Amazon SES Weaponized: How Cybercriminals Exploit Trusted Email Infrastructure

New Phishing Wave Uses Amazon’s Email Service to Bypass Security

A surge in phishing attacks is leveraging Amazon Simple Email Service (SES) to send malicious emails that appear entirely legitimate, security researchers report. These emails pass all standard authentication checks—SPF, DKIM, and DMARC—making them virtually indistinguishable from genuine messages.

Source: securelist.com

"Attackers are not using suspicious domains; they’re hijacking infrastructure that users and email filters have been programmed to trust," said Dr. Elena Vasquez, a cybersecurity analyst at ThreatLab. "Every email sent via Amazon SES, even a phishing one, looks technically perfect."

How the Attack Works

The phishing emails carry the telltale .amazonses.com domain in the Message-ID header. Attackers also use Amazon SES’s custom HTML templates to craft convincing messages—often fake alerts from services like DocuSign.

Links within the email redirect users to malicious sites via legitimate Amazon AWS URLs. Because the sender IP comes from Amazon’s trusted cloud, it never lands on reputation-based blocklists. Blocking all Amazon SES traffic would cause massive false positives for major services.

How Attackers Gain Access

Compromise typically starts with leaked IAM (Identity and Access Management) keys. Developers inadvertently expose these keys in public GitHub repositories, Docker images, configuration files, or even publicly accessible S3 buckets.

"Automated bots using tools like TruffleHog scan for these secrets constantly," explained threat intelligence lead Mark Chen. "Once verified, attackers can send massive volumes of phishing emails before the keys are revoked."

Real-World Examples: Fake DocuSign Alerts

In early 2026, researchers observed a surge in phishing emails mimicking electronic signature platforms. One example showed a fake DocuSign notification with technical headers confirming Amazon SES as the sender.

The email appeared completely legitimate, with correct branding and a familiar layout. Recipients who clicked the link were redirected to a credential harvesting page, not the real DocuSign site.

Background: Amazon SES and the Trust Advantage

Amazon SES is a cloud-based email service designed for high-reliability marketing and transactional messages. It integrates deeply with AWS, giving it a reputation for legitimacy among email providers and security filters.

Because SES emails pass authentication protocols and use trusted IP ranges, they bypass many standard defenses. This makes the platform an attractive vector for attackers who want to avoid detection.

What This Means for Organizations

Organizations must treat all email—even from trusted senders—with suspicion. Standard security tools that rely on sender reputation or authentication alone will fail against these attacks.

"Email security needs to shift to content analysis and user awareness training," said Vasquez. "No technical guardrail can replace a vigilant user who double-checks unexpected requests for credentials."

Companies using Amazon SES should implement strict IAM key rotation, monitor for leaked keys, and consider additional layer-seven security filters that inspect link destinations and email content.
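
An added example (not from the original report or its sources): a minimal content-based triage in Python that treats a DMARC pass and an SES origin as context only, and instead checks whether the brand claimed in the display name or subject matches the From domain and the link destinations. The brand-to-domain map, the `triage` and `in_domains` names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand keyword -> domains that brand really sends from / links to.
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}

# Constructed sample, not a captured message.
SAMPLE = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
    'From: "DocuSign" <notify@mail.example.org>\n'
    "Subject: Please review and sign your document\n"
    "Message-ID: <0100constructed-000000@email.amazonses.com>\n"
    "Content-Type: text/html\n\n"
    '<a href="https://constructed-sample.amazonaws.com/review">Review</a>\n'
)

def in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Score one RFC 5322 message on content, not on sender reputation."""
    msg = message_from_string(raw)
    msg_id_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    display, addr = parseaddr(msg.get("From", ""))
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in claimed), None)
    allowed = BRAND_DOMAINS.get(brand, ())
    result = {
        "via_ses": in_domains(msg_id_host, ("amazonses.com",)),
        "dmarc_pass": "dmarc=pass" in msg.get("Authentication-Results", "").lower(),
        "brand": brand,
        "from_mismatch": bool(brand) and not in_domains(addr.rpartition("@")[2], allowed),
        "off_brand_links": sorted(h for h in hosts if brand and h and not in_domains(h, allowed)),
    }
    # Passing DMARC and an SES origin are context only; the verdict rests on
    # whether the claimed brand matches the real sender and link destinations.
    result["suspicious"] = result["from_mismatch"] or bool(result["off_brand_links"])
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message that arrives through SES but claims no brand is not flagged by this check, which keeps legitimate SES senders out of the alert queue.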

Prevention and Mitigation Steps

  • Audit IAM key exposure: Regularly scan code repositories and public storage for leaked keys.
  • Enable multi-factor authentication for all AWS accounts that have SES access.
  • Use custom DMARC policies to quarantine or reject unauthenticated email, though this does not stop SES-based attacks.
  • Deploy user training focused on verifying unexpected emails, especially those asking for credentials or sensitive data.

For more details on phishing techniques, see our earlier report on credential harvesting trends.
