Kaspersky: Amazon SES Phishing Evades Email Security
Kaspersky researchers identified a surge in phishing campaigns leveraging Amazon Simple Email Service (SES). Attackers abuse the trusted infrastructure by sending emails through verified SES domains, making the messages appear legitimate. The campaigns impersonate brands such as Microsoft 365 and Netflix, and the messages pass SPF, DKIM, and DMARC authentication.
Technical details: The actors first compromise an AWS account or obtain IAM credentials with SES permissions. They then create a dedicated SES "mail from" domain and a verified sender identity. Using SES templating, they fill dynamic placeholders (e.g., recipient email address, unique token) to generate a distinct message per victim. The phishing URLs point to Amazon S3 static sites configured as open redirects, which lead to credential-harvesting pages hosted under *.s3.amazonaws.com. The URLs often contain random sub-paths to evade pattern matching.
The emails bypass standard security filters because they originate from Amazon's high-reputation IP ranges and pass every email-authentication check. DKIM signatures produced with Amazon's own keys further lower the spam score. Moreover, the templating approach produces low-volume, highly targeted campaigns, so heuristic detection based on volume thresholds is ineffective. Kaspersky's telemetry recorded a 27% increase in SES-originated phishing hits in Q1 2024 compared to the previous quarter.
To counter the threat, Kaspersky recommends strict IAM policies, enabling multi-factor authentication (MFA) on all AWS accounts, and restricting SES sending to pre-approved domains only. Custom rules that flag unusual sending patterns, such as a sudden spike in mail from a newly verified SES identity, can help detect abuse. Organizations should also implement DMARC with a p=reject policy and augment gateway filters with sandbox analysis of URLs hosted on AWS S3. Ongoing monitoring via AWS CloudTrail, together with third-party threat-intelligence feeds that incorporate these IOCs, will further harden defenses against SES-based phishing.
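The two indicators described above, a newly verified SES identity that immediately starts sending in volume and message links that resolve to S3-hosted pages, can be checked with a small detection routine. The code below is an added illustration written for this page; it is not Kaspersky's tooling and not an AWS API. The identity-verification records follow the CloudTrail layout for the SES `VerifyDomainIdentity`, `VerifyEmailIdentity` and `CreateEmailIdentity` calls, while the send records are an assumed shape (a `source` address, a timestamp and a `links` list that some upstream step has already extracted from the message body); all sample data is constructed.

```python
"""Flag SES sending activity matching the abuse pattern in the article: a freshly
verified identity that starts sending in volume, and messages whose links point at
S3-hosted pages. Added illustrative code, not Kaspersky's or AWS's. The send-record
shape (source, timestamp, links) is an assumption; sample data is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Matches bucket.s3.amazonaws.com, bucket.s3.us-east-1.amazonaws.com, s3.amazonaws.com
# and s3-website-us-east-1.amazonaws.com; the trailing $ rejects look-alike domains.
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$")

# SES API calls (v1 and v2) that register a new sender identity; logged by CloudTrail.
IDENTITY_EVENTS = {"VerifyDomainIdentity", "VerifyEmailIdentity", "CreateEmailIdentity"}


def parse_ts(ts: str) -> datetime:
    """CloudTrail and SES timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_s3_hosted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return S3_HOST_RE.search(host) is not None


def identity_key(source: str, verified: dict[str, datetime]) -> str:
    """Map a From address to the SES identity that authorised it: the exact address
    if it was verified as an email identity, otherwise its domain."""
    source = source.lower()
    return source if source in verified else source.rsplit("@", 1)[-1]


def verified_identities(cloudtrail_events: list[dict]) -> dict[str, datetime]:
    """Identity -> time it was verified, from CloudTrail management events."""
    verified: dict[str, datetime] = {}
    for ev in cloudtrail_events:
        if ev.get("eventName") not in IDENTITY_EVENTS:
            continue
        p = ev.get("requestParameters", {})
        ident = p.get("domain") or p.get("emailAddress") or p.get("emailIdentity")
        if ident:
            verified[ident.lower()] = parse_ts(ev["eventTime"])
    return verified


def detect(cloudtrail_events, send_events, window_hours=24, max_early_sends=20):
    """Return one finding per identity that trips either indicator."""
    verified = verified_identities(cloudtrail_events)
    by_identity: dict[str, list[dict]] = defaultdict(list)
    for s in send_events:
        by_identity[identity_key(s["source"], verified)].append(s)

    findings = []
    for ident, sends in by_identity.items():
        reasons = []
        verified_at = verified.get(ident)
        if verified_at is not None:
            # Sends that happened within the window after the identity was verified.
            early = [s for s in sends
                     if parse_ts(s["timestamp"]) - verified_at <= timedelta(hours=window_hours)]
            if len(early) > max_early_sends:
                reasons.append(f"{len(early)} sends within {window_hours}h of identity verification")
        s3_linked = [s for s in sends if any(is_s3_hosted(u) for u in s.get("links", []))]
        if s3_linked:
            reasons.append(f"{len(s3_linked)} messages link to S3-hosted pages")
        if reasons:
            findings.append({"identity": ident, "reasons": reasons})
    return findings


# --- Constructed sample data (not real telemetry) ------------------------------------
VERIFY_EVENTS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "VerifyDomainIdentity",
     "requestParameters": {"domain": "example.com"}},
    {"eventTime": "2024-03-10T02:13:00Z", "eventName": "VerifyDomainIdentity",
     "requestParameters": {"domain": "mail-secure-login.example"}},
]

SEND_EVENTS = [
    # Three routine invoices from a long-established identity.
    {"timestamp": f"2024-03-05T10:0{i}:00Z", "source": "billing@example.com",
     "links": [f"https://www.example.com/invoice/{i}"]} for i in range(3)
] + [
    # 25 per-victim messages minutes after verification, each with a random-looking sub-path.
    {"timestamp": f"2024-03-10T03:{i:02d}:00Z", "source": "no-reply@mail-secure-login.example",
     "links": [f"https://login-assets.s3.amazonaws.com/{i:04x}9f2k/index.html"]}
    for i in range(25)
]

if __name__ == "__main__":
    for finding in detect(VERIFY_EVENTS, SEND_EVENTS):
        print(finding["identity"], "->", "; ".join(finding["reasons"]))
```

The window and send-count thresholds are deliberately loose defaults; in practice they should be tuned against the account's own baseline, and the S3 host check is a triage signal to route links to sandbox analysis rather than a verdict on its own, since legitimate mail also links to S3-hosted content.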