Intel Node

“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security

low · advisory · 2026-05-04T10:00:23+00:00
tradecraft · cloud · identity · email

Kaspersky expert breaks down a new phishing scheme that uses the Amazon SES cloud email service. Let's look at some examples to see how you can tell a phishing email from a real one.

Introduction

The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns. Specifically, we’ve recently observed an uptick in phishing attacks leveraging Amazon SES.

The dangers of Amazon SES abuse

Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for highly reliable transactional and marketing message delivery. It integrates seamlessly with other products in Amazon’s cloud ecosystem, AWS. At first glance, it might seem like just another delivery channel for email phishing, but that isn’t the case. The insidious nature of Amazon SES attacks lies in the fact that attackers aren’t using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust. These emails utilize SPF, DKIM, and DMARC authentication protocols, passing all standard provider checks, and almost always contain .amazonses.com in the Message-ID header.

Consequently, from a technical standpoint, every email sent via Amazon SES – even a phishing one – looks completely legitimate. Phishing URLs can be masked with redirects: a user sees a link like amazonaws.com in the email and clicks it with confidence, only to be sent to a phishing site rather than a legitimate one. Amazon SES also allows for custom HTML templates, which attackers use to craft more convincing emails. Because this is legitimate infrastructure, the sender’s IP address won’t end up on reputation-based blocklists. Blocking it would restrict all incoming mail sent through Amazon SES. For major services, that kind of measure is ineffective, as it would significantly disrupt user workflows due to a massive number of false positives.

How compromise happens

In most cases, attackers gain access to Amazon SES through leaked IAM (AWS Identity and Access Management) access keys. Developers frequently leave these keys exposed in public GitHub repositories, ENV files, Docker images, configuration backups, or even in publicly accessible S3 buckets. To hunt for these IAM keys, phishers use various tools, such as automated bots based on the open-source utility TruffleHog, which is designed for detecting leaked secrets. After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages.

Examples of phishing with Amazon SES

In early 2026, one of the most common themes in phishing emails sent with Amazon SES was fake notifications from electronic signature services.

Phishing email imitating a Docusign notification

The email’s technical headers confirm that it was sent with Amazon SES. At first glance, it all looks legitimate enough.
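The header signals described above (SPF/DKIM/DMARC passing, an amazonses.com Message-ID, a brand name only in the display name, amazonaws.com redirect links) can be combined into a simple mail-gateway triage check. This is an added example, not code from the article or from Kaspersky; the sample message, the Message-ID value and the BRAND_DOMAINS list are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the pattern the article describes: authentication
# passes, the Message-ID is from amazonses.com, the brand appears only in the
# display name, and the link is an AWS-hosted redirector. All values are made up.
SAMPLE_EML = b"""From: "DocuSign" <notify@mailer-example.invalid>
To: victim@example.com
Subject: Please review and sign
Message-ID: <0100019abc-00000000-0000-0000-0000-000000000000-000000@us-east-1.amazonses.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-example.invalid; dkim=pass header.d=amazonses.com; dmarc=pass header.from=mailer-example.invalid
Content-Type: text/html; charset=utf-8

<html><body><a href="https://example-bucket.s3.amazonaws.com/r?to=https://sign-example.invalid/login">Review document</a></body></html>
"""

# Impersonated brands mapped to the domains they really send from (constructed;
# a real deployment maintains its own list).
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def body_hosts(msg):
    """Hostnames of every http(s) URL in the body, including URLs nested in redirect parameters."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [h.lower() for h in re.findall(r"https?://([^/\s\"'<>]+)", text)]

def triage(raw):
    """Return the individual signals plus a combined 'suspicious' verdict."""
    msg = message_from_bytes(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    mid_domain = msg.get("Message-ID", "").strip("<>").rsplit("@", 1)[-1].lower()
    findings = {
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "sent_via_ses": mid_domain.endswith("amazonses.com"),
        # Brand named in the display name but the envelope From domain is not the brand's own.
        "brand_mismatch": any(b in name.lower() and not from_domain.endswith(d)
                              for b, d in BRAND_DOMAINS.items()),
        "aws_links": [h for h in body_hosts(msg) if h.endswith("amazonaws.com")],
    }
    # Passing authentication only proves SES sent the mail; flag it when the other signals line up.
    findings["suspicious"] = findings["sent_via_ses"] and (findings["brand_mismatch"] or bool(findings["aws_links"]))
    return findings
```

Because blocking SES outright is impractical, as the article notes, the check escalates on the combination of signals rather than on the sending infrastructure alone.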
