Threat actors are increasingly abusing Amazon Simple Email Service (SES) to run large-scale phishing and Business Email Compromise (BEC) campaigns. Using stolen or leaked AWS IAM credentials, they send tens of thousands of fraudulent emails a day that pass the SPF, DKIM and DMARC checks mail filters rely on.
Amazon Simple Email Service (SES) is a cloud-based, high-deliverability email platform tightly integrated within the AWS ecosystem and trusted by enterprises worldwide for legitimate transactional and marketing communications. That trust is exactly what makes it so dangerous in the hands of attackers.
Unlike traditional phishing infrastructure built on suspicious throwaway domains, mail sent through SES from a verified domain identity is DKIM-signed by that domain and passes SPF on Amazon's MAIL FROM domain, so it passes DMARC through DKIM alignment and is nearly indistinguishable from legitimate correspondence to both users and automated filters. The authentication is genuine: it proves the message was sent with that domain's authority, which is exactly the case when the domain's own SES configuration has been hijacked.
Hackers Abuse Amazon SES
Because the sending IP addresses are owned by Amazon, they are rarely flagged by reputation-based blocklists. Blocking them outright would create an enormous volume of false positives for enterprises relying on AWS services daily.
Phishing URLs delivered via SES can be masked with redirect chains, so a target sees a clean amazonaws.com link in their inbox and clicks with full confidence, only to land on a credential-harvesting page.
Amazon SES also enables custom HTML email templates, which attackers exploit to craft near-perfect impersonations of trusted brands such as DocuSign, financial institutions, and internal HR platforms.
The exploitation chain typically begins long before any phishing email is sent. In most incidents, attackers gain unauthorized access to Amazon SES through leaked AWS IAM (Identity and Access Management) access keys.
Developers routinely expose these long-lived credentials in public GitHub repositories, .env files, Docker images, CI/CD pipeline configurations, exposed S3 buckets, and application backups.
To harvest these keys at scale, threat actors have increasingly weaponized TruffleHog, an open-source secret-scanning tool that detects and verifies live credentials across code repositories and cloud assets.
TruffleHog supports over 800 credential detector types and can verify discovered keys in real time; for AWS keys it calls sts:GetCallerIdentity, which confirms whether a stolen key is still active (and returns the account ID and principal ARN) before the attacker uses it.
The Qualys-documented “Crimson Collective” threat group and other adversaries follow a repeatable attack sequence: discover credentials, validate them via native AWS APIs, enumerate permissions, and then launch email abuse at scale.
The TruffleNet campaign, uncovered by Wiz Research in 2025, showcased how attackers built a dedicated infrastructure around TruffleHog to automate the validation of compromised credentials across hundreds of AWS environments simultaneously, then pivoted directly into SES-powered BEC fraud.
In one documented instance, the campaign targeted the oil and gas sector with fake ZoomInfo invoices demanding $50,000 ACH payments routed to typosquatted attacker-controlled domains.
One of the most persistent threat actors in this space is JavaGhost (tracked by Palo Alto Networks Unit 42 as TGR-UNK-0011). This group originally focused on website defacement before pivoting to cloud-based phishing operations between 2022 and 2024.
JavaGhost exploits overly permissive IAM configurations in victim AWS environments, using exposed long-term access keys to gain initial access, generate temporary credentials, and then configure SES email identities with custom DKIM settings to weaponize the victim’s own trusted infrastructure.
Critically, JavaGhost does not pay for any of this infrastructure; it uses the compromised organization’s existing SES setup, pushing all costs and reputational damage onto the victim.
In early 2026, the dominant phishing lure distributed via Amazon SES was fake electronic signature notifications, particularly DocuSign spoofing.
Victims receive a professionally formatted email with legitimate-looking headers that prompts them to click a link and review a pending document. That link redirects to a phishing sign-in form hosted on an amazonaws.com subdomain, a second layer of false legitimacy that defuses user suspicion.
Beyond credential phishing, attackers have escalated to sophisticated BEC campaigns using Amazon SES. In one investigated case, a fraudulent email arrived appearing to contain a multi-message thread between an employee and a vendor discussing an outstanding invoice, said Securelist.
The attacker impersonated the employee, forwarded a fabricated conversation to the finance department, and attached forged payment documents requesting urgent wire transfer of funds. No malicious URLs or QR codes were embedded; the entire attack relied on social engineering and the authority of a seemingly legitimate email thread.
Mitigation
Since these attacks originate from compromised AWS credentials, securing IAM access keys is the highest-priority defensive step.
A May 2025 investigation by Wiz Research found attackers sending over 50,000 phishing emails per day from a single compromised SES environment. SES sandbox status and sending limits are per region, so the attackers requested production access in several regions at once (simultaneous PutAccountDetails calls) and gained a separate quota in each region where the request succeeded. Recommended mitigations include:
- Enforce least-privilege IAM policies, and only grant SES sending permissions to roles that explicitly require them
- Replace long-lived IAM access keys with IAM roles, which are scoped, temporary, and auditable
- Enable MFA for the root user and every privileged IAM user; note that MFA on console sign-in does nothing for a leaked access key unless policies also require aws:MultiFactorAuthPresent for sensitive actions
- Add aws:SourceIp (or aws:SourceVpce for traffic through VPC endpoints) conditions to IAM policies so the credentials only work from known networks
- Automate key rotation and run continuous security audits using AWS IAM Access Analyzer
- Use AWS KMS to manage cryptographic keys and enforce encryption across services centrally
- Monitor CloudTrail logs for anomalous SES API calls, particularly PutAccountDetails requests across multiple regions: that is the production-access request attackers use to escape the per-region sandbox
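The first four mitigations above come down to the shape of the IAM policy attached to whatever sends mail. The following is an added example, not from the article: an overly permissive statement next to a scoped one, and a small linter that flags the differences. The account ID, identity ARN, addresses and CIDR are placeholders; the action and condition key names are real SES and IAM names.

```python
import fnmatch

# Constructed policies for illustration; account ID, identity ARN, addresses and CIDR
# are placeholders, not values from any real environment.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
}

LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        # Only the one verified identity this workload is allowed to send as.
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/app.example.com",
        "Condition": {
            "StringEquals": {"ses:FromAddress": "noreply@app.example.com"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}

SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail",
                "ses:SendBulkTemplatedEmail", "ses:SendBulkEmail"}
# Actions that change who the account can send as, or lift it out of the sandbox.
# A role that only sends mail never needs any of them.
IDENTITY_ACTIONS = {"ses:CreateEmailIdentity", "ses:VerifyDomainIdentity", "ses:VerifyEmailIdentity",
                    "ses:VerifyDomainDkim", "ses:PutEmailIdentityDkimAttributes",
                    "ses:PutEmailIdentityDkimSigningAttributes", "ses:PutAccountDetails"}
NETWORK_KEYS = {"aws:sourceip", "aws:sourcevpce", "aws:sourcevpc"}


def _aslist(v):
    return v if isinstance(v, list) else [v]


def _granted(patterns, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lint_ses_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements that grant SES more broadly than a sender needs."""
    findings = []
    for i, st in enumerate(_aslist(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(f"stmt {i}: uses NotAction; review manually")
            continue
        patterns = _aslist(st.get("Action", []))
        cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        sends = any(_granted(patterns, a) for a in SEND_ACTIONS)
        identity = sorted(a for a in IDENTITY_ACTIONS if _granted(patterns, a))
        if sends and "*" in _aslist(st.get("Resource", [])):
            findings.append(f"stmt {i}: send actions on Resource '*'; scope to the identity ARN")
        if sends and "ses:fromaddress" not in cond_keys:
            findings.append(f"stmt {i}: no ses:FromAddress condition; any verified identity can be used")
        if sends and not cond_keys & NETWORK_KEYS:
            findings.append(f"stmt {i}: no aws:SourceIp/aws:SourceVpce condition; key usable from anywhere")
        if identity:
            findings.append(f"stmt {i}: grants identity/account management ({', '.join(identity)})")
    return findings


if __name__ == "__main__":
    for name, pol in (("overly permissive", OVERLY_PERMISSIVE), ("least privilege", LEAST_PRIVILEGE)):
        print(name, lint_ses_policy(pol) or "clean")
```

Two caveats on the scoped policy: aws:SourceIp only constrains calls that arrive from the public internet (use aws:SourceVpce for calls through a VPC endpoint), and a key stolen from a host inside the allowed range still works, which is why rotating to short-lived role credentials matters more than the IP condition. The linter looks at a single policy document; SCPs, permission boundaries and resource policies still apply on top of it.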
For end users, always verify unexpected document-signing requests via a secondary communication channel. Inspect all hyperlinks before clicking, even when the domain appears to be amazonaws.com.
Robust enterprise email security solutions provide an essential detection layer that can identify anomalous sending patterns and suspicious redirect chains that pass SPF/DKIM checks.
FAQ
Q1: How do attackers bypass email authentication when abusing Amazon SES?
Mail sent through SES from a verified identity is DKIM-signed by that identity's domain and passes SPF and DMARC, so phishing sent through a compromised SES account looks fully authenticated to receiving mail servers. Nothing is being bypassed: the checks pass honestly, because the message really was sent from that domain's own SES configuration.
Q2: What is TruffleHog, and how is it being misused in phishing campaigns?
TruffleHog is a legitimate open-source tool designed to detect leaked credentials; attackers have repurposed it to scan public repositories for live AWS IAM keys, validate them, and use them to launch SES phishing operations.
Q3: What sectors are most targeted by Amazon SES-based BEC fraud?
Financial services, oil and gas, and organizations with high-value accounts payable workflows have been primary targets, with fraudsters using fake invoices to redirect wire transfers to attacker-controlled accounts.
Q4: How can organizations detect Amazon SES abuse from their own AWS accounts?
Monitor AWS CloudTrail for unexpected SES control-plane calls, in particular CreateEmailIdentity and DKIM changes, and PutAccountDetails requests across multiple regions from the same access key; these are key indicators of compromised credentials. Note that the send actions themselves (SendEmail, SendRawEmail) are not recorded as CloudTrail management events, so track sending volume through SES event publishing and the CloudWatch sending metrics.
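The detection described in Q4 and in the mitigation list, as an added example that is not from the article: four rules run over constructed CloudTrail records (the access key IDs, IPs, regions and domain are placeholders). Rule 3 assumes the "temporary credentials" the article says JavaGhost generates from long-term keys are minted with sts:GetFederationToken; the article does not name the API.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed CloudTrail records trimmed to the fields the rules read.
# Access key IDs, IPs, regions and the domain are placeholders.
def _ev(time, source, name, region, key, ip="198.51.100.7", **params):
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}, "requestParameters": params}


STOLEN_KEY = "AKIAEXAMPLE000000001"   # long-term user key, as leaked in a repository
DEPLOY_KEY = "ASIAEXAMPLE000000002"   # temporary key from an assumed role
SAMPLE_EVENTS = [
    _ev("2026-01-12T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", STOLEN_KEY),
    _ev("2026-01-12T09:00:20Z", "sts.amazonaws.com", "GetFederationToken", "us-east-1", STOLEN_KEY),
    _ev("2026-01-12T09:01:00Z", "ses.amazonaws.com", "PutAccountDetails", "us-east-1", STOLEN_KEY),
    _ev("2026-01-12T09:01:05Z", "ses.amazonaws.com", "PutAccountDetails", "eu-west-1", STOLEN_KEY),
    _ev("2026-01-12T09:01:10Z", "ses.amazonaws.com", "PutAccountDetails", "ap-southeast-2", STOLEN_KEY),
    _ev("2026-01-12T09:02:00Z", "ses.amazonaws.com", "CreateEmailIdentity", "us-east-1", STOLEN_KEY,
        emailIdentity="victim-corp.example"),
    # Benign: the deployment pipeline checking its quota in its home region.
    _ev("2026-01-12T10:00:00Z", "ses.amazonaws.com", "GetSendQuota", "us-east-1", DEPLOY_KEY, ip="10.0.4.8"),
]

IDENTITY_CHANGE = {"CreateEmailIdentity", "VerifyDomainIdentity", "VerifyEmailIdentity", "VerifyDomainDkim",
                   "PutEmailIdentityDkimAttributes", "PutEmailIdentityDkimSigningAttributes"}
SES_WRITES = IDENTITY_CHANGE | {"PutAccountDetails", "CreateConfigurationSet", "CreateEmailTemplate"}
WINDOW = timedelta(hours=1)


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_ses_abuse(events, window=WINDOW):
    """Return (rule, accessKeyId, detail) tuples; events are grouped per access key."""
    alerts = []
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_key[e["userIdentity"].get("accessKeyId", "unknown")].append(e)

    for key, evs in by_key.items():
        ses = [e for e in evs if e["eventSource"] == "ses.amazonaws.com"]

        # Rule 1: production-access requests in two or more regions inside the window.
        pad = [e for e in ses if e["eventName"] == "PutAccountDetails"]
        for i, first in enumerate(pad):
            regions = {e["awsRegion"] for e in pad[i:] if _ts(e) - _ts(first) <= window}
            if len(regions) >= 2:
                alerts.append(("multi_region_put_account_details", key, sorted(regions)))
                break

        # Rule 2: a new sending identity or DKIM change; attackers add the victim's
        # domain so their mail is signed and DMARC-aligned.
        for e in ses:
            if e["eventName"] in IDENTITY_CHANGE:
                target = e["requestParameters"].get("emailIdentity", "")
                alerts.append(("ses_identity_change", key, f"{e['eventName']} {target}".strip()))

        # Rule 3: temporary credentials minted straight from a long-term (AKIA) key.
        gft = next((e for e in evs if e["eventName"] == "GetFederationToken"), None)
        if gft and key.startswith("AKIA"):
            alerts.append(("federation_token_from_long_term_key", key, gft["sourceIPAddress"]))

        # Rule 4: the validate-then-abuse sequence: GetCallerIdentity, then SES writes.
        names = [e["eventName"] for e in evs]
        if "GetCallerIdentity" in names:
            after = evs[names.index("GetCallerIdentity") + 1:]
            writes = [e["eventName"] for e in after
                      if e["eventSource"] == "ses.amazonaws.com" and e["eventName"] in SES_WRITES]
            if writes:
                alerts.append(("validate_then_ses_write", key, writes))
    return alerts


if __name__ == "__main__":
    for rule, key, detail in detect_ses_abuse(SAMPLE_EVENTS):
        print(rule, key, detail)
```

Grouping by access key rather than by principal is deliberate: a leaked key is usually one of several on the same IAM user, and the new source IP plus a GetCallerIdentity that the legitimate workload never issues are what separate the attacker's key from the developer's. Run the rules over an organization trail so the multi-region rule sees every region at once.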
Site: thecybrdef.com