Attackers are increasingly abusing Amazon Simple Email Service (SES) to run phishing and Business Email Compromise (BEC) campaigns. Because emails sent via Amazon SES pass SPF, DKIM, and DMARC checks and originate from trusted IP addresses, they bypass standard security filters. Attackers typically gain access by harvesting leaked AWS IAM keys from public GitHub repos, Docker images, or S3 buckets using tools like TruffleHog. Phishing emails impersonate e-signature services and redirect victims to credential-harvesting pages hosted on amazonaws.com. BEC attacks go further, fabricating entire email threads to trick finance teams into transferring funds. Mitigations include applying least-privilege IAM policies, switching to IAM roles, enabling MFA, restricting IP-based access, rotating keys regularly, and using AWS KMS.
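To make the least-privilege and IP-restriction mitigations concrete, here is an added example (not code from the Securelist article or its authors) that audits an IAM policy document for broad SES sending grants; the account ID, identity ARN and CIDR in the sample policies are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policies: a permissive statement that lets any holder of a
# leaked key send SES mail from anywhere, beside a hardened one scoped to a
# single verified identity and a single trusted network range.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/mail.example.com",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
})

SES_SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail",
                    "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail")


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement
    return value if isinstance(value, list) else [value]


def audit_ses_policy(policy_json):
    """Return findings for Allow statements that grant SES sending too broadly."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # Wildcards such as "ses:*" or "*" also cover the send actions
        grants_send = any(fnmatch.fnmatchcase(s.lower(), a)
                          for a in actions for s in SES_SEND_ACTIONS)
        if not grants_send:
            continue
        if any(a in ("*", "ses:*") for a in actions):
            findings.append(f"stmt {idx}: wildcard SES action grant")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"stmt {idx}: sending not scoped to a verified identity")
        cond_keys = {k.lower() for c in stmt.get("Condition", {}).values() for k in c}
        if "aws:sourceip" not in cond_keys:
            findings.append(f"stmt {idx}: no aws:SourceIp restriction")
    return findings
```

Running it against the two constructed policies reports three findings for the weak one and none for the hardened one, which is the shape of check worth adding to a CI step that reviews IAM policy changes.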

5 min read time. From securelist.com

Table of contents:
- Introduction
- The dangers of Amazon SES abuse
- How compromise happens
- Examples of phishing with Amazon SES
- Amazon SES and BEC
- Takeaways