- Attackers are hijacking exposed AWS credentials to send large-scale phishing emails through Amazon SES.
- Malicious messages bypass SPF, DKIM and DMARC checks and arrive directly in inboxes.
- Researchers warn that the trend is growing, urging stricter IAM and key management practices.
The Amazon Simple Email Service (SES) is being abused to launch a “massive volume” of phishing attacks that easily bypass current defenses and expose victims to risks of credential and identity theft.
Security researchers at Kaspersky sounded the alarm in a new report, noting: “Specifically, we have recently observed an increase in phishing attacks leveraging Amazon SES.”
The attackers start by stealing exposed AWS credentials. Using TruffleHog (or similar utilities), they scan GitHub repositories, .env files, Docker images, backups, and publicly accessible S3 buckets at scale, looking for login credentials for Amazon Web Services.
Passing all the controls
Once found, they analyze the permissions and email distribution capabilities: “After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages,” Kaspersky said.
The messages are carefully crafted and contain custom HTML templates that mimic legitimate services and very realistic login flows. Topics vary, from fake DocuSign documents to business email compromise (BEC) campaigns.
Because Amazon SES is itself a legitimate service, the attackers’ emails pass authentication checks such as SPF, DKIM, and DMARC, and land directly in people’s inboxes. IP blocking doesn’t work either, as it would ban all emails coming from Amazon SES.
“Phishing through Amazon SES is going from isolated incidents to an ongoing trend,” Kaspersky warned. “By weaponizing this service, attackers avoid the effort of creating dubious domains and email infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to send thousands of phishing emails.”
To mitigate risks, Kaspersky recommends users implement the principle of least privilege when configuring IAM access. They also recommend transitioning IAM access keys to roles when configuring AWS and enabling multi-factor authentication.
IP-based access restrictions must be configured, as well as automated key rotation. Finally, users must use the AWS Key Management Service to encrypt data and manage keys from a centralized location.
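As an illustration of the least-privilege and IP-restriction advice above, the following added example (not from Kaspersky's report or from AWS) audits an IAM policy document for statements that allow SES sending too broadly. The function name, the specific checks, and the sample policies with their account ID, domain and CIDR range are assumptions constructed for this example.

```python
import fnmatch

# SES send operations a leaked key can abuse; IAM action names are case-insensitive.
SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail",
                "ses:sendtemplatedemail", "ses:sendbulkemail")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_ses_policy(policy):
    """Return (statement id, finding) pairs for Allow statements that permit
    SES sending. Simplification: NotAction/NotResource are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        sends = any(fnmatch.fnmatchcase(s, a) for a in actions for s in SEND_ACTIONS)
        if stmt.get("Effect") != "Allow" or not sends:
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        # Condition is {operator: {key: value}}; collect keys across all operators.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if any("*" in a for a in actions):
            findings.append((sid, "wildcard action grants more than the send calls needed"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "Resource is * instead of a specific SES identity ARN"))
        if not keys & {"aws:sourceip", "aws:vpcsourceip"}:
            findings.append((sid, "no source IP condition, key works from any network"))
        if "ses:fromaddress" not in keys:
            findings.append((sid, "no ses:FromAddress condition, any sender address allowed"))
    return findings

# Constructed sample policies (account ID, domain and CIDR are placeholders).
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Mail", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Mail", "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "StringEquals": {"ses:FromAddress": "noreply@example.com"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ses_policy(pol) or "no findings")
```

The checker only inspects which condition keys are present, not whether their values are tight enough, so a flagged or clean result still needs a human look at the CIDR and sender address.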