Amazon SES increasingly abused in phishing to evade detection
Kaspersky reports a surge in phishing sent through Amazon SES, fueled by the widespread exposure of AWS access keys in public repositories, Docker images, and backups. Attackers automate secret discovery and validation (for example with TruffleHog), then use the compromised account's SES sending capability to deliver realistic campaigns, including DocuSign-style signing notices and fake invoices. Because the mail originates from the account's own verified identity, it passes SPF and, where the domain has DKIM configured in SES, DKIM and DMARC as well. Blocking SES IP ranges is not a workable response, since the same ranges carry large volumes of legitimate mail. Recommended mitigations: enforce least-privilege IAM, enable MFA, rotate keys regularly, restrict key use with IP-based conditions, and keep stored credentials and backups encrypted.
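The least-privilege and IP-restriction recommendations above can be checked mechanically before a key is ever issued. The following is an added example, not code from Kaspersky or from the page: a small Python lint that flags an IAM policy statement which lets a key send through SES more broadly than a single workload needs, run against a constructed over-broad policy and a constructed hardened one. The account ID, domain, From address and CIDR are placeholders; the action names and the condition keys ses:FromAddress, aws:SourceIp and aws:SourceVpce are real SES and IAM names.

```python
from fnmatch import fnmatchcase

# SES actions that put mail on the wire. A key that holds only these, pinned to
# one identity, one From address and one source network, is of little use to
# whoever finds it in a public repo or backup.
SEND_ACTIONS = {
    "ses:sendemail",
    "ses:sendrawemail",
    "ses:sendtemplatedemail",
    "ses:sendbulktemplatedemail",
}


def _as_list(value):
    """IAM allows a bare string wherever it allows a list."""
    return value if isinstance(value, list) else [value]


def _grants_send(actions):
    """True if any action (wildcards included) covers an SES send action."""
    patterns = [a.lower() for a in actions]
    return any(fnmatchcase(send, p) for send in SEND_ACTIONS for p in patterns)


def _condition_keys(stmt):
    """Flatten {"Operator": {"key": value}} into the set of lower-cased keys."""
    return {k.lower() for operator in stmt.get("Condition", {}).values() for k in operator}


def ses_policy_findings(policy):
    """Return (statement index, message) for each Allow statement that grants
    SES sending without the scoping a leaked key would need to be harmless."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not _grants_send(actions):
            continue
        if any(a.lower() in ("*", "ses:*") for a in actions):
            findings.append((i, "wildcard action: the key can also manage identities, "
                                "configuration sets and account-level settings"))
        if "*" in _as_list(stmt.get("Resource", "*")):
            findings.append((i, "Resource is *: pin sending to the identity ARN(s) "
                                "the workload actually sends as"))
        keys = _condition_keys(stmt)
        if "ses:fromaddress" not in keys:
            findings.append((i, "no ses:FromAddress condition: any verified address "
                                "in the account can appear as the sender"))
        if not keys & {"aws:sourceip", "aws:sourcevpce"}:
            findings.append((i, "no aws:SourceIp / aws:SourceVpce condition: a leaked "
                                "key works from anywhere on the internet"))
    return findings


# Constructed: the kind of policy a quick tutorial or a rushed deploy produces.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
}

# Constructed: the same capability scoped down. Placeholder account, domain,
# address and CIDR.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
        "Condition": {
            "StringEquals": {"ses:FromAddress": "no-reply@example.com"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, ses_policy_findings(policy) or "no findings")
```

Two caveats when applying the hardened shape: aws:SourceIp only matches calls made directly by the principal, so a workload that reaches SES through a VPC endpoint should use aws:SourceVpce instead, and scoping does not remove the need for rotation, since a scoped key that leaks still sends as the one address it is allowed to use.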

Amazon SES Increasingly Abused in Phishing to Evade Detection
Overview
The Amazon Simple Email Service (SES) is seeing a surge in phishing campaigns that use its legitimate infrastructure to get past common email security filters. Because the mail is sent from a compromised AWS account's own verified SES identity, it carries the same authentication results and sender reputation as that organization's genuine mail, so reputation-based blocks and authentication checks let it through; nothing is bypassed in a technical sense. The pattern builds on past abuse, but the current wave appears to be driven by a growing pool of publicly exposed AWS credentials that attackers harvest and reuse at scale.
Underlying Drivers
- Widespread exposure of AWS credentials in public assets
- GitHub repositories, .env configuration files, Docker images, backups, and publicly accessible S3 buckets are routinely scanned for leaked keys.
- Automated credential discovery and use
- Bots run secret scanners such as TruffleHog to find keys and confirm they are still live; validated keys are then fed into tooling that checks SES permissions and sending quotas and sends the phishing mail.
- Rapid scalability of phishing operations
- Once a key’s permissions and sending limits are verified, attackers can flood targets with large volumes of messages, increasing the likelihood that at least a portion reach victims.
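The same scanning the attackers automate can be run first by the owner of the code, image or backup. The following is an added example, not code from Kaspersky, TruffleHog or the page: a Python scanner that walks an in-memory tree of file contents and reports AWS access key IDs and secret keys, with the values masked so the report itself does not become a second leak. The sample files are constructed; the key values in them are the placeholders AWS uses in its own documentation.

```python
import re
from typing import NamedTuple

# AWS long-term access key IDs start with AKIA (temporary ones with ASIA) and
# are 20 characters long; the matching secret is a 40-character base64-style
# string. Finding the ID alone is enough to trigger rotation.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    masked: str  # never carry the full credential into logs or tickets


def mask(value: str) -> str:
    """Keep just enough of a credential to identify it for rotation."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line for AWS key material."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", mask(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents: a checked-out repo, the env and
    layer files pulled out of a Docker image, or an unpacked backup."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample tree. AKIAIOSFODNN7EXAMPLE and the secret below are the
# placeholders from AWS documentation, so they are safe to print; a production
# scanner would normally allowlist exactly these two strings to avoid noise.
SAMPLE_FILES = {
    ".env": (
        "DB_HOST=localhost\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "RUN pip install boto3\n"
    ),
    "backup/config.json": (
        '{"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", '
        '"region": "us-east-1"}\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
```

Wire `scan_text` into a pre-commit hook and a CI step that runs over built image layers and backup archives; a hit on an ID pattern should be treated as a rotation event even when the secret is not found beside it, because the attacker tooling described above will try the ID against every secret it has.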
Key characteristics of the abuse
- High-quality phishing content
- The phishing emails often use custom HTML templates that mimic legitimate services and realistic login flows, enhancing credibility.
- Varied and convincing lure techniques
- Fake document-signing notifications (imitating DocuSign) lead recipients to AWS-hosted phishing pages.
- Business email compromise (BEC) variants target finance teams with deceptive invoices and payment requests.
- Sophisticated email threads
- Attackers craft entire email threads to appear legitimate, making the messages harder to distinguish from real correspondence.
Attack Surface and Workflow
- SES as a trusted conduit
- Because SES is a widely used, reputable sending service, mail sent through a compromised account passes the checks that would stop a throwaway mail server, with far less friction than other delivery channels.
- Passing, not bypassing, standard defenses
- The mail goes out from the compromised account's verified identity, so SPF passes on SES's MAIL FROM domain and, where the domain has DKIM configured in SES, DKIM and DMARC pass as well; the authentication stack is satisfied rather than evaded, which leaves filters without a cheap signal.
- Distribution challenges for defenders
- Blocking or throttling specific SES IPs can disrupt legitimate email flow, complicating any straightforward response.
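Since blocking SES addresses is off the table, the useful signal sits on the account side: a key that is suddenly used to check its own SES quota, sending status and identities from an unfamiliar address is exactly the "permission validation" step the automated workflow performs. The following is an added example, not code from Kaspersky or the page: a Python detector that groups SES and STS reconnaissance calls by access key and alerts when several distinct calls arrive from outside the organization's known networks within a short window. The records are constructed in a trimmed-down CloudTrail shape; it assumes CloudTrail is enabled for the account, and the known network and key IDs are placeholders.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Calls an operator makes to size up a found key before sending. The SES
# names are real API actions (v1 and v2); listing quota, sending status and
# identities is the "permission validation" step the workflow relies on.
RECON_CALLS = {
    "GetCallerIdentity",          # sts: whose key is this?
    "GetSendQuota",               # ses v1: daily limit and 24h usage
    "GetAccountSendingEnabled",   # ses v1: is sending turned on?
    "GetAccount",                 # ses v2 equivalent of the two above
    "ListIdentities",             # ses v1: which domains can we send as?
    "ListEmailIdentities",        # ses v2
    "GetIdentityVerificationAttributes",
}
WATCHED_SOURCES = {"ses.amazonaws.com", "sts.amazonaws.com"}
WINDOW = timedelta(minutes=15)

# Constructed: the organisation's egress range (documentation CIDR).
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _is_known(ip, known_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in known_nets)


def detect_key_validation(records, known_nets=KNOWN_NETS, min_calls=2):
    """One alert per access key that makes at least min_calls distinct
    reconnaissance calls from outside known_nets within WINDOW."""
    by_key = defaultdict(list)
    for r in records:
        if r["eventSource"] not in WATCHED_SOURCES or r["eventName"] not in RECON_CALLS:
            continue
        key = r["userIdentity"].get("accessKeyId")
        if not key or _is_known(r["sourceIPAddress"], known_nets):
            continue
        by_key[key].append((_parse_time(r["eventTime"]), r["eventName"], r["sourceIPAddress"]))

    alerts = []
    for key, events in by_key.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - t0 <= WINDOW]
            calls = sorted({e[1] for e in window})
            if len(calls) >= min_calls:
                alerts.append({
                    "access_key_id": key,
                    "first_seen": t0.isoformat(),
                    "calls": calls,
                    "source_ips": sorted({e[2] for e in window}),
                })
                break  # one alert per key is enough to start the response
    return alerts


def _rec(time, source, name, ip, key):
    """Build a record in the (trimmed) shape CloudTrail uses."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


# Constructed sample. The first record is the app's own quota check from the
# office range; an hour later the same key is tested from an outside address.
SAMPLE_RECORDS = [
    _rec("2025-01-15T08:00:12Z", "ses.amazonaws.com", "GetSendQuota", "203.0.113.10", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2025-01-15T09:01:03Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2025-01-15T09:01:20Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2025-01-15T09:01:41Z", "ses.amazonaws.com", "GetAccountSendingEnabled", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2025-01-15T09:03:55Z", "ses.amazonaws.com", "ListIdentities", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE"),
    # Out of scope for this rule: a non-SES call from the same outside address.
    _rec("2025-01-15T09:04:10Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE"),
    # A single identity check from an unknown address stays below threshold.
    _rec("2025-01-15T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "192.0.2.5", "AKIAEXAMPLEDEV000002"),
]

if __name__ == "__main__":
    for alert in detect_key_validation(SAMPLE_RECORDS):
        print(alert)
```

The rule is deliberately narrow: it does not try to count sent messages, because the volume spike that follows is better watched through SES's own sending metrics and event publishing. Its value is timing, since the quota and identity lookups happen minutes before the first phishing batch, which is when disabling the key still prevents the campaign rather than cleaning up after it.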
Notable Phishing Scenarios
- DocuSign-like document notices
- Victims are guided to phishing pages hosted on AWS infrastructure, where credential harvesting can occur under the guise of document signing.
- Fake invoices and accounting lures
- Targeted messages revolve around payment requests, attempting to trigger routine finance processes.
- Realistic email threads
- Attackers simulate ongoing conversations to lend authenticity and reduce suspicion.
Impact and Implications
- Increased attacker throughput
- The combination of automated key discovery and SES-based delivery enables higher volumes of phishing content than many defenses were built to handle.
- Greater realism and lower detection rates
- The use of template-driven, service-mimicking designs raises the bar for quickly distinguishing phishing from legitimate messages.
- Shifting the defense paradigm
- As attackers exploit SES’s legitimate status, traditional blocklists and sender reputation measures become less reliable indicators of risk.
Visual and Documentary Artifacts
- Header and body styling
- Phishing headers and layouts mirror common corporate mail formats, adding to the deception.
- Supporting documents
- Fabricated documents accompany the emails to bolster the appearance of authenticity and to justify the illicit flow of information or funds.
Context and Related Trends
- The security community’s focus on credential hygiene
- The surge in SES-based phishing aligns with ongoing concerns about credential exposure in developer and ops environments.
- The evolving threat landscape
- Beyond SES, threat actors continue to adapt by combining leaked secrets with trusted infrastructure to broaden reach and complicate detection.
Observations from Security Research
- Researchers note a discernible uptick in SES-enabled phishing
- Analyses highlight the increasing role of AWS credential exposure as the gateway enabling this wave.
- The attack chain is now tightly automated
- Automated secret scanning, permission validation, and email distribution form a streamlined workflow that accelerates phishing campaigns.
Concluding Thoughts
- The intersection of exposed credentials and trusted email infrastructure has created a potent phishing vector.
- Attackers are leveraging the perceived legitimacy of SES to bypass common defenses, delivering highly convincing messages at scale.
- The landscape underscores the importance of credential hygiene and the need for evolving detection approaches that account for trusted service abuse in email ecosystems.


