244/69 Wednesday, May 6, 2026
Researchers from Kaspersky have reported a significant rise in cyberattack campaigns where threat actors abuse Amazon Web Services Simple Email Service (SES), a legitimate and trusted email delivery platform, to distribute large-scale phishing emails targeting organizations. The primary cause is the exposure of AWS IAM Access Keys through public sources such as GitHub repositories, .env files, and exposed S3 buckets. Attackers use automated tools like TruffleHog to search for leaked credentials and hijack them to send malicious emails. Analysis of email headers clearly shows that these phishing emails are being delivered through legitimate Amazon infrastructure, allowing them to easily bypass standard authentication mechanisms including SPF, DKIM, and DMARC.
The tactics used by cybercriminals are highly sophisticated and primarily focus on Business Email Compromise (BEC). Attackers create convincing phishing emails and fake web pages that imitate trusted services such as DocuSign. Common lures include document-signing notifications, fake insurance summaries, and fraudulent W-9 tax forms, with some invoices demanding payments as high as $199,000 in an attempt to pressure finance departments into transferring funds. In addition, attackers manipulate email conversation history to make the communication appear as part of an ongoing and legitimate business exchange.
This threat presents a major challenge for cybersecurity teams because blocking malicious IP addresses is often ineffective, as doing so could also disrupt legitimate emails sent through Amazon SES. To mitigate the risk, experts recommend that organizations implement least-privilege access policies, enable multi-factor authentication (MFA), rotate access keys regularly, and restrict access by IP address and credential scope. Amazon has also advised customers to follow AWS security best practices strictly and report any suspected abuse of AWS resources directly to the AWS Trust & Safety team.