GoKawiilThe Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.
Although the resource has been leveraged for malicious activity in the past, the current spike may be due to a large number of AWS Identity and Access Management access keys exposed in public assets.
Because it is a legitimate, trusted resource, phishing operations can leverage Amazon SES to send out malicious emails that pass authentication checks.
Kaspersky researchers note in a report today that they've “observed an uptick in phishing attacks leveraging Amazon SES” to deliver links that redirect to a malicious site.
Headers on phishing email
Source: Kaspersky
The researchers believe the main driver of this abuse is the increasing exposure of AWS credentials in GitHub repositories, .ENV files, Docker images, backups, and publicly accessible S3 buckets.
Finding the access keys is typically done in an automated way using bots built on the open-source TruffleHog utility, which is designed to scan for leaked secrets.
Threat actors now rely on automated attacks that streamline secret scanning, permission validation, and email distribution, enabling unprecedented levels of abuse.
“After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages,” Kaspersky explains.
... continue reading