
Phishers abuse Amazon SES to evade detection

Summary

– Kaspersky reports a rise in phishing attacks abusing Amazon SES to send convincing emails that bypass standard security filters.
– The increase is linked to a large number of exposed AWS IAM access keys found in public assets like GitHub repositories and S3 buckets.
– Attackers use automated tools like TruffleHog to scan for leaked keys and validate permissions for mass email distribution.
– The phishing campaigns include fake DocuSign notifications and business email compromise attacks with fabricated email threads and invoices.
– Amazon recommends restricting IAM permissions, enabling MFA, rotating keys, and applying IP-based restrictions; it also encourages reporting suspected abuse to Trust & Safety.

Cybersecurity researchers at Kaspersky have identified a troubling rise in phishing campaigns that exploit Amazon Simple Email Service (SES) to bypass conventional email security measures. By routing malicious emails through a trusted platform like Amazon SES, attackers can evade reputation-based detection and authentication checks, making their campaigns far more difficult to stop.

Kaspersky’s latest report highlights that this uptick in abuse is likely fueled by the growing number of AWS Identity and Access Management (IAM) access keys exposed in public repositories, configuration files, and cloud storage. These credentials are often discovered automatically using tools like TruffleHog, an open-source scanner designed to hunt for leaked secrets. Once attackers obtain valid keys, they can verify permissions and sending limits, then unleash a flood of phishing emails from a legitimate source.

The quality of these phishing attempts is notably high, according to Kaspersky. Attackers craft custom HTML templates that closely mimic real services, complete with realistic login flows. Observed examples include fake DocuSign document-signing notifications that direct victims to AWS-hosted phishing pages. More sophisticated attacks involve business email compromise (BEC) schemes, where threat actors fabricate entire email threads and send fake invoices to deceive finance departments into making fraudulent payments.

Because Amazon SES is a reputable service, emails sent through it automatically pass SPF, DKIM, and DMARC authentication checks. This makes it nearly impossible for security filters to flag them based on origin alone. Blocking the IP addresses used by SES is also not a viable option, as that would disrupt legitimate email delivery for countless organizations.

Kaspersky advises companies to adopt strict least-privilege IAM policies, enable multi-factor authentication, regularly rotate access keys, and enforce IP-based restrictions and encryption controls. In response to the findings, an Amazon spokesperson told BleepingComputer that the company provides guidance on handling exposed credentials and protecting against unauthorized access. Amazon also emphasized that it acts quickly on reports of potential terms of service violations and encourages users to report suspected abuse to AWS Trust & Safety.
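One way to check existing IAM policies against the least-privilege and IP-restriction advice above, as an added example that is not from Kaspersky, Amazon or the original article. The two policies, the account ID, the domain and the address range are constructed sample values, and the check is a simplification: it looks only at `Allow` statements with `Action` (not `NotAction`) and at the standard-cased condition operators shown.

```python
import fnmatch

# Real SES send actions; IAM matches action names case-insensitively with wildcards.
SEND_ACTIONS = ["ses:SendEmail", "ses:SendRawEmail",
                "ses:SendTemplatedEmail", "ses:SendBulkEmail"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_send(stmt):
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(a.lower(), p)
               for a in SEND_ACTIONS for p in patterns)

def _has_condition(stmt, operators, key):
    cond = stmt.get("Condition", {})
    return any(k.lower() == key for op in operators for k in cond.get(op, {}))

def audit_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that let a
    leaked access key send SES mail without source or sender limits."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _grants_send(stmt):
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*' covers every SES identity"))
        if not _has_condition(stmt, ["IpAddress"], "aws:sourceip"):
            findings.append((i, "no aws:SourceIp limit"))
        if not _has_condition(stmt, ["StringEquals", "StringLike"], "ses:fromaddress"):
            findings.append((i, "no ses:FromAddress limit"))
    return findings

# Constructed sample policies (placeholder account ID, domain and address range).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "StringEquals": {"ses:FromAddress": "noreply@example.com"}}}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(policy))
```

A key bound to the scoped policy, if leaked, can send only from the listed address range and sender address, which limits its value for mass mailing.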

This trend is not limited to Amazon SES. Kaspersky warns that threat actors are continuously seeking ways to exploit other legitimate email systems for phishing, underscoring the need for constant vigilance and layered security defenses.

(Source: BleepingComputer)
