Attackers Abuse Amazon SES to Send Phishing That Passes Email Authentication
Kaspersky reported a rise in phishing campaigns that abuse Amazon Simple Email Service (SES) to deliver convincing messages through trusted cloud infrastructure. The activity is believed to be fueled by exposed AWS Identity and Access Management (IAM) access keys discovered in public GitHub repositories, .env files, Docker images, backups, and public S3 buckets. After validating stolen credentials—reportedly with automated secret-scanning and access-checking workflows—attackers use SES to send bulk phishing emails that can pass SPF, DKIM, and DMARC, reducing the effectiveness of reputation-based filtering.
Observed campaigns included fake DocuSign notifications that redirected targets to AWS-hosted credential-harvesting pages, as well as more advanced business email compromise attempts using fabricated email threads and fake invoices. Researchers urged organizations to enforce least-privilege IAM permissions, enable MFA, rotate keys regularly, apply IP-based access restrictions, and strengthen encryption controls around secrets. Amazon said it provides guidance for exposed credentials, responds to abuse reports, and directs suspected misuse of AWS resources to AWS Trust & Safety.
Timeline
May 4, 2026
Amazon issues response and abuse-reporting guidance
Amazon said it provides guidance on exposed credentials, responds quickly to abuse reports, and directs suspected abusive use of AWS resources to AWS Trust & Safety. The statement accompanied public reporting on the phishing abuse of SES.
May 4, 2026
Researchers link SES abuse to exposed AWS IAM credentials
Kaspersky assessed that the phishing activity is likely enabled by exposed AWS IAM access keys found in public assets such as GitHub repositories, .env files, Docker images, backups, and public S3 buckets. The researchers said attackers automate secret discovery, permission validation, and bulk email distribution, allowing malicious emails to pass SPF, DKIM, and DMARC checks because they originate from a trusted service.
May 4, 2026
Kaspersky observes rise in phishing sent through Amazon SES
Kaspersky reported an increase in phishing attacks in its telemetry that abuse Amazon Simple Email Service to send convincing emails that can evade standard security filters and reputation-based blocking. The campaigns included fake DocuSign notifications, AWS-hosted phishing pages, and more advanced business email compromise lures using fabricated threads and invoices.
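As an added illustration (not Kaspersky's, Amazon's, or this page's own code), the following Python walks constructed CloudTrail-style records and flags the chain described in the summary and timeline above: SES API calls from an access key used outside its approved network, a send-quota probe (the "permission validation" step) immediately followed by sending, and send volume crossing a threshold. The allowlist CIDR, the user name, the threshold and the sample records are assumptions; the access key id is the placeholder AWS uses in its own documentation, and the code assumes SES send calls are present in your CloudTrail data.

```python
import ipaddress
from collections import Counter

# Constructed CloudTrail-style records, trimmed to the fields used here; the
# access key id is the placeholder AWS uses in its own documentation.
KEY = "AKIAIOSFODNN7EXAMPLE"

def _ev(t, src, name, ip):
    return {"eventTime": t, "eventSource": src, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": KEY, "userName": "ci-mailer"}}

SAMPLE_EVENTS = [
    _ev("2026-05-04T08:00:01Z", "ses.amazonaws.com", "SendEmail", "10.20.0.5"),
    _ev("2026-05-04T08:02:13Z", "ses.amazonaws.com", "GetSendQuota", "203.0.113.77"),
    _ev("2026-05-04T08:02:14Z", "ses.amazonaws.com", "SendRawEmail", "203.0.113.77"),
    _ev("2026-05-04T08:02:15Z", "ses.amazonaws.com", "SendRawEmail", "203.0.113.77"),
    _ev("2026-05-04T08:05:00Z", "iam.amazonaws.com", "ListUsers", "203.0.113.77"),
]

# Constructed allowlist: the only network the mailer key should ever call SES from.
APPROVED_SOURCE_CIDRS = ["10.20.0.0/16"]
SEND_APIS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail", "SendBulkTemplatedEmail"}
QUOTA_PROBE_APIS = {"GetSendQuota", "GetAccount", "GetAccountSendingEnabled"}

def is_approved_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in APPROVED_SOURCE_CIDRS)

def find_ses_abuse(events, bulk_threshold=2):
    """Return (signal, accessKeyId, sourceIP, eventName) tuples worth alerting on."""
    findings = []
    sends = Counter()   # (key, ip) -> number of send API calls seen so far
    probed = set()      # (key, ip) pairs that checked their send quota
    for e in events:
        if e["eventSource"] != "ses.amazonaws.com":
            continue
        key, ip, name = e["userIdentity"].get("accessKeyId", "?"), e["sourceIPAddress"], e["eventName"]
        if not is_approved_source(ip):
            findings.append(("ses_call_from_unapproved_ip", key, ip, name))
        if name in QUOTA_PROBE_APIS:
            probed.add((key, ip))
        elif name in SEND_APIS:
            if (key, ip) in probed:          # quota check right before sending
                findings.append(("quota_probe_then_send", key, ip, name))
                probed.discard((key, ip))
            sends[(key, ip)] += 1
            if sends[(key, ip)] == bulk_threshold:
                findings.append(("bulk_send_threshold", key, ip, name))
    return findings
```

In production the threshold would be a rate over a time window and the allowlist would come from the IAM policy's IP condition, so the same rule that blocks the call also defines what counts as anomalous.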
Related Stories

Email-borne scams abuse trusted SaaS infrastructure and authentication to bypass defenses
Threat actors are increasingly abusing **trusted SaaS platforms and email authentication** to deliver highly convincing scam lures that evade traditional filtering. Trend Micro reported a targeted spam operation that weaponizes **Atlassian Cloud** features to send messages that pass common checks (e.g., **SPF/DKIM**) because of the strong reputation of SaaS sender domains; the campaign is multilingual and aims to redirect government and corporate recipients to **fraudulent investment** landing pages using **Keitaro TDS**, with attackers creating multiple Atlassian instances for resilience and scale. Separately, Forcepoint X-Labs described phishing emails impersonating the **US Social Security Administration** that deliver a `.cmd` script to weaken Windows defenses (including disabling **SmartScreen**, removing **Mark-of-the-Web**, and using **Alternate Data Streams**) before silently installing **ConnectWise ScreenConnect** as a remote-access backdoor (including a hardcoded callback configuration). Related research highlighted **DKIM replay attacks**, where adversaries forward legitimate, DKIM-signed vendor emails (e.g., PayPal/DocuSign-style invoices and dispute notices) so the unchanged content continues to validate and can pass **DMARC**, increasing inbox placement and user trust for follow-on social engineering.
Today
Phishing Campaigns Exploiting Trusted Brands and Services
Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers. In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. 
Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt. Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection. Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.
1 month ago
Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishing kit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used **compromised AWS credentials** to stand up phishing/spam operations using **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same specific phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.
1 month ago