Amazon SES abused for sophisticated phishing attacks

Amazon Simple Email Service (SES) is increasingly being abused to distribute convincing phishing emails that can bypass standard security filters and render reputation-based blocking ineffective. According to Bleeping Computer, this surge in abuse is likely due to a significant number of exposed AWS Identity and Access Management (IAM) access keys found in public repositories.

Attackers are leveraging Amazon SES, a legitimate and trusted service, to send malicious emails that bypass authentication checks like SPF, DKIM, and DMARC. Kaspersky researchers believe the primary driver for this abuse is the widespread exposure of AWS credentials in public assets such as GitHub repositories, .env files, and S3 buckets. Threat actors use automated tools like TruffleHog to scan for these leaked secrets, validate permissions, and then distribute a massive volume of phishing messages. The phishing campaigns are sophisticated, using custom HTML templates that mimic legitimate services like DocuSign and employing realistic login flows. They also include advanced business email compromise (BEC) attacks that fabricate email threads and fake invoices to trick finance departments.

Blocking the offending IP addresses is not a viable solution, as it would disrupt all legitimate emails sent via Amazon SES. Kaspersky recommends implementing least privilege IAM permissions, multi-factor authentication, regular key rotation, and IP-based access restrictions to mitigate these threats.
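One way to check IAM policy documents against the least-privilege and IP-restriction recommendations above, as an added example that is not from Kaspersky, AWS or the original article. The sample policies, account ID, domain and CIDR range are constructed placeholders, and the checker assumes restrictions are expressed with the `IpAddress` and `StringEquals` operators.

```python
from fnmatch import fnmatchcase

# Actions that let a key holder send mail through SES (lowercased for matching).
SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail")

def as_list(value):
    return value if isinstance(value, list) else [value]

def has_condition(stmt, operator, key):
    """True if the statement carries `key` under the given condition operator."""
    block = stmt.get("Condition", {}).get(operator, {})
    return key.lower() in (k.lower() for k in block)

def audit(policy):
    """Return (sid, issue) pairs for Allow statements that permit SES sending.
    Simplification: NotAction and operators such as StringLike are not handled."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        sends = any(fnmatchcase(s, a) for a in actions for s in SEND_ACTIONS)
        if stmt.get("Effect") != "Allow" or not sends:
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if any("*" in a for a in actions):
            findings.append((sid, "wildcard action"))
        if not has_condition(stmt, "IpAddress", "aws:SourceIp"):
            findings.append((sid, "no source IP restriction"))
        if not has_condition(stmt, "StringEquals", "ses:FromAddress"):
            findings.append((sid, "no From address restriction"))
    return findings

# Constructed sample policies; account ID, domain and CIDR are placeholders.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Mail", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Mail", "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "StringEquals": {"ses:FromAddress": "noreply@example.com"}}}]}

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(policy) or "ok")
```

A leaked key bound to the hardened policy can only send from the listed network range and From address, which limits its value for bulk phishing.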

"If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety," said an AWS spokesperson in a statement to Bleeping Computer.

Amazon said it quickly responds and takes appropriate action on reports of potential violations of its terms of service and referred to its guidance on protecting AWS accounts from unauthorized access.

Source: Bleeping Computer
