Amazon SES Under Siege: How Cybercriminals Weaponize Trusted Email Infrastructure – Breaking News
Urgent: Phishing Epidemic Exploits Amazon SES to Bypass Email Defenses
Cybersecurity analysts report a sharp uptick in phishing campaigns leveraging Amazon Simple Email Service (Amazon SES), allowing attackers to send fraudulent emails that pass all standard security checks. These messages appear legitimate because they originate from Amazon's trusted infrastructure, complete with verified SPF, DKIM, and DMARC signatures.
"Attackers are abusing Amazon SES because it's a service that both users and email security systems inherently trust," said Dr. Jane Holloway, a senior threat researcher at CyberGuard Labs. "Each email includes .amazonses.com in the Message-ID header, making it technically indistinguishable from a legitimate Amazon SES message."
How the Attack Works
In most cases, threat actors gain access to Amazon SES via leaked AWS IAM access keys. These keys are frequently exposed in public GitHub repositories, Docker images, configuration backups, or even misconfigured S3 buckets.
Cybercriminals use automated tools such as TruffleHog, an open-source secret scanner, to hunt for these credentials. Once they verify the key's permissions and sending limits, they can dispatch thousands of phishing emails in minutes.
The phishing emails often mimic trusted services like DocuSign or other electronic signature platforms. A user sees a link pointing to amazonaws.com and clicks it with confidence, only to be redirected to a fraudulent site designed to steal credentials.
Background: Why Amazon SES Is a Prime Target
Amazon Simple Email Service is a cloud-based platform for high-reliability transactional and marketing email. It integrates seamlessly with AWS services and is widely used by legitimate businesses, giving it a strong reputation with email providers.
Because the messages come from Amazon's IP ranges, they are rarely placed on reputation-based blocklists. Blocking all Amazon SES traffic would cripple many organizations' daily operations, as it would also block legitimate correspondence from thousands of companies.
Additionally, Amazon SES allows custom HTML templates, which attackers use to craft convincing emails that mirror official communications down to the branding and layout.
What This Means for Organizations
The abuse of Amazon SES poses a serious challenge for security teams. Traditional email security measures—such as SPF, DKIM, and DMARC—are rendered ineffective because the phishing messages pass all these checks.
"The only viable defense is to focus on user awareness and robust IAM key management," explained Holloway. "Companies must audit their public repositories and cloud configurations for exposed credentials, and implement automated scanning to detect leaks before attackers do."
Further complicating the issue, simply blocking Amazon SES is not an option for most enterprises without causing widespread disruption. Security leaders are urged to adopt advanced detection techniques that analyze email behavior and link destinations rather than relying solely on reputation.
Real-World Example: Fake DocuSign Notifications
One prevalent campaign observed in early 2026 involved phishing emails mimicking DocuSign. Headers confirmed the emails were sent via Amazon SES, and the content appeared authentic, with legitimate-looking branding and a convincing call to action.
These attacks highlight the sophistication of modern phishing. The attackers are no longer using suspicious domains; they are weaponizing the very infrastructure that makes the internet function.
How to Protect Your Organization
- Continuous monitoring of source code repositories for leaked AWS keys using tools like TruffleHog or commercial secret scanners.
- Implement strict IAM policies with least privilege, and rotate keys regularly.
- Train employees to verify unexpected email requests, even if they appear to come from trusted domains.
- Deploy advanced email security solutions that inspect URL redirect paths and detect anomalous sending patterns.
This breaking story underscores a critical shift in phishing tactics: legitimate platforms are no longer just a delivery channel—they are the weapon itself. Read the background for more context.