Phishing campaigns and BEC attacks are increasingly delivered via Amazon SES, a cloud-based email platform that attackers misuse to bypass typical email security. According to Securelist, the technique relies on legitimate infrastructure, with emails passing SPF, DKIM and DMARC checks and often carrying .amazonses[.]com in Message‑ID headers, making them appear perfectly legitimate.
In many cases, attackers gain access to AWS IAM keys exposed in public code or storage, then use them to blast thousands of phishing messages; TruffleHog is among the tools reported for locating leaked credentials. Examples cited include fake notifications from electronic-signature services, where links lead to sign-in forms hosted on amazonaws[.]com and funnel data to the attackers.
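A mail-triage heuristic for the traits described in the two paragraphs above (an amazonses.com Message-ID, passing SPF/DKIM/DMARC, links to amazonaws.com hosts), as an added example that is not from Securelist or the original article. The allowlist `KNOWN_SES_SENDERS`, the reason strings and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains your organisation already expects to relay via SES.
KNOWN_SES_SENDERS = {"vendor.example"}
LINK_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def in_domain(host, domain):
    """Suffix match on a label boundary, so 'notamazonses.com' does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return reasons a message needs manual review; empty list means none."""
    msg = message_from_string(raw)
    mid_host = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2]
    if not in_domain(mid_host, "amazonses.com"):
        return []  # this heuristic only covers mail relayed through SES
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender not in KNOWN_SES_SENDERS:
        reasons.append("ses-relay-unexpected-sender")
        auth = msg.get("Authentication-Results", "").lower()
        if all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
            # Passing checks prove the relay, not that the sender is trustworthy.
            reasons.append("auth-pass-not-a-trust-signal")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for host in LINK_HOST.findall(text):
            if in_domain(host, "amazonaws.com"):
                reasons.append("link-to-amazonaws:" + host.lower())
    return reasons

# Constructed sample message (not taken from the Securelist report).
SAMPLE = """\
From: "E-Sign Service" <notify@esign-notify.example>
To: user@corp.example
Subject: Document awaiting signature
Message-ID: <0100018f-constructed-000000@eu-west-1.amazonses.com>
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Review here: https://example-constructed.s3.amazonaws.com/sign-in.html
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The output is a list of review reasons rather than a verdict, since legitimate senders also use SES and host content on amazonaws.com.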
Amazon SES is also used for sophisticated BEC campaigns, such as an invoice-related thread forged to appear as a genuine exchange between an employee and a vendor, with PDF attachments containing no malicious links. Takeaways emphasise securing AWS credentials, adopting least privilege, MFA, IP restrictions, key rotation and threat awareness to avoid being misled by legitimate-looking messages.

4 May 2026.