Phishing email imitating a Docusign notification
A recent report from Kaspersky Labs reveals a disturbing surge in phishing campaigns leveraging Amazon Simple Email Service (Amazon SES) to bypass standard security filters and deceive even vigilant users.
By hijacking the infrastructure of one of the world’s most trusted cloud providers, scammers are successfully delivering malicious content that appears perfectly legitimate to both human eyes and automated defense systems.
The primary challenge in modern phishing is bypassing email security. Traditionally, attackers used suspicious domains that were quickly flagged by blocklists. However, the Kaspersky report notes that the “insidious nature of Amazon SES attacks lies in the fact that attackers aren’t using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust”.
Why these emails are so dangerous:
- Authentication Success: These emails utilize SPF, DKIM, and DMARC protocols, meaning they pass standard provider checks.
- Technical Legitimacy: Headers almost always contain .amazonses.com, making them look technically flawless.
- IP Reputation: Because the sender’s IP belongs to Amazon, it won’t end up on reputation-based blocklists. Blocking these IPs would disrupt legitimate global mail delivery.
- Convincing Templates: Attackers use custom HTML templates to craft highly professional messages, such as fake DocuSign or Acrobat notifications.
Attackers rarely “hack” Amazon directly; instead, they exploit developer negligence. The most common point of entry is through leaked IAM (AWS Identity and Access Management) access keys. Scammers use automated bots, often based on tools like TruffleHog, to hunt for secrets left exposed in:
- Public GitHub repositories
- Environment (.ENV) files and Docker images
- Configuration backups or public S3 buckets
Once a key is found, phishers verify the sending limits and begin “blasting out thousands of phishing emails” that direct victims to sign-in forms hosted on legitimate domains like amazonaws.com, creating a false sense of safety.
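As an added example (not from Kaspersky's report or this article), here is a Python triage routine that checks a raw message for the combination described above: relayed through amazonses.com, a display name claiming a brand such as DocuSign while the From domain belongs elsewhere, and links pointing into amazonaws.com. The brand-to-domain allowlist and the sample message are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Impersonated brands from the report, mapped to domains that legitimately send
# for them (an assumed allowlist for this example, not from the page).
BRAND_DOMAINS = {
    "docusign": ("docusign.com", "docusign.net"),
    "acrobat": ("adobe.com", "adobesign.com"),
}

# Constructed sample: fake DocuSign notice relayed via Amazon SES, linking to a
# sign-in page hosted under amazonaws.com.
PHISH_EMAIL = """\
Return-Path: <bounce-constructed@us-east-1.amazonses.com>
From: DocuSign <notice@example-sender.com>
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://s3.us-east-1.amazonaws.com/constructed-bucket/login.html">Review document</a></body></html>
"""

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_message):
    """Return indicators for the SES phishing pattern on one raw message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    # Brand claimed by the display name vs. the domain that actually sent it.
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    mismatch = brand is not None and not _under(from_domain, BRAND_DOMAINS[brand])
    # Hrefs in the single-part HTML body that point into amazonaws.com.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I)
    aws_links = [u for u in links if _under(_host(u), ("amazonaws.com",))]
    return {
        "via_ses": _under(rp_domain, ("amazonses.com",)),
        "brand": brand,
        "brand_domain_mismatch": mismatch,
        "aws_hosted_links": aws_links,
        # SES relay alone is ordinary traffic; mismatch plus an amazonaws.com
        # link is the combination that should route the mail to review.
        "suspicious": mismatch and bool(aws_links),
    }
```

Because SES relay by itself is legitimate traffic, the routine only marks a message suspicious when the brand mismatch and the amazonaws.com link occur together; a genuine DocuSign notice from a docusign.net sender passes clean.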
Kaspersky also warns that Amazon SES is becoming a vehicle for advanced Business Email Compromise (BEC). In these scenarios, attackers don’t just send a link; they fabricate entire conversations. One investigation found an email that appeared to be an internal thread between an employee and a vendor regarding an outstanding invoice.
The attachments, which posed as financial documents such as W-9 forms, contained no malicious URLs or QR codes. Instead, they were “forged financial documents” carrying banking instructions designed to trick the finance department into a fraudulent wire transfer.
To mitigate the risks of AWS credential leaks and SES abuse, Kaspersky recommends several critical security measures:
- Principle of Least Privilege: Configure IAM keys to grant only the permissions necessary for the task.
- Transition to Roles: Move from permanent access keys to AWS roles with specific profiles.
- Enforce MFA: Enable multi-factor authentication across all AWS accounts.
- Key Rotation: Implement automated key rotation and conduct regular security audits.
- Centralized Management: Use the AWS Key Management Service to encrypt and manage unique cryptographic keys.
For the end user, the lesson is that an email cannot be judged safe based solely on the From field. Always verify unexpected document requests through a separate communication channel and carefully inspect the final destination of any link before clicking.