target organization and a service provider about an outstanding invoice. The email was sent as if from that employee to the company\u2019s finance department, requesting urgent payment.<\/p>\n

\"BEC<\/a><\/p>\n

BEC email featuring a fake conversation between an employee and a vendor<\/p>\n<\/div>\n

The PDF attachments didn\u2019t contain any malicious phishing URLs or QR codes, only payment details and supporting documentation.<\/p>\n

\"Forged<\/a><\/p>\n

Forged financial documents<\/p>\n<\/div>\n

Naturally, the email didn\u2019t originate with the employee, but with an attacker impersonating them. The entire thread quoted within the email was actually fabricated, with the messages formatted to appear as a legitimate forwarded thread to a cursory glance. This type of attack aims to lower the user\u2019s guard and trick them into transferring funds to the scammers\u2019 account.<\/p>\n

Takeaways<\/h2>\n

Phishing via Amazon SES is shifting from isolated incidents into a steady trend. By weaponizing this service, attackers avoid the effort of building dubious domains and mail infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to blast out thousands of phishing emails. These messages pass email authentication, originate from IP addresses that are unlikely to be blocklisted, and contain links to phishing forms that look entirely legitimate.<\/p>\n

Since these Amazon SES phishing attacks stem from compromised or leaked AWS credentials, prioritizing the security of these accounts is critical. To mitigate these risks, we recommend following these guidelines:<\/p>\n