Amazon SES Phishing Abuse Evades Filters, Misryoum Reports

Misryoum reports rising Amazon SES phishing abuse that can bypass security checks, driven by exposed AWS credentials.
A sharp rise in phishing campaigns is drawing attention to an unexpected weak spot: Amazon Simple Email Service (SES), a platform designed for legitimate email sending.
Misryoum reports that cybersecurity researchers have observed more phishing emails using Amazon SES in ways that can slip past common security filters, including reputation-based blocking. The key issue is that SES is a trusted sending service, which can make malicious messages appear more legitimate during authentication and delivery.
That matters because phishing is increasingly not just about crafting convincing messages, but also about getting them delivered in the first place. When a trusted infrastructure layer is abused, defenders lose a powerful signal they rely on to flag suspicious traffic.
The suspected trigger behind the surge is credential exposure tied to Amazon Web Services environments. Misryoum notes the abuse appears linked to AWS Identity and Access Management (IAM) access keys ending up in public-facing locations such as GitHub repositories, .env files, Docker images, backups, and publicly accessible storage buckets.
In this context, automation plays a central role. Once attackers find leaked keys, they can test what those keys can access and what email sending limits allow, then use that information to scale phishing delivery. Misryoum also highlights that automated scanning tools can locate secrets quickly, turning exposure events into operational campaigns.
The phishing quality described by Misryoum is not “low-effort” spam. Attackers reportedly use custom HTML layouts and realistic login-style flows, which can improve the odds that victims will click and enter credentials. The tactics also include fake document-signing notifications designed to imitate well-known services, and business email compromise (BEC) style lures that rely on fabricated email threads.
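The sequence just described (a key probing its sending limits, then scaling up delivery) leaves a recognisable trail in CloudTrail, and defenders can alert on it. The following is an added illustration written for this article, not code from Misryoum or from AWS: it groups SES API events by access key, looks for a quota/account probe followed by a burst of send calls within a short window from IPs outside an assumed egress allowlist, and returns one finding per key. The event records, access key IDs, IP ranges and thresholds are all constructed sample values.

```python
"""Flag access keys whose SES activity matches recon-then-burst: a sending-limit probe
followed by many send calls from an IP outside the trusted egress ranges."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TRUSTED_RANGES = [ip_network("198.51.100.0/24")]   # assumed egress range of the real mail pipeline
RECON_CALLS = {"GetSendQuota", "GetAccount", "GetSendStatistics", "GetAccountSendingEnabled"}
SEND_CALLS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail", "SendBulkEmail", "SendBulkTemplatedEmail"}
BURST_THRESHOLD = 5                 # sends inside the window that count as a burst (tuning value)
WINDOW = timedelta(minutes=10)

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _untrusted(ip):
    return not any(ip_address(ip) in net for net in TRUSTED_RANGES)

def detect(events):
    """Return a finding per access key showing recon -> burst of sends from untrusted IPs."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "ses.amazonaws.com":
            by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        recon_at = next((_ts(e) for e in evs if e["eventName"] in RECON_CALLS), None)
        if recon_at is None:
            continue                # no limit probe: not the pattern this rule covers
        sends = [e for e in evs
                 if e["eventName"] in SEND_CALLS and recon_at <= _ts(e) <= recon_at + WINDOW]
        bad_ips = sorted({e["sourceIPAddress"] for e in sends if _untrusted(e["sourceIPAddress"])})
        if len(sends) >= BURST_THRESHOLD and bad_ips:
            findings.append({"accessKeyId": key, "sends": len(sends), "untrusted_ips": bad_ips})
    return findings

def _ev(t, name, ip, key):
    """Build a minimal CloudTrail-style record (constructed, fields trimmed to what the rule reads)."""
    return {"eventTime": t, "eventSource": "ses.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed sample: a leaked key probes the quota and bursts from an unknown IP,
# while the legitimate pipeline key sends steadily from the trusted range. IDs are placeholders.
LEAKED, LEGIT = "AKIAEXAMPLELEAKED123", "AKIAEXAMPLEBENIGN456"
SAMPLE_EVENTS = [_ev("2024-05-01T10:00:00Z", "GetSendQuota", "203.0.113.7", LEAKED)] + [
    _ev(f"2024-05-01T10:0{i}:30Z", "SendRawEmail", "203.0.113.7", LEAKED) for i in range(1, 7)] + [
    _ev(f"2024-05-01T10:0{i}:00Z", "SendEmail", "198.51.100.20", LEGIT) for i in range(0, 8)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would run over CloudTrail records delivered to S3 or a SIEM; the window and threshold should be tuned to the account's normal sending profile.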
Meanwhile, security gaps extend beyond SES alone. Misryoum reports that threat actors are continually searching for other legitimate email systems they can abuse, aiming to reduce reliance on any single delivery route.
This is exactly why Misryoum urges organizations to treat cloud email permissions as a security boundary. Practical steps include applying least-privilege IAM permissions, enforcing multi-factor authentication, rotating keys regularly, and tightening access controls so email-sending capabilities cannot be used broadly if credentials are exposed.
At the end of the day, the operational takeaway is straightforward: legitimate services can be weaponized when their access pathways leak, so cloud hygiene and access governance are now part of email security, not separate from it.