Attackers Weaponize Amazon SES for Phishing Campaigns
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (May 4, 2026) — Cybercriminals are exploiting compromised Amazon Web Services (AWS) Identity and Access Management (IAM) credentials to weaponize Amazon Simple Email Service (Amazon SES) for sophisticated phishing and business email compromise (BEC) campaigns. The attack vector leverages legitimate cloud infrastructure to bypass standard email security filters, allowing malicious messages to reach inboxes that would otherwise block them.
The campaign, detected globally on Tuesday, involves attackers gaining unauthorized access to AWS accounts and utilizing the associated IAM keys to send emails through Amazon SES. Because the emails originate from a trusted provider and pass standard authentication checks, including SPF and DKIM, they evade detection by many corporate firewalls and spam filters. This method enables threat actors to trick victims into revealing sensitive data or authorizing fraudulent fund transfers.
Amazon SES is a cloud-based email service used by organizations worldwide to send transactional and marketing emails. By hijacking this infrastructure, attackers are effectively using the service's reputation to lend credibility to their malicious communications. Security experts note that the use of legitimate infrastructure makes these attacks particularly difficult to distinguish from genuine correspondence.
The attacks target a broad range of industries, with financial institutions and corporate finance departments identified as primary targets for BEC attempts. The compromised IAM keys allow attackers to configure sending domains that appear authentic, further complicating efforts to identify the malicious activity. Unlike traditional phishing attempts that often originate from suspicious domains, these messages come from verified senders, reducing the likelihood of immediate flagging by recipients.
Amazon has not issued a public statement regarding the specific incidents, though the company regularly advises customers to secure their IAM credentials and monitor for unauthorized access. The technique highlights a growing trend in which cybercriminals seek to exploit trusted third-party services to circumvent security measures. As organizations increasingly rely on cloud-based email services, the potential for such abuse remains a significant concern.
The scope of the compromised accounts and the number of affected organizations remain unclear. Investigators are working to determine how the IAM keys were initially obtained and whether the attackers have established persistent access to the targeted AWS environments. Questions also remain regarding the financial impact of the campaigns and whether any funds have been successfully diverted.
Security professionals recommend that organizations audit their AWS configurations, rotate IAM keys regularly, and implement multi-factor authentication to prevent unauthorized access. The incident underscores the need for enhanced monitoring of cloud service usage and the importance of verifying the legitimacy of incoming emails, even when they appear to originate from trusted sources.
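One way to act on the monitoring recommendation above, as an added example that is not part of the original report: a Python pass over AWS CloudTrail management-event records that groups SES calls by access key and flags principals not expected to send mail. The allowlist, user names, access keys, IP addresses and sample records are constructed assumptions; message-sending calls are data events and are not covered here.

```python
from collections import defaultdict

# SES management API calls that create or verify a sending identity.
IDENTITY_CALLS = {"VerifyEmailIdentity", "VerifyDomainIdentity",
                  "VerifyDomainDkim", "CreateEmailIdentity"}
# SES calls that read or change account-level sending state.
ACCOUNT_CALLS = {"GetSendQuota", "GetAccount", "UpdateAccountSendingEnabled"}

def flag_ses_activity(records, expected_senders):
    """Return one finding per access key whose principal is not an expected SES sender."""
    by_key = defaultdict(lambda: {"arn": "", "events": [], "ips": set()})
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue  # not an SES call
        if name not in IDENTITY_CALLS | ACCOUNT_CALLS:
            continue
        ident = rec.get("userIdentity", {})
        if ident.get("arn", "") in expected_senders:
            continue  # known mail-sending principal
        entry = by_key[ident.get("accessKeyId", "unknown")]
        entry["arn"] = ident.get("arn", "")
        entry["events"].append(name)
        entry["ips"].add(rec.get("sourceIPAddress", "unknown"))
    findings = []
    for key, e in sorted(by_key.items()):
        # Setting up a new sending identity outranks a quota or account lookup.
        severity = "high" if IDENTITY_CALLS & set(e["events"]) else "review"
        findings.append({"accessKeyId": key, "arn": e["arn"], "severity": severity,
                         "events": e["events"], "source_ips": sorted(e["ips"])})
    return findings

def _rec(name, user, key, ip, source="ses.amazonaws.com"):
    """Build a constructed record in CloudTrail's JSON layout (placeholder account id)."""
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample data, not real logs.
EXPECTED = {"arn:aws:iam::111122223333:user/mailer-svc"}
SAMPLE = [
    _rec("GetSendQuota", "mailer-svc", "AKIAEXAMPLEMAILER000", "198.51.100.7"),
    _rec("GetSendQuota", "ci-deploy", "AKIAEXAMPLECIDEPLOY0", "203.0.113.50"),
    _rec("VerifyDomainIdentity", "ci-deploy", "AKIAEXAMPLECIDEPLOY0", "203.0.113.50"),
    _rec("GetSendQuota", "report-bot", "AKIAEXAMPLEREPORT000", "198.51.100.9"),
    _rec("ListBuckets", "ci-deploy", "AKIAEXAMPLECIDEPLOY0", "203.0.113.50", "s3.amazonaws.com"),
]

if __name__ == "__main__":
    for finding in flag_ses_activity(SAMPLE, EXPECTED):
        print(finding)
```

A "high" finding is a prompt to check whether the key should exist at all, then rotate it and review the identities it created.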