Phishing Campaigns Leverage Amazon SES and Leaked AWS Keys to Evade Email Defenses
What Happened — Researchers at Kaspersky observed a sharp increase in phishing attacks that use Amazon Simple Email Service (SES) to send malicious messages. The attackers obtain exposed AWS IAM access keys from public repositories and use them to send authenticated, high‑fidelity phishing emails that bypass SPF/DKIM/DMARC checks.
Why It Matters for TPRM —
- Legitimate cloud‑email services can be weaponized, rendering reputation‑based blocks ineffective.
- Compromised third‑party email infrastructure can be used to launch BEC and credential‑harvesting campaigns against your organization’s partners and employees.
- Exposure of AWS credentials in supply‑chain assets (GitHub, Docker images, S3 buckets) highlights a systemic risk in vendor credential management.
Who Is Affected — SaaS providers, financial services, professional services, and any organization that relies on AWS‑hosted email or integrates with third‑party email senders.
Recommended Actions —
- Enforce least‑privilege IAM policies for all AWS keys and rotate them regularly.
- Enable MFA on all IAM users and service accounts.
- Apply IP‑allowlist restrictions on SES sending permissions.
- Deploy email security solutions that inspect content and URLs, not just sender reputation.
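The least-privilege and IP-allowlist recommendations above can be checked mechanically against the IAM policy JSON attached to a sending key. The following is an added example, not code from the researchers or from AWS; the function names, the sample policies, the account ID, the domain and the CIDR range are constructed for illustration.

```python
import fnmatch
# SES actions that let a key holder send mail.
SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail")

def _as_list(value):
    """IAM accepts either one item or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants_send(stmt):
    """True if an Action pattern (wildcards included) covers an SES send action."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase(s.lower(), p) for p in patterns for s in SEND_ACTIONS)

def _has_source_ip_allowlist(stmt):
    """True if an IpAddress condition restricts aws:SourceIp (simplified check)."""
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() == "ipaddress" and any(k.lower() == "aws:sourceip" for k in keys):
            return True
    return False

def audit_ses_policy(policy):
    """Return findings for Allow statements that permit SES sending too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _grants_send(stmt):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if not _has_source_ip_allowlist(stmt):
            findings.append(f"{sid}: SES send allowed from any IP (no aws:SourceIp allowlist)")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: SES send allowed for every identity (Resource is *)")
        if any("*" in a for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: wildcard Action, not least privilege")
    return findings

# Constructed sample policies; account ID, domain and CIDR are placeholders.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Mailer", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Mailer", "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ses_policy(pol) or "no findings")
```

This is a static check of a single policy document; it does not evaluate Deny statements, permission boundaries or organization-level controls.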
Technical Notes — Attack vector: exposed AWS IAM access keys, discovered by scanning with automated tools (e.g., TruffleHog). The abuse relies on Amazon SES’s built‑in email authentication (SPF, DKIM, DMARC) to make phishing emails appear legitimate. No new CVE is involved; the issue is credential exposure and misuse of a trusted service. Source: BleepingComputer