“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security

ID: bb3ecd94-a334-53d3-acca-4da6dfddf503

STIX ID: report--bb3ecd94-a334-53d3-acca-4da6dfddf503

Feed Name: Securelist by Kaspersky

Threat Score: 70/100

Date Published: 2026-05-04

Date Updated: 2026-06-04

Author: Roman Dedenok

The report describes an increase, observed from January 2026 onward, in phishing and BEC campaigns that abuse Amazon SES. Attackers obtain leaked IAM keys, send authenticated emails that pass SPF/DKIM/DMARC and carry .amazonses.com headers, and lure victims to credential-phishing or fraud pages hosted on amazonaws.com. The campaigns use convincing templates (e.g., fake e-signature notifications and forged invoice threads) designed to bypass email filters and to extract credentials or get fraudulent payments authorized. Recommended mitigations include tightening IAM practices, enabling MFA, rotating keys, applying IP restrictions, and user vigilance.