Amazon SES Exploited in Massive Phishing Campaign; Experts Warn of Credential Theft

Breaking: Amazon Simple Email Service Abused in Large-Scale Phishing Attacks

Hackers are systematically stealing access to legitimate Amazon Web Services (AWS) tools, primarily Amazon Simple Email Service (SES), to launch a massive volume of phishing attacks, cybersecurity experts warn. This campaign has already targeted thousands of recipients globally.

Source: www.techradar.com

Researchers from multiple security firms have observed a surge in abuse of compromised AWS credentials to send fraudulent emails through SES. The scale of the attack is alarming, with some organizations receiving tens of thousands of phishing emails in a single day.

Expert Warning

"This is not a vulnerability in AWS itself, but rather a clever misuse of valid accounts," said Dr. Emily Tran, a senior threat analyst at CyberGuard Labs. "Attackers are obtaining legitimate access keys and session tokens, often through phishing or malware, and then using SES’s high deliverability to bypass traditional spam filters."

Another expert, Mark Rivera of SecureMail Now, noted: "The emails appear to come from trusted sources because they are sent through a trusted infrastructure. Enterprises need to treat every SES account as a potential vector."

Background

Amazon SES is a cloud-based email service designed for sending marketing and transactional emails at scale. Its low cost and high reliability make it an attractive target for cybercriminals. By compromising AWS root accounts or IAM users with SES permissions, attackers gain the ability to send unlimited emails without triggering typical email authentication checks.

The stolen credentials are often sourced from previous data breaches, dark web marketplaces, or through social engineering attacks on AWS users. In some cases, attackers have used automated tools to scan for exposed AWS access keys in public repositories on GitHub.

How the Attack Works

  1. Credential Harvesting: Attackers obtain valid AWS access keys and secret keys through phishing campaigns, credential stuffing, or infostealer malware.
  2. Account Validation: Automated scripts test the stolen credentials against AWS APIs to confirm SES is enabled and not rate-limited.
  3. Phishing Launch: Using the compromised SES identities (verified domains or email addresses), attackers send phishing emails that mimic popular brands, banks, or internal company communications.

What This Means

Businesses relying on Amazon SES must enforce strict identity and access management (IAM) policies. Every developer, admin, and third-party integration with AWS credentials becomes a potential entry point for attackers.

Security leaders recommend enabling Multi-Factor Authentication (MFA) on all AWS accounts and rotating access keys regularly. Additionally, monitoring SES sending patterns and setting up administrative alerts for unusual spikes in email volume can help detect breaches sooner.

For organizations that do not directly use AWS, this campaign still poses a risk: spear-phishing emails sent through legitimate SES accounts often bypass security gateways. Employees should be reminded to scrutinize unexpected links and verify email senders through alternative channels.

Immediate Actions Recommended

  • Audit all AWS IAM users and roles for unused or excessive SES permissions.
  • Enable CloudTrail logging to track SES SendEmail and SendRawEmail API calls.
  • Consider using Amazon SES feedback notifications to identify bounces and complaints that may indicate compromised sending.
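
One way to start the IAM audit in the first item, as an added example that is not from the article or from AWS: it scans an IAM policy document for Allow statements that grant the SES sending actions on any identity or without a Condition. The function names, the "excessive" heuristic and the sample policy are assumptions made for illustration, and each statement is checked in isolation rather than through full IAM policy evaluation.

```python
import fnmatch

SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail")  # the sending calls named above

def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(patterns, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def risky_ses_statements(policy):
    """Return one finding per Allow statement that grants SES sending broadly."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        listed = _as_list(stmt.get("NotAction", stmt.get("Action")))
        inverted = "NotAction" in stmt  # Allow + NotAction grants all actions not listed
        granted = [a for a in SEND_ACTIONS if _matches(listed, a) != inverted]
        if not granted:
            continue
        reasons = []
        if any(r == "*" or r.endswith(":identity/*") for r in _as_list(stmt.get("Resource"))):
            reasons.append("any sending identity")
        if "Condition" not in stmt:
            reasons.append("no Condition")
        if reasons:
            findings.append({"sid": stmt.get("Sid", f"#{index}"),
                             "actions": granted, "reasons": reasons})
    return findings

SAMPLE_POLICY = {  # constructed sample, not taken from any real account
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAdmin", "Effect": "Allow", "Action": "ses:*", "Resource": "*"},
        {"Sid": "Mailer", "Effect": "Allow", "Action": ["ses:SendRawEmail"],
         "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
         "Condition": {"StringEquals": {"ses:FromAddress": "noreply@example.com"}}},
        {"Sid": "AllButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ses:Get*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(*risky_ses_statements(SAMPLE_POLICY), sep="\n")
```

Statements such as the constructed "Mailer" entry, scoped to one verified identity and constrained by a Condition, are not reported.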

As the investigation continues, the AWS Security Team has released guidance on detecting credential abuse. However, the onus remains on customers to protect their credentials.
