https://securelist.com/amazon-ses-phishing-and-bec-attacks/119623

Security researchers have uncovered a new phishing campaign exploiting Amazon Simple Email Service (SES), Amazon’s legitimate cloud-based email platform, to send malicious emails that bypass traditional security filters. By leveraging Amazon’s trusted infrastructure, threat actors are able to send phishing messages that appear to originate from a reputable and well-established source, making it significantly harder for both automated email security tools and end users to identify and flag the communications as malicious. The abuse of trusted cloud services for phishing purposes represents a growing and increasingly effective tactic among cybercriminals seeking to evade detection.

The campaign takes advantage of the inherent trust that email security systems place in major cloud providers like Amazon, whose IP addresses and domains are typically allowlisted or given favourable treatment by spam filters and secure email gateways. By routing phishing emails through Amazon SES, attackers effectively inherit the platform’s strong sender reputation, allowing their malicious messages to land in victims’ inboxes rather than being quarantined or blocked. This technique highlights a broader trend of threat actors weaponising legitimate cloud services — including those from Microsoft, Google, and now Amazon — as a means of adding credibility to their attacks and circumventing perimeter defences.

Organisations need to move beyond reputation-based email filtering and adopt behaviour-driven, content-aware detection that can identify phishing regardless of the legitimacy of the sending infrastructure. Defenders should still publish and enforce SPF, DKIM and DMARC for their own domains, with one caveat: these protocols authenticate the sending domain, not the sender's intent. A message sent through SES from a verified identity, or from a lookalike domain the attacker registered and verified themselves, passes SPF and DKIM cleanly, so authentication has to be paired with checks on whether the visible From: domain aligns with the domain that actually signed the message and on whether that domain imitates a protected brand. Employees should also receive up-to-date security awareness training on recognising phishing attempts that appear to come from trusted sources. Amazon has been notified of the abuse and is expected to take measures to detect and prevent misuse of the SES platform for malicious purposes.
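The following is an added example of the content-aware check described above; it is not code from the Securelist article or from Amazon. It parses inbound messages, records whether they were relayed through SES (assumed here to show up as an amazonses.com Return-Path or DKIM signer, the platform's defaults when a tenant has not configured its own), tests DMARC-style relaxed alignment between the From: domain and the DKIM signer, and flags From: domains that imitate a protected brand domain (example-bank.com is an assumed placeholder). The three sample messages are constructed for the example.

```python
"""Triage of inbound mail relayed through Amazon SES (added example, not from the article)."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions, not facts from the article: amazonses.com is the default bounce
# (Return-Path) and DKIM domain for SES tenants that have not configured their own,
# and example-bank.com is the brand domain we want to shield from lookalikes.
SES_DOMAIN = "amazonses.com"
PROTECTED_DOMAINS = {"example-bank.com"}


def domain_of(header_value):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Crude organisational domain: the last two labels (adequate for .com/.net)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            found.append(m.group(1).lower())
    return found


def is_lookalike(domain, protected):
    """True when domain imitates protected (shared label or high similarity) but is not it."""
    if org_domain(domain) == protected:
        return False
    label, base = org_domain(domain).split(".")[0], protected.split(".")[0]
    ratio = difflib.SequenceMatcher(None, label, base).ratio()
    return base in label or ratio >= 0.8


def triage(raw):
    """Classify one RFC 5322 message supplied as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    signers = dkim_domains(msg)

    via_ses = return_path_dom.endswith(SES_DOMAIN) or any(d.endswith(SES_DOMAIN) for d in signers)
    # Relaxed DMARC alignment: some DKIM signer must share the From: org domain.
    # A signature by amazonses.com vouches for the relay, not for the sender.
    aligned = any(org_domain(d) == org_domain(from_dom)
                  for d in signers if not d.endswith(SES_DOMAIN))
    lookalike = any(is_lookalike(from_dom, p) for p in PROTECTED_DOMAINS)

    verdict = "phish-suspect" if (lookalike or not aligned) else "ok"
    return {"from": from_dom, "via_ses": via_ses, "aligned": aligned,
            "lookalike": lookalike, "verdict": verdict}


# Constructed samples. LEGIT: a tenant with its own DKIM key and custom MAIL FROM.
LEGIT = b"""Return-Path: <bounce@mail.example-bank.com>
From: Example Bank <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement
DKIM-Signature: v=1; a=rsa-sha256; d=example-bank.com; s=sel1; h=from:to:subject; bh=x; b=y

Statement attached.
"""

# PHISH: lookalike domain sent from a bare SES identity, so only amazonses.com signs.
PHISH = b"""Return-Path: <bounces@amazonses.com>
From: Example Bank Security <security@example-bank-secure.net>
To: customer@example.org
Subject: Action required: verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel1; h=from:to:subject; bh=x; b=y

Please log in at the link below.
"""

# TYPOSQUAT: attacker verified a typo domain in SES, so DKIM aligns; only the
# lookalike check catches it.
TYPOSQUAT = b"""Return-Path: <bounces@amazonses.com>
From: Example Bank <notice@examp1e-bank.com>
To: customer@example.org
Subject: Unusual sign-in
DKIM-Signature: v=1; a=rsa-sha256; d=examp1e-bank.com; s=sel1; h=from:to:subject; bh=x; b=y

We noticed a new sign-in.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH), ("TYPOSQUAT", TYPOSQUAT)):
        print(name, triage(raw))
```

The point of the three samples is that reputation and authentication tell you nothing useful here: all three would arrive from Amazon infrastructure, and the TYPOSQUAT message even passes alignment, so the only signal left is the relationship between the From: domain and the domains you actually care about. In production the alignment step should be taken from the gateway's Authentication-Results header (which reflects verified signatures) rather than from the raw DKIM-Signature headers, and the lookalike list should cover every domain an attacker could plausibly imitate, not just your own.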