

Ethical Hacking News

A Growing Concern: Amazon SES Abuses and the Rise of Sophisticated Phishing Attacks


Amazon Simple Email Service (SES) has been increasingly abused by attackers to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. To combat this issue, organizations must implement robust security measures, including enforcing strict access controls, enabling multi-factor authentication, and regularly rotating keys.

  • Amazon Simple Email Service (SES) is being abused for phishing emails that can bypass standard security filters.
  • Malicious actors use automated tooling built on the open-source TruffleHog utility to scan for leaked AWS access keys in public assets.
  • The quality of phishing attacks is high, with custom HTML templates and realistic login flows.
  • Sending through Amazon SES lets the messages get past authentication checks such as SPF, DKIM, and DMARC.
  • Organizations must restrict IAM permissions, enable multi-factor authentication, rotate keys, and apply IP-based access restrictions to combat this issue.



    Amazon Simple Email Service (SES) has been increasingly abused by attackers to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. According to researchers at cybersecurity firm Kaspersky, this trend may be linked to a recent spike in exposed AWS Identity and Access Management (IAM) access keys in public assets.

    The attackers rely on automated tooling built on the open-source TruffleHog utility to scan for leaked secrets. These tools are designed to find sensitive information in GitHub repositories, .env files, Docker images, backups, and publicly accessible S3 buckets. After obtaining the access keys, attackers can verify their permissions and email sending limits before sending a massive volume of phishing messages.
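The key-checking step described above leaves a trace in CloudTrail that defenders can look for. The following is an added example, not code from the original article or from Kaspersky: it flags access keys that make several identity or quota checks from an address outside your own ranges. The event-name set, the network range, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: API calls a key holder can use to check identity and SES sending limits.
RECON_EVENTS = {"GetCallerIdentity", "GetSendQuota", "GetAccount", "ListIdentities"}
# Assumption: the egress range your own workloads use (a documentation range here).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed CloudTrail records, one JSON object per line, reduced to the fields used.
SAMPLE_LOG = """
{"eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"198.51.100.10","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventSource":"ses.amazonaws.com","eventName":"ListIdentities","sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"192.0.2.5","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventSource":"ses.amazonaws.com","eventName":"ListIdentities","sourceIPAddress":"cloudformation.amazonaws.com","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
"""


def is_known(ip):
    """True if ip falls inside KNOWN_NETWORKS; raises ValueError for non-IP values."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def find_key_checks(lines, min_distinct=2):
    """Map (access key, source IP) to the distinct check calls made from unknown IPs."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        key = event.get("userIdentity", {}).get("accessKeyId")
        if not key or event.get("eventName") not in RECON_EVENTS:
            continue
        ip = event.get("sourceIPAddress", "")
        try:
            if is_known(ip):
                continue
        except ValueError:
            continue  # AWS services appear here as a DNS name, not an address
        seen[(key, ip)].add(event["eventName"])
    # A single call is common in normal tooling; several distinct ones together stand out.
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    for (key, ip), calls in find_key_checks(SAMPLE_LOG.splitlines()).items():
        print(f"review key {key} used from {ip}: {', '.join(calls)}")
```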

    The quality of the phishing attacks is high, with custom HTML templates that mimic real services and realistic login flows. Observed attacks include fake document-signing notifications that imitate DocuSign to lead victims to AWS-hosted phishing pages, as well as more advanced business email compromise (BEC) attacks. In the BEC cases, attackers fabricate entire email threads to make the phishing messages appear more convincing and send fake invoices to trick finance departments into making payments.

    The use of Amazon SES allows attackers to bypass authentication checks such as SPF, DKIM, and DMARC. Moreover, blocking the offending IP addresses that deliver the phishing emails is not an acceptable solution because it would block all email coming through Amazon SES. This makes it difficult for organizations to distinguish between legitimate and malicious communications.

    Threat actors are no longer focused solely on Amazon SES; they are constantly trying to find ways to abuse other legitimate email systems to push phishing messages. To combat this issue, companies must restrict IAM permissions based on the "least privilege" principle, enable multi-factor authentication, regularly rotate keys, and apply IP-based access restrictions and encryption controls.
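To make the least-privilege and IP-restriction advice concrete, here is an added example (not from the original article or from AWS) that audits an IAM policy document for the weaknesses that let a leaked key send mail freely: wildcard actions, a wildcard resource, and no `aws:SourceIp` condition. Both policies are constructed, and the account ID, domain, and CIDR are placeholders.

```python
from fnmatch import fnmatchcase

SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail")

# Constructed weak policy: any SES action, any resource, from anywhere.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}

# Constructed hardened policy: send-only, one identity, one source range.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}}]}


def as_list(value):
    """IAM allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def audit_ses_policy(policy):
    """Return (statement index, finding) pairs for Allow statements that permit SES sending."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(send, a) for a in actions for send in SEND_ACTIONS):
            continue  # does not grant sending (NotAction is not evaluated here)
        if any("*" in a for a in actions):
            findings.append((index, "wildcard action"))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((index, "wildcard resource"))
        conditions = stmt.get("Condition", {})
        ip_bound = any(
            op.lower() == "ipaddress" and any(k.lower() == "aws:sourceip" for k in block)
            for op, block in conditions.items())
        if not ip_bound:
            findings.append((index, "no aws:SourceIp condition"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_ses_policy(doc) or "no findings")
```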

    In response to reports of potential terms of service violations, Amazon has stated that it is quick to react and take appropriate action. If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety.

    The increasing exposure of AWS credentials in public assets has led to an uptick in phishing attacks leveraging Amazon SES to deliver links that redirect to a malicious site. This trend is likely due to the ease with which access keys can be obtained using automated attacks built on TruffleHog. As a result, attackers are now equipped to spread a massive volume of phishing messages with high-quality custom templates and realistic login flows.

    In conclusion, the abuse of Amazon SES for phishing purposes is a growing concern that highlights the importance of robust security measures. Organizations must take proactive steps to protect themselves against these types of attacks, including enforcing strict access controls, enabling multi-factor authentication, and regularly rotating keys.





  • Published: Wed May 6 02:48:55 2026 by llama3.2 3B Q4_K_M












