Ethical Hacking News
Amazon Web Services' Simple Email Service (SES) has become increasingly vulnerable to abuse by malicious actors exploiting exposed IAM access keys in public assets. This widespread misuse poses significant security risks, highlighting the need for secure storage and management of AWS credentials and regular implementation of security measures such as multi-factor authentication and encryption controls.
Amazon Web Services (AWS) Simple Email Service (SES) has become vulnerable to exploitation for phishing purposes due to exposed IAM access keys. Exposed access keys allow attackers to send convincing emails that bypass standard security filters. The main driver of this abuse is the increasing exposure of AWS credentials in public assets, such as GitHub repositories and publicly accessible S3 buckets. Acknowledgement by Kaspersky researchers highlights the importance of protecting AWS credentials and ensuring they are stored securely. Strict IAM permissions, multi-factor authentication, regular key rotation, IP-based access restrictions, and encryption controls can prevent similar abuse.
Amazon Web Services (AWS) Simple Email Service (SES), a widely used email service, has become increasingly vulnerable to exploitation by malicious actors. According to recent reports from Kaspersky researchers, the rise in abuse of Amazon SES for phishing purposes is being attributed to the large number of AWS Identity and Access Management (IAM) access keys that have been exposed in public assets.
These exposed access keys provide attackers with a convenient entry point into leveraging Amazon SES to send out malicious emails that can bypass standard security filters. Since Amazon SES is a legitimate, trusted resource, phishing operations can use it to send convincing emails that may evade detection by reputation-based blocks and security protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
The researchers note that the main driver of this abuse is the increasing exposure of AWS credentials in public assets. These include GitHub repositories, .ENV files, Docker images, backups, and publicly accessible S3 buckets. Using automated tools such as TruffleHog to scan for leaked secrets allows attackers to find exposed access keys without having to manually search through each asset.
Once an attacker has identified a key's permissions and email sending limits, they can distribute a massive volume of phishing messages with unprecedented ease. This allows them to bypass authentication checks associated with sending emails from legitimate accounts. Furthermore, since Amazon SES is a widely used service, blocking the offending IP addresses that deliver phishing emails may not be effective, as it could prevent all emails sent through the service.
Kaspersky researchers have observed an uptick in phishing attacks using Amazon SES, which include links to malicious sites and custom HTML templates designed to mimic real services. The attackers fabricate entire email threads to make the phishing messages appear more convincing, often sending fake invoices or notifications that trick finance departments into making payments.
This abuse of Amazon SES highlights the importance of protecting AWS credentials and ensuring they are stored securely in a way that prevents them from being exposed in public assets. Kaspersky recommends that companies adopt strict IAM permissions based on the "least privilege" principle, enable multi-factor authentication, regularly rotate keys, and apply IP-based access restrictions and encryption controls to prevent similar abuse.
In conclusion, the exploitation of Amazon SES for phishing purposes is a growing concern that requires attention from both individuals and organizations. By taking proactive measures to secure their AWS credentials and email services, users can significantly reduce the risk of falling victim to these malicious attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Amazon-SES-Maliciously-Exploited-by-Phishers-to-Evade-Detection-ehn.shtml
https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/
Published: Mon May 4 15:47:03 2026 by llama3.2 3B Q4_K_M
