When Trusted Infrastructure Becomes a Weapon: How Amazon SES Fuels Phishing Attacks

Introduction

Cybercriminals constantly seek new ways to slip past email defenses and trick users into handing over sensitive information. In recent months, a particularly insidious tactic has gained traction: abusing legitimate cloud services to lend credibility to their malicious campaigns. Among these, Amazon Simple Email Service (SES) has emerged as a favored tool for phishing operations. By leveraging trusted infrastructure, attackers bypass traditional security filters and prey on the inherent trust users place in recognized domains.

Source: securelist.com

The Danger of Abusing Amazon SES

Amazon SES is a cloud-based email platform designed for high-reliability delivery of transactional and marketing messages. It integrates seamlessly with the broader AWS ecosystem. On the surface, using SES for phishing looks like just another delivery channel, but its true danger lies in the trust factor. Emails sent through SES come from domains that users and security systems have long considered safe. They pass SPF, DKIM, and DMARC authentication checks with flying colors, and the Message-ID headers nearly always contain amazonses.com. From a technical perspective, every email sent via Amazon SES – even a malicious one – appears completely legitimate.

Attackers further exploit SES’s features. They mask phishing URLs behind legitimate redirects: a link may show amazonaws.com, luring a victim to click confidently, only to be redirected to a credential-harvesting page. Custom HTML templates, also permitted by SES, allow attackers to craft highly convincing emails that mimic official notifications. Because the sender’s IP address belongs to Amazon’s infrastructure, it never lands on reputation-based blocklists. Blocking all SES traffic would effectively shut down a massive portion of legitimate email, causing unacceptable collateral damage for organizations that rely on AWS-based communications.

How Attackers Gain Access to Amazon SES

In most cases, access to Amazon SES is obtained through leaked IAM (Identity and Access Management) access keys. Developers inadvertently expose these keys in public GitHub repositories, environment files, Docker images, configuration backups, or even in publicly accessible S3 buckets. Attackers actively scan for these exposures using automated tools, such as the open-source utility TruffleHog, which is designed to detect leaked secrets. Once a key is discovered, the attacker verifies its permissions and email-sending limits, then launches a massive phishing campaign.
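
Defenders can run the same kind of pattern match over their own working tree before anything is pushed. The sketch below is an added example, not code from the article or from TruffleHog; the function names, the secret-key heuristic and the sample file content are assumptions made for illustration.

```python
import os
import re

# AWS long-term access key IDs start with "AKIA", temporary ones with "ASIA",
# followed by 16 upper-case letters or digits.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic (assumption): a 40-character base64-style value assigned to a
# name containing "secret" is treated as a possible secret access key.
SECRET = re.compile(
    r'(?i)secret[^\n=:]{0,30}[=:]\s*["\']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])'
)

def scan_text(text):
    """Return (line_number, kind, redacted_value) for each suspected credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID.finditer(line):
            hits.append((n, "access-key-id", m.group()[:8] + "..."))
        for m in SECRET.finditer(line):
            hits.append((n, "secret-access-key", m.group(1)[:4] + "..."))
    return hits

def scan_tree(root):
    """Scan the working tree under root; git history needs a dedicated tool."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                results[path] = hits
    return results

# Constructed sample of an environment file; both values are placeholders.
SAMPLE_ENV = (
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n"
    "AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n"
    "SES_REGION=us-east-1\n"
)
```

Values are redacted in the results so that the scan output does not become a second copy of the secret.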

Real-World Examples of SES-Based Phishing

In early 2026, one prevalent theme involved fake notifications from electronic signature services. A phishing email imitating DocuSign was sent via Amazon SES. The email’s technical headers confirm SES as the origin. At first glance, the message appears legitimate – it uses the same branding, layout, and language as authentic DocuSign communications. The link, however, leads to a fake login page that harvests credentials.

Other observed lures include fake alerts from financial institutions, package delivery scams, and urgent security warnings. In every case, the attacker relies on the trust associated with Amazon SES to evade detection and increase the likelihood of victim engagement.

How to Defend Against SES-Based Phishing

Defending against these attacks requires a multi-layered approach:

  • Enhanced email filtering: Look beyond authentication checks. Analyze header anomalies, such as unusual Return-Path or Reply-To addresses, and flag emails with amazonses.com in Message-ID that do not match expected sender domains.
  • User awareness training: Educate employees to scrutinize unexpected emails, even if they appear to come from trusted services. Highlight that legitimate companies never ask for passwords or sensitive data via email links.
  • Monitor for leaked keys: Regularly scan code repositories, public S3 buckets, and configuration files for exposed AWS credentials. Use automated tools like TruffleHog or AWS’s own IAM Access Analyzer.
  • Implement DMARC reports: Receive failure reports to identify unauthorized use of your domain, even if emails are sent via legitimate SES accounts.
  • Restrict SES usage: If you use AWS, apply strict IAM policies that limit which services and regions can use SES. Enforce multi-factor authentication for all AWS accounts.
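
The header checks from the first item in the list above can be expressed as a small triage function. This is an added example, not code from the article: the allowlist, the finding names and both sample messages are constructed for illustration, and the Return-Path rule is a heuristic that assumes a bounce address is normal when it sits under amazonses.com or under the visible sender's own domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the receiving organisation maintains this allowlist of domains
# it expects to send to it through Amazon SES (hypothetical value).
EXPECTED_SES_SENDERS = {"billing.example.com"}

def domain_of(value):
    """Lower-cased domain of an address-style header value, or ''."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(domain, base):
    """True when domain equals base or is a subdomain of it."""
    return bool(base) and (domain == base or domain.endswith("." + base))

def ses_header_findings(raw, expected=EXPECTED_SES_SENDERS):
    """Return heuristic findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    rpath_dom = domain_of(msg.get("Return-Path"))
    via_ses = aligned(domain_of(msg.get("Message-ID")), "amazonses.com")
    findings = []
    # Authenticated SES mail from a domain that is not an expected SES sender.
    if via_ses and from_dom not in expected:
        findings.append("ses-unexpected-sender")
    # Replies would go to a different organisation than the visible sender.
    if reply_dom and not aligned(reply_dom, from_dom):
        findings.append("reply-to-mismatch")
    # Bounce address is neither under amazonses.com nor the sender's domain.
    if rpath_dom and not (aligned(rpath_dom, "amazonses.com")
                          or aligned(rpath_dom, from_dom)):
        findings.append("return-path-mismatch")
    return findings

# Constructed sample messages (not taken from the article).
LURE = (
    "From: DocuSign <notify@docs-sign.example>\n"
    "Reply-To: support@mailbox.example\n"
    "Return-Path: <0100abc-000000@amazonses.com>\n"
    "Message-ID: <0100abc-000000@email.amazonses.com>\n"
    "Subject: Document ready for signature\n\nbody\n"
)
EXPECTED_MAIL = (
    "From: Billing <invoices@billing.example.com>\n"
    "Return-Path: <bounce@mail.billing.example.com>\n"
    "Message-ID: <0100def-000000@email.amazonses.com>\n"
    "Subject: Your invoice\n\nbody\n"
)
```

Findings like these are scoring signals to combine with URL and content analysis, since SPF, DKIM and DMARC all pass for both sample messages.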

Conclusion

The abuse of Amazon SES represents a sophisticated evolution in phishing techniques, leveraging trusted cloud infrastructure to bypass conventional defenses. Attackers only need a set of leaked keys to launch convincing campaigns that fly under the radar. While platform providers like AWS continuously work to detect and prevent misuse, organizations must take proactive steps – from securing their own credentials to training users – to mitigate this growing threat. Understanding how these attacks work is the first step toward building resilience against them.
