Amazon SES Phishing: How Attackers Exploit Trusted Email Infrastructure
<p>Phishing attacks are evolving, and cybercriminals have found a clever way to use Amazon's trusted email service to bypass security filters. Below, we answer the most pressing questions about this threat, from how attackers gain access to how you can spot the signs of a fraudulent email.</p>
<h2 id="q1">What is Amazon SES and why do attackers use it for phishing?</h2>
<p>Amazon Simple Email Service (Amazon SES) is a cloud-based platform designed for sending transactional and marketing emails with high reliability. It integrates seamlessly with AWS and is trusted by countless organizations. Attackers exploit this trust because emails sent via Amazon SES appear completely legitimate to security systems. They pass SPF, DKIM, and DMARC checks, come from IP addresses not on blocklists, and include <em>.amazonses.com</em> in message headers. This makes each email look authentic, even when it contains phishing links. By leveraging a trusted infrastructure, attackers significantly increase the chance that their malicious messages will land in inboxes and be clicked by unsuspecting recipients.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/05/04081024/amazon-ses-phishing-featured-image-scaled.jpg" alt="Amazon SES Phishing: How Attackers Exploit Trusted Email Infrastructure" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h2 id="q2">How do attackers gain access to Amazon SES?</h2>
<p>The most common method is through leaked AWS Identity and Access Management (IAM) access keys. Developers often accidentally expose these keys in public GitHub repositories, environment files, Docker images, configuration backups, or even in publicly accessible S3 buckets. Attackers use automated tools like TruffleHog to scan for these secrets. Once they find valid keys, they verify permissions and email sending limits, then use Amazon SES to send massive volumes of phishing emails. This approach allows them to operate under the radar, as the emails originate from a legitimate, trusted source.</p>
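The exposure path described above (keys left in <code>.env</code> files, compose files, backups) is what secret scanners such as TruffleHog look for. The following Python script is an added example, not code from Securelist or from any scanning tool: it implements the same check as a pre-commit or CI gate, walking a checkout and reporting anything shaped like an AWS access key ID or secret access key. The sample repository it builds is constructed and uses the placeholder credentials from AWS's own documentation, which are not working keys.

```python
import re
import tempfile
from pathlib import Path

# AWS access key IDs have a fixed shape: a four-letter prefix (AKIA for
# long-term IAM user keys, ASIA for temporary STS keys) plus 16 upper-case
# alphanumerics. That shape is specific enough to match with few false positives.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of base64-like text, which on its own
# matches far too much. Only report one when it is assigned to a variable that
# names it (AWS_SECRET_ACCESS_KEY, aws-secret-access-key, ...).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)

# Binary artefacts are skipped; extend this for your own repository.
SKIP_SUFFIXES = {".png", ".jpg", ".gz", ".zip", ".so"}


def scan_text(text, source="<text>"):
    """Return (source, line_no, kind, value) for every credential-shaped hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, line_no, "secret_access_key", m.group(1)))
    return findings


def scan_tree(root):
    """Walk a directory (a repository checkout, for instance) and scan each file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


def build_sample_repo():
    """Constructed sample checkout: one leaked .env next to harmless files.
    The credentials are AWS's documented example values, not real keys."""
    root = Path(tempfile.mkdtemp())
    (root / ".env").write_text(
        "DB_HOST=localhost\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    )
    (root / "docker-compose.yml").write_text(
        "services:\n  app:\n    environment:\n      - SES_REGION=us-east-1\n"
    )
    (root / "README.md").write_text("Nothing secret here.\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_repo()):
        print(finding)
```

Running it prints two findings, both in <code>.env</code>. A hit from a gate like this should block the commit; a key that has already reached a public repository should be treated as compromised and rotated, since scanning cannot undo the exposure.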
<h2 id="q3">What makes these phishing emails appear legitimate?</h2>
<p>Several technical factors combine to make Amazon SES phishing emails pass every standard check. First, the emails carry valid SPF, DKIM, and DMARC authentication, so they clear all standard email security checks. Second, the sender's IP addresses are not on any reputation-based blocklists because they belong to AWS; blocking them would disrupt legitimate mail delivery for many organizations. Third, Amazon SES allows custom HTML templates, which attackers use to craft convincing messages that mimic trusted brands such as Docusign or other electronic signature services. Even the Message-ID headers contain <em>.amazonses.com</em>, reinforcing the appearance of legitimacy. As a result, both users and automated security systems are easily fooled.</p>
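The practical consequence of the two sections above is that SPF, DKIM and DMARC results cannot be the deciding signal; they have to be combined with what the message claims to be. The Python below is an added example (not code from Securelist or from AWS) that parses a constructed message in exactly the shape described: all three checks pass, Message-ID and Return-Path carry the <em>.amazonses.com</em> marker, and the display name says "Docusign" while the From address belongs to another domain. The brand-to-domain allowlist is an assumption for the example; an organisation would maintain its own list of verified vendor sending domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Domains under .example are fictional; the
# Authentication-Results line reflects the case the article describes, where
# every check passes because the mail really was relayed by Amazon SES.
SAMPLE_RAW = """\
Return-Path: <0102019abc4def-bounce@amazonses.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=notify-mail.example;
 dmarc=pass header.from=notify-mail.example
From: "Docusign" <docs@notify-mail.example>
To: victim@example.net
Subject: Action required: sign your document today
Message-ID: <0102019abc4def-00000000-1111-2222-3333-444444444444-000000@email.amazonses.com>
Content-Type: text/plain; charset=utf-8

Please review and sign within 24 hours.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Illustrative allowlist (assumption for this example): which domains a brand
# legitimately sends from. Replace with your organisation's verified list.
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
}


def auth_results(msg):
    """Collapse every Authentication-Results header into {method: result}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            results[method.lower()] = result.lower()
    return results


def sent_via_ses(msg):
    """True when Message-ID or Return-Path carries the amazonses.com marker."""
    markers = (msg.get("Message-ID", ""), msg.get("Return-Path", ""))
    return any("amazonses.com" in value.lower() for value in markers)


def brand_impersonation(msg):
    """Return the brand named in the From display name when the actual From
    domain is not one of that brand's known sending domains, else None."""
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            return brand
    return None


def assess(raw):
    """Combine the checks: passing authentication is necessary, not sufficient."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    fully_authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    brand = brand_impersonation(msg)
    return {
        "auth": auth,
        "fully_authenticated": fully_authenticated,
        "via_ses": sent_via_ses(msg),
        "brand_impersonation": brand,
        # Authenticated, SES-relayed mail that impersonates a vendor is exactly
        # the case a purely authentication-based filter lets through.
        "verdict": "suspicious" if brand else "no_brand_mismatch",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The output shows <code>fully_authenticated: True</code> and <code>via_ses: True</code> alongside <code>brand_impersonation: docusign</code>; the first two are true of legitimate SES mail as well, which is why only the third one is actionable.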
<h2 id="q4">What are some examples of phishing emails sent via Amazon SES?</h2>
<p>In early 2026, a common theme was fake notifications from electronic signature services like Docusign. These emails would appear to require the recipient to sign a document urgently. The email headers confirm they were sent via Amazon SES, making the phishing attempt look completely real. Attackers use redirect links that appear to point to <em>amazonaws.com</em> but actually lead to phishing sites. Because the email passes all security checks and comes from a trusted domain, recipients often click without suspicion. Other examples include fake account alerts, payment confirmations, or security warnings from well-known services, all leveraging Amazon SES to bypass filters.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/05/04081024/amazon-ses-phishing-featured-image-800x450.jpg" alt="Amazon SES Phishing: How Attackers Exploit Trusted Email Infrastructure" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h2 id="q5">Can organizations block Amazon SES to prevent these attacks?</h2>
<p>Blocking Amazon SES entirely is not a practical solution. Because many legitimate organizations rely on it for their email communications, blocking it would cause massive false positives and disrupt essential workflows. Instead, organizations must adopt more sophisticated defenses. These include employee training to spot suspicious email elements, such as unexpected requests for login credentials or unusual URLs even within trusted domains. Additionally, security teams can use behavior-based analytics and anomaly detection to identify patterns of phishing activity that may originate from Amazon SES. Implementing advanced email security solutions that go beyond basic authentication checks is also crucial.</p>
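One concrete form of the behaviour-based detection recommended above is volume analysis: legitimate SES senders an organisation deals with are few and predictable, whereas a hijacked account produces a burst of near-identical messages from a domain never seen before. The Python below is an added example (not code from Securelist or from any mail gateway product) that runs such a check over constructed gateway log lines; the log format, the field names and the allowlist of known SES-using vendors are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log, one line per delivered message (format assumed for
# this example). Six messages from a never-before-seen domain arrive within
# four minutes sharing one subject template; five come from a vendor known to
# use SES; one is not relayed through SES at all.
SAMPLE_LOG = [
    '2026-03-02T09:00:01 from=docs@notify-mail.example rp=0101a@amazonses.com subj="Docusign: document 1041 awaits your signature" rcpt=a@example.net',
    '2026-03-02T09:00:40 from=docs@notify-mail.example rp=0101b@amazonses.com subj="Docusign: document 1042 awaits your signature" rcpt=b@example.net',
    '2026-03-02T09:01:15 from=docs@notify-mail.example rp=0101c@amazonses.com subj="Docusign: document 1043 awaits your signature" rcpt=c@example.net',
    '2026-03-02T09:02:02 from=docs@notify-mail.example rp=0101d@amazonses.com subj="Docusign: document 1044 awaits your signature" rcpt=d@example.net',
    '2026-03-02T09:03:10 from=docs@notify-mail.example rp=0101e@amazonses.com subj="Docusign: document 1045 awaits your signature" rcpt=e@example.net',
    '2026-03-02T09:03:58 from=docs@notify-mail.example rp=0101f@amazonses.com subj="Docusign: document 1046 awaits your signature" rcpt=f@example.net',
    '2026-03-02T09:00:30 from=noreply@billing-vendor.example rp=0102a@amazonses.com subj="Invoice 7001 is ready" rcpt=a@example.net',
    '2026-03-02T09:01:00 from=noreply@billing-vendor.example rp=0102b@amazonses.com subj="Invoice 7002 is ready" rcpt=b@example.net',
    '2026-03-02T09:01:30 from=noreply@billing-vendor.example rp=0102c@amazonses.com subj="Invoice 7003 is ready" rcpt=c@example.net',
    '2026-03-02T09:02:00 from=noreply@billing-vendor.example rp=0102d@amazonses.com subj="Invoice 7004 is ready" rcpt=d@example.net',
    '2026-03-02T09:02:45 from=noreply@billing-vendor.example rp=0102e@amazonses.com subj="Invoice 7005 is ready" rcpt=e@example.net',
    '2026-03-02T09:02:30 from=team@partner.example rp=bounce@partner.example subj="Lunch on Friday?" rcpt=g@example.net',
]

# Vendors the organisation already knows send through SES (assumed allowlist).
KNOWN_SES_SENDERS = {"billing-vendor.example"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) rp=(?P<rp>\S+) subj="(?P<subj>[^"]*)" rcpt=(?P<rcpt>\S+)$'
)


def parse_log(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["from_domain"] = e["from"].rpartition("@")[2].lower()
        # The envelope sender (Return-Path) is what identifies SES relaying.
        e["via_ses"] = e["rp"].lower().endswith("amazonses.com")
        events.append(e)
    return events


def normalise_subject(subject):
    """Replace digits so per-recipient document numbers collapse into one template."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def detect_bursts(events, known_senders, window=timedelta(minutes=10), threshold=5):
    """Alert on (from domain, subject template) pairs that push at least
    `threshold` SES-relayed messages through `window`, for domains outside
    the known-sender allowlist."""
    groups = defaultdict(list)
    for e in events:
        if e["via_ses"] and e["from_domain"] not in known_senders:
            groups[(e["from_domain"], normalise_subject(e["subj"]))].append(e["ts"])
    alerts = []
    for (domain, subject), times in groups.items():
        times.sort()
        best, left = (0, 0, 0), 0      # (count, left index, right index)
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            if right - left + 1 > best[0]:
                best = (right - left + 1, left, right)
        if best[0] >= threshold:
            alerts.append({"from_domain": domain, "subject": subject, "count": best[0],
                           "start": times[best[1]], "end": times[best[2]]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_log(SAMPLE_LOG), KNOWN_SES_SENDERS):
        print(alert)
```

The billing vendor sends just as many messages in the same window but is on the allowlist, so only the unknown domain is flagged. That is the point of the approach: the rule keys on behaviour relative to a baseline rather than on the SES infrastructure itself, which is shared with legitimate senders.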
<h2 id="q6">How can users identify phishing emails even if they pass security checks?</h2>
<p>Users should be trained to look for subtle clues that a legitimate-looking email might be phishing. For example, check the actual URL in the email by hovering over links: even if the visible text says <em>amazonaws.com</em>, the underlying link might lead to a different domain. Be cautious of emails that create a sense of urgency, such as “Sign immediately or your account will be closed.” Also, scrutinize the sender’s display name and email address for any inconsistencies. If an email appears to come from a trusted service like Docusign but the message contains generic greetings or minor grammatical errors, it could be a phishing attempt. Always access such services directly via their official websites rather than clicking links in emails.</p>
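The "hover over the link" advice above, together with the redirect-link pattern described under the examples section, can be automated on the HTML body before a message reaches the inbox. The Python below is an added example (not code from Securelist or from any mail security product): it extracts every anchor, compares the domain a link displays with the domain it actually points to, looks for a second absolute URL hidden in the query string (the redirector pattern), and lists urgency phrases in the visible text. The HTML body is constructed and all domains in it are fictional; the urgency phrase list is an assumption for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed HTML body in the style described above; every domain is fictional.
SAMPLE_HTML = """
<p>Docusign: a document requires your signature. Please sign immediately,
otherwise your account will be closed.</p>
<p><a href="https://track.redirector-example.net/r?u=https://docs-login-example.net/sign">https://docs.amazonaws.com/review/88213</a></p>
<p><a href="https://help.vendor-example.com/faq">help.vendor-example.com</a></p>
<p><a href="https://unsubscribe.vendor-example.com/x">Unsubscribe</a></p>
"""

# Phrases typical of pressure tactics (assumed list; tune to your own corpus).
URGENCY_RE = re.compile(
    r"\b(immediately|urgent(?:ly)?|within \d+ hours?|will be (?:closed|suspended|locked))\b", re.I)
# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


class BodyParser(HTMLParser):
    """Collect (href, visible text) for every anchor plus the body's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable(host):
    """Last two labels as a stand-in for the registrable domain (assumption:
    no public-suffix list, so suffixes such as co.uk are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def redirect_target(url):
    """Return an absolute URL carried in the query string, if any."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def analyse(html):
    """Report links whose shown and real domains differ, links that redirect
    elsewhere, and urgency phrases found in the visible text."""
    parser = BodyParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(actual):
            findings.append({"kind": "text_href_mismatch",
                             "shown": shown.group(1), "actual": actual})
        target = redirect_target(href)
        if target and registrable(host_of(target)) != registrable(actual):
            findings.append({"kind": "redirect", "actual": actual,
                             "redirects_to": host_of(target)})
    urgency = sorted({m.group(0).lower() for m in URGENCY_RE.finditer(" ".join(parser.text))})
    return {"link_findings": findings, "urgency_phrases": urgency}


if __name__ == "__main__":
    result = analyse(SAMPLE_HTML)
    for finding in result["link_findings"]:
        print(finding)
    print("urgency:", result["urgency_phrases"])
```

For the sample body the first link produces two findings (the text shows <em>amazonaws.com</em> while the href goes to a redirector, and that redirector forwards to yet another domain), the second link is clean because text and href agree, and the "Unsubscribe" link is skipped because its text names no domain. Any one of these findings is a reason to open the service from its official site instead of the email.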