Ehedrick
2026-05-06
Cybersecurity

7 Critical Facts About Phishing Attacks via Amazon SES

Learn how cybercriminals abuse Amazon SES for phishing, bypassing email security by exploiting trust in cloud infrastructure, leaked IAM keys, and redirects. Understand why blocking the service isn't viable and how to defend your organization.

Cybercriminals are constantly refining their methods to breach email security. While many focus on suspicious links or malicious attachments, a newer, more insidious technique involves abusing trusted cloud services like Amazon Simple Email Service (Amazon SES). These attacks exploit the very infrastructure that security systems and users trust, making them especially dangerous. Below, we break down seven essential facts to understand how these phishing campaigns operate and why they’re so effective.

1. Attackers Weaponize Trusted Cloud Infrastructure

Amazon SES is a legitimate email-sending service used by businesses worldwide for marketing and transactional emails. Attackers leverage this trust by sending phishing emails through Amazon’s own cloud. Unlike traditional phishing that uses shady domains, these emails originate from a reputable source—Amazon Web Services (AWS). The Message-ID header often includes .amazonses.com, making the email appear completely legitimate to both users and automated filters. This trust is the core of the attack; when recipients see an amazonaws.com link, they’re far more likely to click without suspicion.

7 Critical Facts About Phishing Attacks via Amazon SES
Source: securelist.com

2. Email Authentication Protocols Are Fully Bypassed

Standard email security checks like SPF, DKIM, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are designed to block forgeries. However, when an email is sent through Amazon SES, it passes all these checks because the sending domain is authenticated by AWS. The email’s headers confirm that it came from a verified Amazon server. This means even the most vigilant providers (e.g., Gmail, Outlook, Office 365) will deliver the message straight to the inbox. From a technical standpoint, a phishing email sent via Amazon SES looks identical to a legitimate Amazon notification—making it nearly impossible to filter using traditional methods.

3. Phishing URLs Hide Behind Amazon’s Own Redirect Links

Attackers often use Amazon’s own URL shorteners or redirect services (like amazonaws.com links) to mask the final destination. A user sees a clickable link ending in .amazonaws.com and assumes it’s safe. However, behind that link lies a redirect chain that eventually leads to a phishing site designed to steal credentials or personal data. Because the initial URL is on Amazon’s trusted domain, security scanners may not flag it as malicious. This technique combines social engineering with technical camouflage, making it extremely effective for credential harvesting.

4. Attackers Gain Access Through Leaked IAM Keys

How do cybercriminals get Amazon SES access in the first place? The most common method is via leaked AWS Identity and Access Management (IAM) access keys. Developers frequently expose these keys by accident in public GitHub repositories, environment files (like .env), Docker images, or even misconfigured S3 buckets. Attackers use automated tools such as TruffleHog—an open-source secret scanner—to scan repositories and detect these keys. Once a valid key is found, the phisher checks its permissions and email-sending limits, then uses it to send massive volumes of phishing messages via Amazon SES. This process can happen within minutes of the key being exposed.
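The permission and sending-limit checks described above leave a trace defenders can alert on. The following is an added example, not code from the original article: it assumes API activity is available as CloudTrail-style records, and the watch list, window, threshold and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Calls that reveal who a key belongs to and what SES lets it send (assumed watch list).
RECON_CALLS = {"GetCallerIdentity", "GetSendQuota", "ListIdentities",
               "GetSendStatistics", "GetAccountSendingEnabled"}
WINDOW = timedelta(minutes=10)  # assumed burst window
MIN_DISTINCT = 3                # assumed number of distinct recon calls


def _ev(time, source, name, key_id, ip):
    """Build a constructed record with the CloudTrail fields used below."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key_id}}


# Constructed sample: AWS documentation key IDs and RFC 5737 addresses.
SAMPLE_EVENTS = [
    _ev("2026-01-10T08:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAIOSFODNN7EXAMPLE", "203.0.113.45"),
    _ev("2026-01-10T08:00:09Z", "ses.amazonaws.com", "GetSendQuota", "AKIAIOSFODNN7EXAMPLE", "203.0.113.45"),
    _ev("2026-01-10T08:00:14Z", "ses.amazonaws.com", "ListIdentities", "AKIAIOSFODNN7EXAMPLE", "203.0.113.45"),
    _ev("2026-01-10T09:30:00Z", "ses.amazonaws.com", "GetSendQuota", "AKIAI44QH8DHBEXAMPLE", "198.51.100.7"),
]


def find_ses_recon(events, known_ips=frozenset()):
    """Flag keys making >= MIN_DISTINCT recon calls within WINDOW from an unknown IP."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["eventName"] in RECON_CALLS:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[ev["userIdentity"].get("accessKeyId", "?")].append(
                (ts, ev["eventName"], ev["sourceIPAddress"]))
    alerts = []
    for key_id, hits in by_key.items():
        hits.sort()
        for start, _, _ in hits:
            window = [h for h in hits if timedelta(0) <= h[0] - start <= WINDOW]
            calls = sorted({h[1] for h in window})
            new_ips = sorted({h[2] for h in window} - set(known_ips))
            if len(calls) >= MIN_DISTINCT and new_ips:
                alerts.append({"accessKeyId": key_id, "calls": calls, "new_ips": new_ips})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_ses_recon(SAMPLE_EVENTS, known_ips={"198.51.100.7"}):
        print(alert)
```

An alert on a key that normally only sends mail from known infrastructure is a cue to deactivate and rotate that key before sending volume ramps up.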

5. Common Phishing Themes Mimic Major Services

Phishing emails sent via Amazon SES often impersonate well-known platforms. In early 2026, a prevalent theme was fake notifications from electronic signature services like DocuSign or Adobe Sign. Recipients receive an email claiming they have a document to sign, with a link that appears to point to the legitimate service (but actually leads to a phishing page). Other common themes include fake shipping notifications, account verification requests, or payment updates. Because the emails are crafted using Amazon’s custom HTML templates, they look visually identical to the real thing—logos, layouts, and even color schemes match perfectly.

6. Blocking Amazon SES Is Not a Viable Solution

When security teams realize these attacks are coming from Amazon SES, their first instinct might be to block all emails from that service. However, that’s impractical. Many legitimate organizations rely on Amazon SES for essential communications (e.g., order confirmations, password resets, marketing newsletters). Blocking the entire service would cause massive false positives, disrupting user workflows and frustrating customers. Moreover, the sender’s IP address is not blacklisted because it belongs to Amazon—a trusted provider. So attackers can keep using the same infrastructure without fear of IP-based bans. The only effective countermeasure is advanced threat detection that analyzes email content and behavior, not just headers.
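Content-based triage of the kind described above can start from signals that survive a clean SPF/DKIM/DMARC result. This is an added example, not code from the original article: the brand allow-list, finding labels and sample message are constructed assumptions, and a real filter would combine these signals with many others.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: domains each impersonated brand legitimately sends from.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"},
                 "adobe sign": {"adobe.com", "adobesign.com"}}

# Constructed message: passes authentication, claims a brand, links to a cloud host.
SAMPLE = """\
From: "DocuSign via Accounts" <notify@billing-example.test>
To: user@example.org
Subject: Please review and sign your document
Message-ID: <0100018f-constructed-000000@email.amazonses.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Review document: https://constructed-bucket.s3.amazonaws.com/r.html?id=1
"""


def triage(raw):
    """Return findings that do not depend on the sender's IP or on auth results."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    if msg.get("Message-ID", "").rstrip(">").lower().endswith("amazonses.com"):
        findings.append("sent-via-ses")
    if "dmarc=pass" in msg.get("Authentication-Results", "").lower():
        findings.append("auth-pass-not-a-trust-signal")
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not owned:
            findings.append(f"brand-mismatch:{brand}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(".amazonaws.com"):
            findings.append(f"cloud-hosted-link:{host}")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The brand mismatch combined with a cloud-hosted link is what separates this message from a legitimate SES sender, since the authentication result is identical for both.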

7. Organizations Must Educate Users and Monitor for Leaks

To defend against Amazon SES phishing, companies need a two-pronged approach. First, educate users to treat any unsolicited email with suspicion—even if it appears to come from a trusted domain. Teach them to hover over links (not just look at the display text) and to verify the actual URL before clicking. Second, implement robust secrets management and monitoring to prevent exposure of IAM keys. Developers should use secret scanning tools to automatically detect key leaks in public and private repositories. Regularly rotate access keys and enforce least-privilege permissions for IAM users. Additionally, consider email security solutions that use machine learning to detect phishing patterns, regardless of the sending infrastructure.
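A minimal version of the secret-scanning check recommended above, suitable as a pre-commit or CI gate. This is an added example, not code from the original article or from any scanning tool it names: the function names and file contents are constructed, and the key pair shown is AWS's published documentation example.

```python
import re

KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")  # long-term / temporary key IDs
SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

# Constructed repository contents; the key pair is AWS's published documentation example.
SAMPLE_FILES = {
    ".env": "DB_HOST=localhost\n"
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "app.py": "import os\nkey_id = os.environ['AWS_ACCESS_KEY_ID']\n",
}


def redact(value):
    """Keep only enough of a secret to identify it, so reports do not re-leak it."""
    return value[:4] + "..." + value[-4:]


def scan(files):
    """Return (path, line number, kind, redacted value) for every credential found."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in KEY_ID.finditer(line):
                findings.append((path, lineno, "access-key-id", redact(match.group(0))))
            for match in SECRET.finditer(line):
                findings.append((path, lineno, "secret-access-key", redact(match.group(1))))
    return findings


def hook_exit_code(files):
    """Non-zero blocks the commit or CI job when any credential is present."""
    return 1 if scan(files) else 0


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

Code that reads the key from the environment, as in the sample `app.py`, produces no finding; only the literal values in `.env` do.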

In summary, phishing via Amazon SES is a growing threat that exploits trust in cloud infrastructure. By understanding how attackers operate—from exploiting leaked keys to bypassing email authentication—you can better protect your organization. Stay vigilant, keep secrets safe, and never assume an email is safe just because it comes from a respected service like AWS.