Email Marketing

The Hijacked Pipeline: How Cybercriminals Are Weaponizing Trusted Email Infrastructure

In the evolving landscape of cyber warfare, the most effective weapon is often one that the target already trusts. A new, alarming trend identified by Kaspersky researchers reveals that phishing campaigns are no longer merely circumventing security filters—they are using the filters’ own logic against them. By hijacking Amazon Web Services (AWS) credentials, threat actors are leveraging Amazon Simple Email Service (SES) to launch high-fidelity phishing attacks that bypass the industry’s most robust authentication protocols.

This is not a story of a platform vulnerability, but of human and systemic oversight. As organizations increasingly rely on cloud infrastructure for automated communications, the security of their API keys has become as critical as the security of their primary email domains.


The Core Mechanism: Trust as a Vulnerability

The fundamental problem facing email security today is the reliance on reputation-based filtering. Technologies such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) were designed to verify that an email originated from an authorized source.

When an attacker hijacks a legitimate AWS SES account, they aren’t "spoofing" a domain; they are sending mail through the actual, authorized, and reputation-rich infrastructure of the domain owner. Because the email originates from Amazon’s IP space and bears the correct cryptographic signatures, it is treated by spam filters as a "known good" message. To a security gateway, the email is indistinguishable from a legitimate transactional receipt or a verified corporate notification.

Kaspersky’s assessment is blunt: this is no longer a collection of isolated incidents. It has transitioned into a sophisticated, scalable, and steady industry trend.


Chronology of an Attack: From Developer Error to Inbox Breach

The lifecycle of these phishing campaigns typically follows a predictable, highly automated trajectory.

1. The Reconnaissance Phase

The attack almost never begins at the email inbox. It begins in the developer ecosystem. Attackers utilize automated scanning tools—such as TruffleHog, git-secrets, or custom scripts—to scour public code repositories like GitHub for exposed environment files (.ENV), Docker configurations, and accidentally committed AWS IAM (Identity and Access Management) keys.

2. The Verification Phase

Once a harvest is complete, attackers do not immediately spam. They methodically analyze the permissions attached to the stolen keys. They specifically look for accounts with ses:SendEmail permissions and, crucially, accounts with mature, high-volume sending quotas. A "warmed" account that has built up a positive sender reputation over months or years is the ultimate prize.

3. The Deployment Phase

With the keys in hand, the attacker bypasses the "warm-up" period required for new domains. They immediately begin sending out mass campaigns. By using the compromised account’s established reputation, they ensure high deliverability rates that would be impossible for an attacker using a newly registered domain.

4. The Victim Interaction

The campaigns are characterized by their high level of polish. Two primary attack vectors have emerged:

  • Document Forgery: Attackers mimic platforms like DocuSign or Adobe Acrobat, sending notifications that appear to be urgent document-signing requests. These lead to sophisticated credential-harvesting pages hosted on AWS infrastructure, further lending the attack an air of legitimacy.
  • Business Email Compromise (BEC): In more targeted plays, attackers use the hijacked SES account to inject themselves into ongoing business threads, fabricating invoices or urgent payment requests that look identical to legitimate correspondence from the compromised organization.

The "Too Big to Block" Dilemma: Why Defenses Fail

The structural challenge posed by this trend is existential for cybersecurity professionals. Standard mitigation strategies are rendered ineffective by the very nature of cloud-native infrastructure.

The Failure of IP Blocking

In traditional phishing, security teams block the IP address of the malicious sender. However, AWS SES operates on a massive, shared IP pool. Blocking the IPs responsible for a phishing campaign would inadvertently block millions of legitimate transactional emails—order confirmations, password resets, and marketing communications—that rely on that same infrastructure. The collateral damage is simply too high for any business-critical environment.

The Paradox of Authentication

SPF, DKIM, and DMARC are the industry standard for preventing domain spoofing. In this scenario, however, they act as an accomplice. Because the email is technically "authorized" by the domain’s configuration, these protocols provide a false sense of security. They confirm the identity of the sender, but they cannot confirm the intent of the entity holding the keys.

The "Shared Fate" Model

This phenomenon highlights the dark side of shared cloud infrastructure. When one customer’s credentials leak, the integrity of the entire platform is degraded. If a malicious actor uses a hijacked account to send high volumes of phishing mail, the sender reputation of that specific AWS region or pool can suffer, negatively impacting all other legitimate businesses sharing that pipeline.


Implications for the Modern Enterprise

The Kaspersky findings serve as a wake-up call for the "Shift Left" security movement. If your organization relies on AWS SES, your email deliverability is now inextricably linked to your developer security practices.

The New Security Perimeter

Email security can no longer be siloed within the IT or Marketing departments. It now encompasses:

  • Secret Management: Any developer workstation, CI/CD pipeline, or build artifact containing an AWS IAM key is a potential entry point for a phishing campaign.
  • Least-Privilege Enforcement: The practice of assigning broad, long-lived access keys to applications is a critical risk. If an application does not need to send email, it should not have the permissions to do so.
  • The Retirement of Static Keys: Organizations should shift toward using IAM roles and temporary security tokens wherever possible, significantly reducing the window of opportunity for an attacker if a credential is leaked.

Official Responses and Remediation Strategies

While Amazon Web Services maintains a robust Trust and Safety team that actively monitors for abuse, the responsibility for securing access keys remains firmly with the customer.

Industry experts, including those from Kaspersky, recommend a multi-layered defensive posture to mitigate these risks:

  1. Automated Secret Scanning: Organizations should integrate secret scanning tools into their CI/CD pipelines to ensure that no hardcoded credentials are ever pushed to version control.
  2. Restrict API Access: Where feasible, API access should be restricted to specific CIDR blocks or IP ranges, preventing a stolen key from being used by an attacker outside the organization’s network.
  3. MFA for Identity: Implementing Multi-Factor Authentication (MFA) for all IAM users is the most effective barrier against the unauthorized use of compromised credentials.
  4. Rotation Policies: Enforce strict key rotation policies. A stolen key that is rotated every 30 days is significantly less valuable to an attacker than a permanent, long-lived credential.
  5. Monitoring and Alerting: Utilize Amazon CloudWatch and AWS CloudTrail to monitor for unusual patterns in SES usage, such as sudden spikes in sending volume or requests originating from unusual geographies.

Conclusion: The Trust Gap

The rise of SES-based phishing is a symptom of a larger, systemic shift in the threat landscape. Attackers are moving away from brute-force tactics and toward the exploitation of the "trust signals" that govern the modern internet.

We have spent decades building a framework—SPF, DKIM, DMARC—designed to verify that a sender is who they claim to be. While these protocols successfully prevent domain spoofing, they were never designed to detect the authorized abuse of a compromised identity. As we move forward, the industry must grapple with a difficult reality: in a world of automated infrastructure, the ability to authenticate a message is no longer a guarantee of its safety.

Trust, as it turns out, is a fragile commodity. Once the keys to the kingdom are lost, the kingdom itself becomes the attacker’s most potent tool. For the enterprise, the lesson is clear: your email security strategy is now only as strong as your weakest developer’s secret management practice.