
Amazon Simple Email Service (SES) is a light-weight, cost-effective email service that enables users to send and receive emails from their own domains.
However, phishing attackers have begun leveraging this platform to bypass its authentication protocols and send mass phishing emails. Let's take a closer look at how in this blog.
You might see a link pointing to something like amazonaws.com and assume it’s safe. Click it, and you’re quietly redirected to a phishing site instead. No alarms, no obvious warning signs.
Attackers also use custom HTML templates to make emails look polished and convincing. So instead of a badly formatted scam, you get something that looks like a proper business email.
Because it’s all sent through Amazon’s legitimate infrastructure, the sender’s IP won’t be blocked. If you tried blocking Amazon SES entirely, you’d probably break half your incoming emails.
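Since blocking Amazon SES outright isn't an option, a more practical check is to look at the links inside the message rather than the sender. The script below is an added example, not code from the original post: it pulls every link out of an HTML email body and flags two of the patterns described above, a destination on shared cloud hosting such as amazonaws.com, and anchor text that names one domain while the real link goes somewhere else. The hosting suffix list and the sample email are assumptions constructed for the example.

```python
"""Flag links in an HTML email body that point at shared cloud hosting
(e.g. *.amazonaws.com) or whose visible text names a different domain
than the real destination. Added example; not from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting domains that are legitimate infrastructure but are frequently
# abused as redirectors. Assumption: tune this list for your environment.
HOSTING_SUFFIXES = ("amazonaws.com",)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Hostname of a URL, or of bare text such as 'www.examplebank.com'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname or ""


def _registered_domain(host):
    """Crude 'last two labels' approximation (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_links(html):
    """Return a list of findings; each finding is (href, reason)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host_of(href)
        if any(host == s or host.endswith("." + s) for s in HOSTING_SUFFIXES):
            findings.append((href, "points at shared cloud hosting"))
        # Visible text that looks like a domain/URL but differs from the real target
        if "." in text and " " not in text:
            shown = _registered_domain(_host_of(text))
            actual = _registered_domain(host)
            if shown and shown != actual:
                findings.append((href, f"text shows {shown} but link goes to {actual}"))
    return findings


# Constructed sample body for the example (not a real campaign)
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<a href="https://example-bucket.s3.amazonaws.com/login.html">View invoice</a>
<a href="https://track.example.net/r?id=1">www.examplebank.com</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

Run as-is it reports the first two links and leaves the third alone. A mail gateway would feed it the decoded `text/html` part of each message; the hosting check is deliberately a heuristic, because plenty of legitimate mail also links into amazonaws.com, so treat hits as a reason to scrutinise or quarantine, not to block outright.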
Attackers often get in using leaked AWS IAM access keys. These keys permit the use of services like Amazon SES.
You’ll find them in:
There are automated tools (like TruffleHog) constantly scanning for this stuff. Once a key is found, attackers check what it can do, and if it allows email sending, that’s game over. They can start firing out phishing emails at scale.
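The same scanning that attackers rely on works just as well as a pre-commit check on your own side, so that a key never reaches a repository in the first place. The script below is an added example, not code from the original post or from TruffleHog: it scans a set of files for AWS access key IDs (20 characters beginning with AKIA or ASIA) and for secret keys that appear next to an assignment naming them, and reports each hit with the value masked. The sample files are constructed for the example and use the placeholder credentials from AWS's own documentation, which are not valid keys.

```python
"""Pre-commit style scan for AWS credentials in source and config files.
Added example; not from the original post or from any named tool."""
import re

# Access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) + 16 more.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret keys are 40 base64-like characters. Only flag them when an
# assignment-like context names them, to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_?key\W{0,5}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def mask(value):
    """Show only the first and last four characters of a credential."""
    return value[:4] + "..." + value[-4:]


def scan_text(name, text):
    """Return (file, line number, kind, masked value) for each hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((name, lineno, "access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((name, lineno, "secret_access_key", mask(m.group(1))))
    return findings


def scan_files(files):
    """Scan a mapping of file name -> contents (e.g. the staged files)."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


# Constructed sample files. The key values are the placeholders from the
# AWS documentation, not real credentials.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "settings.py": (
        "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"
        "SES_REGION = 'eu-west-1'\n"
    ),
    "notes.md": "Buckets are named like akiaexample-logs; nothing sensitive here.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for name, lineno, kind, value in hits:
        print(f"{name}:{lineno}: {kind} {value}")
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook, the non-zero exit stops the commit. Reading credentials from the environment, as `settings.py` does here, is what the scanner is steering you towards; and when a key does leak, the fix is to rotate it and to check what the attached IAM policy allowed, including whether it could call SES at all.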
This isn't just another phishing trend. It's a concerning and growing shift in attacker behaviour, one the general public will need to be made more aware of.
Instead of trying to trick spam filters, attackers are working with trusted systems. That makes these emails much harder to detect and much more likely to land in inboxes.
We hope you’ve liked this blog. Stay tuned for more blogs like this. Stay safe!

