In the evolving arms race between cybersecurity defenders and malicious actors, a new, sophisticated threat has emerged that subverts the very foundation of email trust. Kaspersky researchers have identified a sharp, systematic surge in phishing campaigns utilizing Amazon Simple Email Service (SES). However, the danger does not lie in a technical vulnerability within Amazon’s architecture; rather, it stems from the systematic hijacking of AWS credentials from legitimate organizations.
By seizing control of established, authenticated accounts, attackers are bypassing the multi-layered security gates that typically catch phishing attempts. Because these emails originate from genuine Amazon infrastructure and carry valid cryptographic signatures, they effectively "launder" malicious messages through the world’s most trusted sending pipes. This shift marks a transition from isolated, amateurish spam to a professionalized, high-yield supply chain attack.
The Supply Chain of Stolen Trust: Chronology of an Attack
The lifecycle of an SES-based phishing attack rarely begins at the target’s inbox. It starts with the digital equivalent of leaving a key under the doormat.
1. The Harvesting Phase
The attack cycle typically begins with the unauthorized discovery of AWS Identity and Access Management (IAM) keys. These credentials, often accidentally embedded in public GitHub repositories, exposed .env files, Docker images, or misconfigured S3 buckets, act as the gateway. Using automated scanners—tools often borrowed from legitimate security research, such as TruffleHog—threat actors continuously scrape the public web for long-lived access keys.
2. The Qualification Phase
Once a haul of keys is harvested, the attackers perform a methodical assessment. They do not use all keys equally; they specifically filter for accounts with mature SES permissions. They look for "warmed-up" accounts: those with a history of legitimate sending, high daily quotas, and an established reputation with mailbox providers. By compromising an active business account, the attacker inherits years of trust instantly.
3. The Deployment Phase
With the credentials validated, the attacker bypasses the "warm-up" period required for new domains. They inject their malicious payloads—frequently mimicking high-stakes services like DocuSign or generating fake internal invoices—directly into the hijacked pipeline. Because the sender identity is legitimate, the emails pass SPF, DKIM, and DMARC checks with flying colors.
Supporting Data: Why "Too Big to Block" is the Attacker’s Greatest Ally
The structural efficiency of this attack vector creates a nightmare for IT administrators and security operations centers (SOCs). To understand the severity, one must look at why conventional defensive postures fail.
- The Reputation Trap: Traditional anti-spam filters rely on reputation scores tied to IP addresses and sending domains. In this scenario, the reputation is legitimate. Blocking the IP ranges associated with Amazon SES would effectively disable critical business operations for millions of companies worldwide, including transaction notifications, password resets, and customer support alerts. Consequently, organizations are forced to accept the risk of the platform to maintain business continuity.
- Authentication Paradox: SPF, DKIM, and DMARC were designed to prevent spoofing. However, these protocols only verify that a message was sent by an authorized source. If an attacker has the keys, they are the authorized source. The protocol is performing exactly as intended, which is precisely why it is failing to stop the attack.
- Velocity of Abuse: Kaspersky’s data suggests this is no longer a sporadic occurrence. The ease with which attackers can transition from "key discovery" to "phishing execution" means that a single leak can result in thousands of malicious emails being dispatched within minutes, long before the legitimate account owner notices a spike in their AWS billing or SES bounce rates.
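The volume spike and bounce-rate jump described above are visible in SES event-publishing data long before they show up on a bill. The detector below is an added example, not code from Kaspersky or AWS; it assumes events arrive as newline-delimited JSON with the standard eventType, mail.timestamp and mail.source fields, and the sample records are constructed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

def parse_events(lines):
    """Parse newline-delimited SES event-publishing records into (timestamp, type, source)."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["mail"]["timestamp"].replace("Z", "+00:00"))
            events.append((ts, rec["eventType"], rec["mail"]["source"]))
        except (ValueError, KeyError, TypeError):
            continue  # malformed or non-SES line: skip rather than crash the detector
    return events

def detect_abuse(lines, baseline_per_min, spike_factor=5.0, max_bounce_rate=0.10, known_senders=()):
    """Flag per-minute send spikes, high bounce rates and sender addresses outside the allow-list."""
    per_minute = defaultdict(Counter)
    unknown = set()
    for ts, event_type, source in parse_events(lines):
        per_minute[ts.replace(second=0, microsecond=0)][event_type] += 1
        if known_senders and source not in known_senders:
            unknown.add(source)
    alerts = []
    for minute, counts in sorted(per_minute.items()):
        sends, bounces = counts["Send"], counts["Bounce"]
        if sends > baseline_per_min * spike_factor:
            alerts.append(f"{minute:%H:%M}: {sends} sends vs baseline {baseline_per_min}/min")
        if sends and bounces / sends > max_bounce_rate:
            alerts.append(f"{minute:%H:%M}: bounce rate {bounces / sends:.0%}")
    alerts.extend(f"unrecognised sender address {s}" for s in sorted(unknown))
    return alerts

# Constructed sample records in the shape of SES event publishing (eventType + mail object).
def _rec(minute, event_type, source):
    return json.dumps({"eventType": event_type, "mail": {
        "timestamp": f"2024-05-01T09:{minute:02d}:00Z", "source": source}})

SAMPLE_LINES = (
    [_rec(0, "Send", "noreply@example.com")] * 3          # normal traffic
    + [_rec(1, "Send", "billing@example.com")] * 40       # sudden burst from a new address
    + [_rec(1, "Bounce", "billing@example.com")] * 8      # bounces from bad recipient lists
    + ["not a json record"]                               # noise the parser must tolerate
)
```

With a baseline of 2 sends per minute and noreply@example.com as the only known sender, the sample yields three alerts: the 40-send burst, the 20% bounce rate, and the unrecognised address.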
The Anatomy of the Phish: Polished Deception
The campaigns observed by Kaspersky are not the poorly formatted, grammatically incorrect messages of the past. These are high-fidelity replicas of corporate communication.
The two dominant patterns are:
- Document Signing Fraud: By mimicking industry-standard document platforms like DocuSign, attackers exploit the urgency of business workflows. The emails contain links that lead to credential-harvesting landing pages, which are often hosted on AWS infrastructure, ensuring that even the target’s browser security flags the URL as "safe" or "trusted."
- Business Email Compromise (BEC): Perhaps more damaging, attackers are using hijacked accounts to participate in active email threads. By injecting themselves into ongoing conversations or fabricating fake invoices for finance departments, they utilize the inherent trust of an existing relationship to conduct wire fraud.
This is the "grown-up" version of platform abuse. Whereas previous campaigns relied on the notification features of Google Forms or Tasks, this approach takes direct control of the entire pipeline, granting the attacker total control over the email’s content, attachments, and headers.
Official Responses and Industry Implications
While Amazon Web Services maintains robust security protocols, the responsibility for securing IAM credentials remains with the customer. AWS Trust & Safety teams are actively involved in responding to reports of abuse, but the sheer scale of the automated harvesting makes reactive cleanup a game of whack-a-mole.
The implications for the broader email ecosystem are profound. The industry is witnessing a shift where the "signals of trust"—the cryptographic signatures we rely on—are being weaponized against us.
"We are seeing a convergence where the infrastructure used for legitimate commerce is being cannibalized by the very people trying to destroy it," notes one security analyst. "The authentication markers that were meant to signal ‘safety’ are now just as likely to signal ‘a successful account takeover.’"
The Deliverability Lesson: Security as an Operational Requirement
The conclusion for modern enterprises is clear: email deliverability is no longer just about DNS records and list hygiene. It is fundamentally a matter of cloud infrastructure security. A leaked access key in a developer’s side project can do more damage to an organization’s sending reputation—and its financial bottom line—than a year of poor email marketing practices.
Strategic Mitigations for Organizations:
- Adopt Least-Privilege IAM: No long-lived access key should possess ses:SendEmail permissions by default. Use scoped-down policies that limit the ability of a key to only what is strictly necessary for its specific function.
- Move to IAM Roles: Eliminate static access keys wherever possible. Utilize IAM roles, which provide temporary, rotating credentials that significantly reduce the window of opportunity for an attacker.
- Implement Secrets Scanning: Organizations must proactively scan their internal code repositories, build artifacts, and CI/CD pipelines for leaked secrets. If the attackers are using open-source scanners to find your keys, you should be using those same tools to find them first.
- Enforce MFA and IP Restrictions: Where feasible, restrict API access to specific, known IP ranges. Adding a layer of Multi-Factor Authentication (MFA) to sensitive AWS operations is a baseline requirement in the current threat landscape.
- Rotation Policies: Automated, frequent rotation of access keys limits the "shelf-life" of a stolen credential, rendering harvested data useless shortly after it is acquired.
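One way to check the least-privilege and IP-restriction points above against real policy documents, as an added example that is not code from the article, Kaspersky or AWS: the audit below assumes it is fed IAM policy JSON (for instance, exported from the console or the CLI) and flags any Allow statement that grants SES send actions through wildcards, on every identity, or without an aws:SourceIp condition. The two policies at the bottom are constructed samples.

```python
import fnmatch
import json

# SES actions that let a principal send mail (SESv1 and SESv2 API names).
SES_SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail",
                    "ses:SendBulkTemplatedEmail", "ses:SendBulkEmail")

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_grants_send(stmt):
    """True if an Allow statement matches any SES send action (IAM wildcards, case-insensitive)."""
    if stmt.get("Effect") != "Allow":
        return False
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p)
               for action in SES_SEND_ACTIONS for p in patterns)

def has_source_ip_condition(stmt):
    """True if the statement is pinned to known source IP ranges via aws:SourceIp."""
    return any("aws:SourceIp" in values
               for operator, values in stmt.get("Condition", {}).items()
               if operator in ("IpAddress", "IpAddressIfExists"))

def audit_policy(policy_json):
    """Return human-readable findings for every statement that grants SES sending."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if not statement_grants_send(stmt):
            continue
        actions = _as_list(stmt["Action"])
        if any(a.strip().lower() in ("*", "ses:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions} grants SES sending")
        if _as_list(stmt.get("Resource", "*")) == ["*"]:
            findings.append(f"statement {i}: SES sending allowed on every identity (Resource '*')")
        if not has_source_ip_condition(stmt):
            findings.append(f"statement {i}: SES sending not restricted by aws:SourceIp")
    return findings

# Constructed sample policies (not from any real account); 123456789012 and
# 203.0.113.0/24 are the AWS documentation / TEST-NET placeholder values.
OVERLY_BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"],
     "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})
```

The broad policy produces three findings; the scoped one, which names a single verified identity and a known egress range, produces none.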
Conclusion: Reimagining Trust
The rise of SES-based phishing represents a pivot point in the history of internet security. As we continue to refine the mechanisms of email authentication, we must acknowledge that our current models of trust are reaching their limits.
Authentication tells us who authorized a message, but it cannot tell us if the owner of that authorization is the one currently holding the keys. As attackers become more proficient at hijacking the infrastructure of the cloud, the burden of security shifts back to the developer and the enterprise. In this new era, the strongest firewall is no longer a perimeter defense; it is the rigorous, disciplined management of the keys to the kingdom. If you cannot secure your credentials, you have already ceded the trust that your customers place in your brand.
