HackMyIP
2026-05-04 BleepingComputer

Amazon SES Phishing Surge: Evading Standard Security Filters

Phishing | Cloud Security | Threat Intel

Amazon Simple Email Service (SES), the cloud‑based email sending platform offered by Amazon Web Services, is increasingly being weaponized by threat actors to distribute phishing emails that slip past conventional security controls. According to telemetry gathered by security researchers, the volume of malicious messages relayed through SES rose sharply in recent months, as attackers capitalize on the service’s trusted reputation and the ease with which it can be provisioned using compromised AWS accounts.

The attack chain typically begins with the acquisition of valid AWS credentials or the exploitation of an organization’s IAM misconfiguration, allowing the adversary to create a new SES identity and verify a domain they control. Once the domain is verified, the actor configures a custom MAIL FROM domain and aligns SPF, DKIM, and DMARC records to appear as a legitimate sender. Because SES routes traffic through Amazon’s own IP ranges, many email security gateways treat the messages as whitelisted, effectively bypassing reputation-based filters. The phishing emails often mimic high-profile brands such as Microsoft, Google, and financial institutions, and they embed HTML-based credential harvesters hosted on compromised web servers.

Analysis of recent campaigns reveals that the technique can boost delivery rates by up to 70% compared with conventional phishing infrastructure, according to data from a threat intelligence firm. The service’s support for high-throughput sending (up to 70 emails per second per account) enables attackers to launch large-scale credential harvesting operations with minimal infrastructure investment. Moreover, the use of SES’s dedicated IP pools and the ability to rotate sending addresses further complicate blacklist-based detection.

To counter SES abuse, security teams should enforce strict DMARC policies (p=reject), regularly audit IAM roles for overly permissive actions, and enable AWS Config rules to detect unauthorized SES identities. Deploying advanced email security solutions that analyze message content, link reputation, and behavioral anomalies can also help identify phishing payloads that slip past authentication checks. Finally, monitoring SES sending logs for spikes in volume, unusual recipient lists, or mismatched envelope-from addresses will enable rapid containment of compromised accounts.
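One way to detect the unauthorized SES identities and custom MAIL FROM domains described above, shown as an added example that is not from the original article: it scans CloudTrail management-event records for SES identity changes and flags any domain outside an approved list. The `requestParameters` key names, the allowlist and the sample records are assumptions constructed for illustration.

```python
import json

# SES API calls that create a sending identity or set a custom MAIL FROM domain.
IDENTITY_EVENTS = {
    "CreateEmailIdentity", "VerifyDomainIdentity", "VerifyEmailIdentity",
    "PutEmailIdentityMailFromAttributes", "SetIdentityMailFromDomain",
}
# Assumed requestParameters keys that carry a domain or address (matched case-insensitively).
PARAM_KEYS = {"emailidentity", "domain", "emailaddress", "identity", "mailfromdomain"}

def domain_of(value):
    """Return the lower-cased domain part of a domain name or e-mail address."""
    return value.rsplit("@", 1)[-1].strip().rstrip(".").lower()

def approved(domain, allowlist):
    """True if domain equals an approved domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)

def find_unapproved(records, allowlist):
    """Return one finding per SES identity or MAIL FROM change naming an unapproved domain."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ses.amazonaws.com" or rec.get("eventName") not in IDENTITY_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        domains = sorted({domain_of(v) for k, v in params.items()
                          if k.lower() in PARAM_KEYS and isinstance(v, str)})
        bad = [d for d in domains if not approved(d, allowlist)]
        if bad:
            findings.append({"time": rec.get("eventTime"), "event": rec["eventName"],
                             "actor": (rec.get("userIdentity") or {}).get("arn"),
                             "source_ip": rec.get("sourceIPAddress"), "domains": bad})
    return findings

# Constructed sample records (not real telemetry); account IDs, users and IPs are placeholders.
SAMPLE = json.loads("""[
 {"eventTime":"2026-04-30T09:12:00Z","eventSource":"ses.amazonaws.com","eventName":"CreateEmailIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mailer"},"requestParameters":{"emailIdentity":"mail.example.com"}},
 {"eventTime":"2026-04-30T23:41:10Z","eventSource":"ses.amazonaws.com","eventName":"CreateEmailIdentity","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"emailIdentity":"login-alerts.example.net"}},
 {"eventTime":"2026-04-30T23:43:02Z","eventSource":"ses.amazonaws.com","eventName":"PutEmailIdentityMailFromAttributes","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"emailIdentity":"login-alerts.example.net","mailFromDomain":"bounce.login-alerts.example.net"}},
 {"eventTime":"2026-04-30T23:44:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":null},
 {"eventTime":"2026-05-01T08:00:00Z","eventSource":"ses.amazonaws.com","eventName":"VerifyEmailIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mailer"},"requestParameters":{"emailAddress":"ops@example.com"}}
]""")
ALLOWLIST = {"example.com"}  # assumption: the only domain this organization sends from

if __name__ == "__main__":
    for finding in find_unapproved(SAMPLE, ALLOWLIST):
        print(json.dumps(finding))
```

Each finding carries the acting principal and source IP, which is what a responder needs to decide whether the credentials behind the change should be revoked.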

Source: BleepingComputer
