[TIMESTAMP: 2026-05-04 20:35 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

Amazon SES Phishing Abuse: Evading Security Filters via AWS Infrastructure

MEDIUM | Threat Intel | #Amazon SES #Phishing #AWS Security
AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Immediate impact: Organizations face highly convincing phishing attacks that bypass traditional reputation-based security filters by using legitimate Amazon AWS infrastructure.
  • [02] Affected systems: Any organization receiving external email is at risk, especially those relying on standard domain reputation for automated filtering.
  • [03] Remediation: Defenders must implement advanced email analysis tools that examine message headers and content intent rather than relying solely on domain legitimacy.

Summary of Amazon SES Abuse in Phishing

Recent intelligence indicates that threat actors are shifting toward legitimate cloud infrastructure to increase the success rate of their phishing campaigns. According to BleepingComputer, there has been a notable surge in the abuse of Amazon Simple Email Service (SES). By sending through this platform, attackers can deliver malicious emails from trusted IP addresses and domains associated with Amazon Web Services (AWS), effectively neutralizing many automated security controls that rely on domain reputation.

Technical Analysis: Leveraging Trusted Infrastructure

Amazon SES is a scalable, cloud-based bulk email service used by developers and businesses for marketing and transactional mail. Attackers abuse this by creating AWS accounts (often using stolen credit cards or compromised accounts) to send fraudulent communications. Because the emails originate from legitimate AWS servers, they often pass SPF (Sender Policy Framework) checks and carry valid DKIM (DomainKeys Identified Mail) signatures.

Bypassing Reputation-Based Filters

Most secure email gateways and SOC analysts use reputation scores to flag or block incoming mail. When a campaign originates from a newly registered or low-reputation domain, it is easily intercepted. However, when an email is sent via SES, it typically carries an envelope sender address ending in amazonses.com. Since Amazon's infrastructure is globally trusted, these emails are frequently whitelisted or given a high reputation score by default. This technique allows attackers to land malicious links directly in a user's inbox, bypassing the first line of defense.

Header Manipulation and Deception

The primary goal of these campaigns is often credential harvesting or the delivery of malware. Attackers use sophisticated templates that mimic Microsoft 365, DocuSign, or internal HR notifications. While the technical sender is Amazon SES, the "From" display name is spoofed to look like a legitimate entity. Organizations that do not have SIEM rules in place to inspect discrepancies between the envelope sender and the visible display name are particularly vulnerable.

How to Detect Amazon SES Phishing Campaigns

Identifying these threats requires moving beyond simple domain blacklisting. Security teams should detect these campaigns by focusing on behavioral anomalies rather than sender reputation. One effective indicator is a mismatch between the SES-provided sender domain and the organizational branding used in the email body and display name.

Advanced detection logic should involve searching for high-frequency emails from amazonses.com that contain keywords like “Password Reset,” “Urgent Action,” or “Payment Invoice” but do not align with known legitimate vendor patterns. Furthermore, defenders can map these activities to the MITRE ATT&CK framework, specifically under T1566 (Phishing), to better understand the adversary’s entry vector.
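The following is an added example, not code from the article or from any vendor product, showing how the header checks described above (envelope sender on amazonses.com, a display name borrowing a brand or executive name the From domain does not own, and lure wording in the subject) can be combined into a single scoring function. The sample messages, the brand and executive watchlists, the allowlisted vendor domain and the score weights are all constructed for illustration; a real deployment would load them from a directory and the gateway's allowlist.

```python
"""Score raw messages for SES-relayed display-name impersonation.

Added example. Sample messages and watchlists below are constructed, not real captures.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SES_DOMAINS = ("amazonses.com",)
# Constructed watchlists: lure brands the article names, plus a hypothetical executive.
BRAND_TOKENS = ("microsoft", "docusign", "hr")
INTERNAL_EXECUTIVES = ("jane doe",)  # hypothetical name, would come from a directory
LURE_KEYWORDS = ("password reset", "urgent action", "payment invoice")
# Hypothetical vendor that legitimately relays through SES; its mail is allowlisted.
TRUSTED_SES_FROM_DOMAINS = ("notify.example-vendor.com",)


def _domain(addr: str) -> str:
    """Lowercase domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_ses(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in SES_DOMAINS)


def analyze_message(raw: str) -> dict:
    """Return via_ses flag, findings, additive score and a verdict for one raw message."""
    msg = message_from_string(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    display_name, from_addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "").lower()
    rp_domain, from_domain = _domain(return_path), _domain(from_addr)
    display = display_name.lower()

    via_ses = _is_ses(rp_domain) or _is_ses(from_domain)
    result = {"via_ses": via_ses, "findings": [], "score": 0, "verdict": "clean"}
    if not via_ses or from_domain in TRUSTED_SES_FROM_DOMAINS:
        return result  # out of scope, or a known-good SES sender

    # Finding 1: the visible name borrows a brand that the From domain does not belong to.
    for token in BRAND_TOKENS:
        if re.search(rf"\b{re.escape(token)}\b", display) and token not in from_domain:
            result["findings"].append(f"display name impersonates '{token}'")
            result["score"] += 3
            break
    # Finding 2: the visible name matches an internal executive but arrives from outside.
    if any(name in display for name in INTERNAL_EXECUTIVES):
        result["findings"].append("display name matches internal executive")
        result["score"] += 3
    # Finding 3: envelope sender and From header live on different domains.
    if rp_domain and from_domain and rp_domain != from_domain:
        result["findings"].append(f"envelope {rp_domain} differs from From {from_domain}")
        result["score"] += 1
    # Finding 4: urgency or credential lure wording in the subject line.
    hits = [k for k in LURE_KEYWORDS if k in subject]
    if hits:
        result["findings"].append("lure keywords: " + ", ".join(hits))
        result["score"] += 2

    if result["score"] >= 4:
        result["verdict"] = "suspicious"
    elif result["score"]:
        result["verdict"] = "review"
    return result


# Constructed sample messages (not real captures). The first follows the pattern the
# article describes: SES envelope, spoofed vendor display name, urgent lure subject.
PHISH_SAMPLE = """\
Return-Path: <0100-bounce-id@amazonses.com>
From: "Microsoft Support" <alerts@mail-example-phish.test>
To: user@example.com
Subject: Urgent Action: Password Reset Required

Your account will be locked. Sign in at the link below.
"""
LEGIT_SAMPLE = """\
Return-Path: <0100-bounce-id@amazonses.com>
From: "Example Vendor Billing" <billing@notify.example-vendor.com>
To: user@example.com
Subject: Your monthly statement is ready

Thanks for being a customer.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze_message(sample))
```

The score thresholds are deliberately simple so that the rule can be tuned against a sample of the organization's own SES-relayed mail; the allowlist is what keeps legitimate SES customers (transactional mail from real vendors) from being flagged on every message.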

Recommendations and Mitigating Amazon SES Abuse

To counter this trend, organizations should extend their email security baseline to include stricter inspection of mail relayed through cloud email services such as SES. Relying on reputation alone is no longer sufficient in an era where infrastructure-as-a-service is commoditized for malicious use.

Actionable Mitigations

  • Header Analysis: Implement email security rules that flag external mail originating from Amazon SES if the display name matches internal executives or known partners.
  • Zero Trust Architecture: Adopt Zero Trust principles for email by assuming all external links are potentially malicious, regardless of the sender’s domain reputation.
  • User Training: Educate staff to look for the underlying email address behind the display name. If a “Microsoft Support” email originates from an @amazonses.com address, it should be treated as suspicious.
  • DMARC Enforcement: While SES handles SPF/DKIM, organizations should ensure their own DMARC policies are set to ‘reject’ to prevent direct spoofing of their own domains, forcing attackers to use the more detectable SES domains.
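As an added example supporting the DMARC recommendation above (not code from the article), the function below parses a DMARC TXT record, the kind published at `_dmarc.<domain>`, and reports whether it actually enforces `p=reject` for the domain and its subdomains at full coverage. The three sample records are constructed; the DNS lookup itself is left out so the check runs offline, and the `rua` check is a reporting warning rather than an enforcement failure.

```python
"""Audit a DMARC TXT record for full 'reject' enforcement.

Added example. The sample records are constructed, not taken from any real domain.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> dict:
    """Return policy, an enforced flag and a list of findings for one record."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")

    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: organizational domain is not at reject")

    # sp defaults to p when absent, so an unset sp inherits the parent policy.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not at reject")

    pct = tags.get("pct", "100")
    pct_ok = pct.isdigit() and int(pct) >= 100
    if not pct_ok:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")

    enforced = policy == "reject" and sub_policy == "reject" and pct_ok

    # Reporting gap: without rua the domain owner never sees who is spoofing it.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")

    return {"policy": policy, "enforced": enforced, "findings": findings}


# Constructed sample records.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL_RECORD = "v=DMARC1; p=reject; pct=50"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strict", STRICT_RECORD)):
        print(name, audit_dmarc(rec))
```

A record that passes this audit forces anyone who wants to impersonate the organization's own domain through SPF/DKIM alignment failure, which is exactly what pushes attackers onto the more detectable amazonses.com-style sender domains the earlier sections describe.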

By focusing on mitigating Amazon SES abuse through a combination of content inspection and behavioral analysis, organizations can reduce the risk posed by adversaries who exploit the inherent trust of major cloud providers.
