Amazon SES Weaponized: Trusted Cloud Service Powers Sophisticated Phishing Wave

Urgent Alert: Attackers Exploit Amazon’s Email Service to Bypass Security

Cybercriminals are increasingly hijacking Amazon Simple Email Service (SES) to launch phishing campaigns that evade traditional defenses. Security researchers report a sharp uptick in attacks using legitimate Amazon infrastructure to deliver malicious messages. These emails pass all standard authentication checks, making them nearly indistinguishable from legitimate correspondence.

Source: securelist.com

“Attackers aren’t using suspicious domains; they’re leveraging infrastructure that both users and security systems have grown to trust,” warned a senior threat analyst at a leading cybersecurity firm. “Every email sent via Amazon SES looks technically legitimate.”

The Danger: Trusted Infrastructure Undermines Email Security

Amazon SES is a cloud-based email platform for reliable transactional and marketing message delivery, integrated with AWS. Phishers misuse it to send emails that carry SPF, DKIM, and DMARC authentication and therefore pass all standard provider checks. The Message-ID headers contain .amazonses.com, further reinforcing the illusion of legitimacy.

Attackers mask phishing URLs with redirects, so a link showing amazonaws.com leads to a fake site. Custom HTML templates from Amazon SES enable highly convincing forgeries. Because the IP addresses are from legitimate Amazon infrastructure, they don’t appear on reputation-based blocklists. “Blocking Amazon SES would disrupt millions of legitimate emails, causing massive false positives,” explained an email security engineer.

How Attackers Compromise Amazon SES

The breach often begins with leaked IAM (AWS Identity and Access Management) access keys. Developers expose these keys in public GitHub repositories, .env files, Docker images, configuration backups, or publicly accessible S3 buckets. Automated bots using tools like TruffleHog scan for these credentials. Once the keys are verified, attackers gain sending permissions and blast out phishing emails at scale.

“We’re seeing a systematic harvesting of AWS keys from public code repositories,” a cloud security researcher noted. “It’s a low-effort, high-reward tactic for criminals.”

Real-World Example: Fake Docusign Notifications

One prevalent campaign in early 2026 mimics electronic signature service notifications. Emails purporting to be from Docusign carry technical headers proving they were sent via Amazon SES. The phishing attempt looks legitimate at first glance, with proper branding and a credible link structure.


Technical headers reveal the Amazon SES origin. The email passes all authentication checks, making it unlikely to be flagged by security filters. Recipients who click the link are redirected to a phishing page designed to steal credentials.

Background

Amazon Simple Email Service (SES) was designed for high-reliability transactional and marketing email delivery. It is widely used by businesses for sending invoices, receipts, and alerts. Its integration with AWS provides robust scalability and trust from email providers. However, this very trust is now being exploited. Attackers have long used legitimate services for phishing, but SES’s seamless authentication and high deliverability make it uniquely dangerous.

The attack vector relies on exposed IAM keys, a growing problem as developers inadvertently commit secrets to public repositories. Tools like TruffleHog automate the discovery of such leaks, enabling attackers to quickly compromise SES accounts.

What This Means

For organizations and individuals, this trend undermines the assumption that a passing SPF, DKIM, and DMARC result guarantees legitimacy. IT teams must implement advanced detection methods, such as analyzing email behavior and scanning for known phishing indicators beyond authentication headers. “Organizations should treat any email, even from trusted cloud providers, with caution,” advised a cybersecurity consultant. “User education and multi-factor authentication remain critical.”
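One way to check indicators beyond authentication headers, as an added example (not code from the original article or the researchers it quotes): a Python triage that flags a message whose Message-ID points at amazonses.com while its display name or subject claims a brand the From domain does not belong to, and lists amazonaws.com links for redirect inspection. The brand-to-domain map, the finding names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand really sends from (maintain your own list).
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}
URL_HOST = re.compile(r"https?://([^/\s\"'<>:]+)", re.I)

def under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return findings for one raw message; an authentication pass never clears it."""
    msg = message_from_string(raw)
    findings = []
    msg_id_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    if under(msg_id_host, ("amazonses.com",)):
        findings.append("sent-via-ses")
    display, addr = parseaddr(msg.get("From", ""))
    claimed = (display + " " + msg.get("Subject", "")).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and not under(addr.rpartition("@")[2], domains):
            findings.append("brand-mismatch:" + brand)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        for host in sorted(set(URL_HOST.findall(text))):
            if under(host, ("amazonaws.com",)):
                findings.append("amazonaws-link:" + host.lower())
    return findings

def is_suspect(raw):
    """Escalate when an SES-delivered message claims a brand its From domain does not own."""
    f = triage(raw)
    return "sent-via-ses" in f and any(x.startswith("brand-mismatch:") for x in f)

# Constructed samples (not real traffic); example.* names are placeholders.
PHISH = """\
From: "Docusign" <notify@mailer.example.net>
Subject: Please review and sign your document
Message-ID: <0100abcd-000000@email.amazonses.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html

<a href="https://example-bucket.s3.amazonaws.com/view.html">Review document</a>
"""
BENIGN = PHISH.replace('"Docusign"', '"Example Shop"').replace(
    "Please review and sign your document", "Your receipt")
```

Links reported as amazonaws-link are candidates for resolving the redirect chain in a sandbox; on their own they do not mark a message as malicious, since legitimate SES senders also host content on AWS.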

Cloud providers like Amazon must intensify monitoring of their services for abuse. Developers need to adopt secret scanning tools and secure key storage. Until systemic changes occur, phishing campaigns using legitimate infrastructure like Amazon SES will continue to pose a severe threat.
