- Attackers hijack exposed AWS credentials to send large volumes of phishing emails via Amazon SES
- Malicious messages bypass SPF, DKIM and DMARC checks and land directly in inboxes
- Researchers warn that the trend is growing and call for stricter IAM practices and key management
Amazon Simple Email Service (SES) is being abused to launch a “massive volume” of phishing attacks that easily bypass current defenses and expose victims to credential and identity theft risks.
Security researchers at Kaspersky sounded the alarm in a new report, which noted, “In particular, we have recently observed an increase in phishing attacks that exploit Amazon SES.”
The attackers start by stealing exposed AWS credentials. Using TruffleHog (or similar utilities), they scan GitHub repositories, .env files, Docker images, backups, and publicly available S3 buckets at scale, looking for Amazon Web Services login credentials.
Pass all checks
Once found, they analyze permissions and email distribution capabilities: “After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive amount of phishing messages,” Kaspersky said.
The messages are carefully crafted and include custom HTML templates that mimic legitimate services and highly realistic login flows. The themes vary, from fake DocuSign documents to Business Email Compromise (BEC) campaigns.
Because Amazon SES is itself a legitimate service, the attackers’ emails clear authentication checks such as SPF, DKIM and DMARC, landing the malicious messages directly in people’s inboxes. Blocking by IP doesn’t work either, as it would ban all emails coming from Amazon SES.
“Phishing via Amazon SES is changing from isolated incidents to a stable trend,” Kaspersky warned. “By weaponizing this service, attackers avoid the hassle of building questionable domains and mail infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to blast out thousands of phishing emails.”
To mitigate the risks, Kaspersky recommends users implement the principle of least privilege when configuring IAM access. They also recommend switching from IAM keys to roles when configuring AWS and enabling multi-factor authentication.
IP-based access restrictions should be configured, as well as automatic key rotation. Finally, users must use the AWS Key Management Service to encrypt data and manage keys from a central location.
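The least-privilege and IP-restriction advice above can be checked mechanically. The following is an added example, not code from Kaspersky or the article: a Python audit of IAM policy documents that flags Allow statements granting SES send actions with wildcards or without an `aws:SourceIp` condition. Both policies, the account ID, the domain and the CIDR range are constructed placeholders, and only statements using `Action` (not `NotAction`) are inspected.

```python
import fnmatch

# Constructed sample policies; account ID, domain and CIDR are placeholders.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

# SES v1 send actions; a stolen key that holds any of them can send mail.
SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail",
                "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail")

def as_list(value):
    """IAM lets Action, Resource and Statement be a single value or a list."""
    return value if isinstance(value, list) else [value]

def grants_send(stmt):
    """True if the statement's Action patterns match any SES send action."""
    patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(a.lower(), p)
               for a in SEND_ACTIONS for p in patterns)

def has_source_ip(stmt):
    """True if an IpAddress condition pins the statement to aws:SourceIp."""
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() == "ipaddress" and any(
                k.lower() == "aws:sourceip" for k in keys):
            return True
    return False

def audit(policy):
    """Return (statement index, finding) pairs for Allow statements on SES send."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not grants_send(stmt):
            continue
        if any("*" in a for a in as_list(stmt.get("Action", []))):
            findings.append((i, "wildcard-action"))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((i, "wildcard-resource"))
        if not has_source_ip(stmt):
            findings.append((i, "no-source-ip-condition"))
    return findings

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(policy))
```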



