Amazon SES Phishing: How Attackers Exploit Trusted Infrastructure to Bypass Email Defenses


In the world of cybercrime, the best attack is the one that goes unnoticed. Attackers are increasingly turning to legitimate cloud services like Amazon Simple Email Service (SES) to launch phishing campaigns that slip past traditional email security. By abusing trusted infrastructure, they make malicious emails look perfectly authentic, often causing recipients to click dangerous links without a second thought. Below, we explore how these attacks work, why they are so effective, and what you can do to stay protected.

What is Amazon SES and why do attackers use it?

Amazon Simple Email Service (SES) is a cloud-based email platform provided by AWS, designed to send high-volume transactional and marketing emails reliably. It supports all major email authentication protocols—SPF, DKIM, and DMARC—so messages sent through SES always pass standard security checks. Attackers exploit this because every email from SES, even a phishing one, looks technically legitimate. The sender IP addresses are not on reputation blocklists, and the Message-ID headers contain the trusted .amazonses.com domain. This means that traditional email filters often fail to flag the malicious messages, giving them a free pass to the inbox.

Source: securelist.com

How do attackers gain access to Amazon SES?

The most common method is by obtaining leaked AWS IAM (Identity and Access Management) access keys. Developers often inadvertently expose these keys in public repositories on GitHub, inside environment files, in Docker images, or even in publicly accessible S3 buckets. Attackers use automated tools like TruffleHog—an open-source utility designed to detect secrets in code—to scan for these exposed keys. Once they find a valid key, they check its permissions and email sending limits. If allowed, they can start sending massive volumes of phishing emails through the victim's legitimate SES account, making the messages nearly impossible to trace back to the attacker.

Why do legitimate IP addresses make these attacks so dangerous?

In a typical phishing attack, the sender’s IP address is often flagged by reputation-based blocklists. But with Amazon SES, the IP addresses belong to AWS, a cloud provider trusted by almost every email security system. Because these IPs are clean, the phishing emails never hit spam folders. Even if security teams notice the malicious activity, they cannot simply block all Amazon SES traffic without breaking critical communications—many organizations rely on SES for legitimate business emails. Blocking SES would cause massive false positives and disrupt workflows. Attackers exploit this dilemma, knowing that their emails will be delivered and difficult to block globally.

Attackers often use redirects to hide malicious URLs. For example, an email may contain a link pointing to a legitimate-looking amazonaws.com URL. When the user clicks, the link actually redirects to a phishing site designed to steal credentials. Because the initial domain is a real AWS domain, users feel safe clicking it. Additionally, Amazon SES allows custom HTML templates, which attackers use to craft highly convincing emails that mimic services like DocuSign, Dropbox, or even internal corporate notifications. These templates make the phishing message look exactly like a real notification, further tricking the recipient.

Can you give a real example of a phishing campaign using Amazon SES?

In early 2026, security researchers observed a surge in phishing emails impersonating electronic signature services, especially DocuSign. The emails looked identical to genuine DocuSign notifications, complete with branded logos and request-to-sign language. The technical headers clearly showed that the emails were sent via Amazon SES. The phishing link in the email, while initially pointing to an amazonses.com subdomain or an AWS URL, redirected to a fraudulent website that captured the victim's login credentials. Because the sending infrastructure was fully authenticated with SPF/DKIM/DMARC, and the IP was clean, most email filters passed the message straight to the user’s inbox. Many employees fell victim before the campaign was identified.

How can organizations protect themselves from Amazon SES phishing attacks?

There is no single silver bullet, but a multi-layered approach helps. First, security teams should educate employees to scrutinize any unexpected email requesting sensitive actions, even if it appears to come from a trusted sender. Second, enable advanced email security solutions that look beyond simple authentication and IP reputation—focus on behavioral analysis, URL reputation at click-time, and anomaly detection in email headers. Third, restrict the use of cloud email services by limiting incoming SES traffic to only known, approved senders when possible. Finally, regularly scan code repositories and cloud storage for leaked IAM keys, using tools like TruffleHog, to prevent attackers from gaining initial access to SES.
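As an added illustration (not code from the original article or from any vendor), the header-anomaly and approved-sender checks described above can be sketched as a small triage function: it recognises SES-originated mail by the amazonses.com Message-ID domain, compares the From domain against an allowlist, and flags AWS-hosted links for click-time inspection. The allowlist contents, verdict names, and sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Assumption: From domains this organization has approved to send to it via SES.
APPROVED_SES_SENDERS = {"billing.example.com"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def in_domain(host, suffix):
    """Exact or subdomain match, so 'evilamazonses.com' does not count."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def sent_via_ses(msg):
    # SES origin is read from the Message-ID domain, as the article describes.
    msg_id = (msg.get("Message-ID") or "").strip().strip("<>")
    return in_domain(msg_id.rpartition("@")[2], "amazonses.com")

def triage(raw, approved=APPROVED_SES_SENDERS):
    """Return (verdict, reasons); SPF/DKIM/DMARC passes are ignored as a trust signal."""
    msg = message_from_string(raw)
    if not sent_via_ses(msg):
        return "not-ses", []
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender not in approved:
        reasons.append("unapproved SES sender: " + (sender or "(none)"))
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    aws_hosts = sorted({h.lower() for h in URL_HOST_RE.findall(body)
                        if in_domain(h, "amazonaws.com") or in_domain(h, "amazonses.com")})
    if aws_hosts:
        reasons.append("AWS-hosted link, check destination at click time: " + ", ".join(aws_hosts))
    verdict = "quarantine" if sender not in approved else ("review" if aws_hosts else "deliver")
    return verdict, reasons

# Constructed sample messages (not taken from a real campaign).
SUSPECT = """\
From: E-Sign Service <no-reply@sign-notify.example.org>
Message-ID: <0100-constructed-000000@email.amazonses.com>
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass

Review document: https://constructed-bucket.s3.amazonaws.com/doc.html
"""
KNOWN = """\
From: Billing <invoices@billing.example.com>
Message-ID: <0100-constructed-000001@us-east-1.amazonses.com>

Your invoice is attached.
"""
if __name__ == "__main__":
    print(triage(SUSPECT), triage(KNOWN))
```

The suspect message is quarantined even though its authentication results all pass, which is the gap the article describes in filters that stop at SPF, DKIM, DMARC and IP reputation.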

As email security evolves, attackers will continue to seek out trusted infrastructure to hide behind. We are likely to see a rise in phishing campaigns leveraging other AWS services (like S3 for hosting phishing pages) or similar offerings from Google Cloud and Microsoft Azure. Attackers will also adopt more sophisticated social engineering techniques, such as using AI-generated content that perfectly mimics a specific sender’s writing style. The combination of legitimate sending platforms and increasingly convincing phishing will make detection harder. Organizations must invest in detection systems that analyze email content and user behavior, not just technical headers. Staying ahead requires constant vigilance and a willingness to question the trust we place in cloud providers.
