Kaspersky has detected phishing and business email compromise (BEC) attacks that are leveraging Amazon Simple Email Service (SES) – a cloud-based email service designed for businesses and developers to send and receive high-volume marketing, notification, and transactional emails (for instance, password resets). Because these emails are sent via a trusted service, they originate from reputable IP addresses, frequently include legitimate “.amazonses.com” identifiers. This makes phishing messages nearly indistinguishable from legitimate correspondence at a technical level. Users should treat unexpected emails with extreme caution.
The attacks are driven by the theft and exposure of credentials from Amazon Web Services (AWS). The attackers are using leaked AWS Identity and Access Management Keys – often found in public repositories, misconfigured cloud storage, and exposed configuration files. With automated tools, threat actors can identify valid keys and abuse them to send large volumes of malicious emails through legitimate infrastructure operated by Amazon.
Attackers disguise malicious links behind trusted domains such as amazonaws.com using redirects and by creating highly convincing HTML email templates. In many cases, phishing pages are hosted on infrastructure that appears legitimate, further increasing the likelihood of credential theft from victims.
One of the campaigns observed by Kaspersky in early 2026 involved emails impersonating document-signing platforms like DocuSign. Victims were prompted to review and sign documents, only to be redirected to fraudulent login pages hosted on an Amazon Web Services page designed to capture credentials.
A phishing email imitating a notification from DocuSign.
Researchers also identified business email compromise attacks carried out via Amazon SES in which attackers impersonated employees and fabricated entire email threads with suppliers. These messages, often sent to finance departments, requested urgent payments and included PDF attachments containing only banking details – with no malicious links – making detection challenging.
An example of a business email compromise thread sent via Amazon SES.
“We’ve seen attackers abuse trusted platforms before – like in cases with Google Tasks and Google Forms - where scammers rely on built-in notification mechanisms to deliver phishing links from legitimate domains like @google.com, effectively bypassing email filters and exploiting user trust. However, the abuse of Amazon SES represents a more advanced stage of this trend: instead of merely leveraging a platform’s notification features, attackers compromise cloud credentials and gain direct control over a trusted email-sending infrastructure. This allows them to scale attacks, fully customise messages, and deliver phishing emails that are hard to distinguish from legitimate business communications,” commented Roman Dedenok, Anti-Spam Expert at Kaspersky.
To avoid becoming victim of such attack schemes, Kaspersky recommends:
- Organisations should secure access to AWS by minimising permissions, replacing static IAM keys with roles, enabling multi-factor authentication, restricting access (e.g., by IP), and regularly rotating and auditing credentials.
- Individual users should not trust emails based solely on the sender’s name or domain. Treat unexpected messages with caution, verify requests through a separate channel, and carefully inspect the links before following them, even if they appear to come from legitimate services.
