What measures can organizations take to prevent such attacks?

Organizations should enforce least-privilege IAM policies, enable multi-factor authentication, regularly rotate access keys, and apply IP-based access restrictions to secure their AWS credentials.

Rising Threat: Amazon SES Phishing Abuse in 2026

Cybercriminals are increasingly exploiting Amazon SES to conduct sophisticated phishing attacks, emphasizing the need for enhanced security measures.

Published: May 5, 2026

Share this on:

Executive Summary

In May 2026, cybersecurity researchers identified a significant increase in phishing campaigns exploiting Amazon Simple Email Service (SES). Attackers leveraged exposed AWS Identity and Access Management (IAM) access keys, often found in public GitHub repositories, .ENV files, Docker images, and publicly accessible S3 buckets, to send convincing phishing emails that bypass standard security filters. These emails, appearing to originate from trusted sources, included fake document-signing notifications and sophisticated business email compromise (BEC) attacks, leading to unauthorized access and financial losses.

This trend underscores the critical need for organizations to implement stringent security measures, such as enforcing least-privilege IAM policies, enabling multi-factor authentication, regularly rotating access keys, and applying IP-based access restrictions. The rise in such attacks highlights the evolving tactics of cybercriminals and the importance of proactive defense strategies to protect sensitive information and maintain trust.

Why This Matters Now

The surge in Amazon SES abuse for phishing campaigns in 2026 highlights the urgent need for organizations to secure their AWS credentials and implement robust email security measures to prevent sophisticated attacks that can bypass traditional filters.

Attack Path Analysis

Attackers exploited exposed AWS IAM access keys to gain unauthorized access to Amazon SES, enabling them to send phishing emails that bypass standard security filters. With these credentials, they escalated privileges to configure SES for mass email distribution. They then moved laterally within the AWS environment to identify and exploit additional resources. The attackers established command and control by embedding malicious links in emails, directing victims to phishing sites. They exfiltrated sensitive information by harvesting credentials entered on these sites. Finally, the impact included unauthorized access to user accounts and potential financial loss.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

High

Exfiltration

High

Impact

Medium

Initial Compromise

Description

Attackers obtained exposed AWS IAM access keys from public repositories, enabling unauthorized access to Amazon SES.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1078

Valid Accounts

Initial Access

T1566.002

Spearphishing Link

Resource Development

T1583.001

Acquire Infrastructure: Domains

Resource Development

T1583.003

Acquire Infrastructure: Virtual Private Server

Resource Development

T1583.004

Acquire Infrastructure: Server

Resource Development

T1583.006

Acquire Infrastructure: Web Services

Resource Development

T1584.002

Compromise Infrastructure: Domains

Resource Development

T1584.003

Compromise Infrastructure: Virtual Private Server

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Secure Software Development

Control ID: 6.4.3

The exposure of AWS credentials in public repositories indicates a failure to implement secure software development practices, potentially leading to unauthorized access and data breaches.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident highlights the need for comprehensive cybersecurity policies that address the protection of access credentials and the monitoring of third-party services to prevent unauthorized use.

DORA – ICT Risk Management Framework

Control ID: Article 5

The abuse of Amazon SES for phishing attacks underscores the importance of robust ICT risk management frameworks to identify and mitigate risks associated with third-party services.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The compromise of AWS credentials and subsequent misuse of Amazon SES for phishing campaigns demonstrate the necessity for stringent identity and access management controls to prevent unauthorized access.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident illustrates the need for organizations to implement effective cybersecurity risk management measures to protect against the abuse of legitimate services for malicious purposes.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

High BEC attack risk through Amazon SES abuse targeting finance departments with fabricated invoices, requiring enhanced email authentication and egress security controls.

Banking/Mortgage

Critical exposure to sophisticated phishing campaigns leveraging trusted AWS infrastructure to bypass traditional security filters and compromise customer credential authentication systems.

Computer Software/Engineering

Primary attack vector through exposed AWS credentials in GitHub repositories and Docker images, enabling automated phishing distribution via legitimate Amazon SES infrastructure.

Information Technology/IT

Elevated threat from credential exposure in public repositories and S3 buckets, necessitating zero trust segmentation and multicloud visibility for comprehensive protection.

Sources

Amazon SES increasingly abused in phishing to evade detectionhttps://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/
Verified

Phishing campaigns and BEC attacks through Amazon SEShttps://securelist.com/amazon-ses-phishing-and-bec-attacks/119623/

Verified

Report Suspicious Emailshttps://aws.amazon.com/security/report-suspicious-emails/

Verified

Frequently Asked Questions

Attackers use exposed AWS IAM access keys to send phishing emails through Amazon SES, allowing them to bypass standard security filters and appear as legitimate communications.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware controls.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The unauthorized access to Amazon SES could have been constrained, potentially limiting the attacker's ability to exploit the service.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Privilege escalation attempts could have been limited, potentially reducing the attacker's ability to configure SES for malicious purposes.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Lateral movement within the AWS environment could have been constrained, potentially reducing the attacker's ability to exploit additional resources.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The establishment of command and control channels could have been limited, potentially reducing the effectiveness of phishing campaigns.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Data exfiltration attempts could have been constrained, potentially reducing the amount of sensitive information leaked.

Impact (Mitigations)

The overall impact of unauthorized access and financial loss could have been reduced, potentially limiting the attacker's success.

Impact at a Glance

Affected Business Functions

Email Communication
Financial Transactions
Customer Relationship Management

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of sensitive information through phishing attacks, including credentials and financial data.

Recommended Actions

• Implement least-privilege IAM policies to restrict access to essential services.
• Enable multi-factor authentication (MFA) for all IAM users to enhance security.
• Regularly rotate IAM access keys and monitor for unauthorized usage.
• Apply IP-based access restrictions to limit access to trusted networks.
• Utilize encryption controls to protect sensitive data in transit and at rest.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Rising Threat: Amazon SES Phishing Abuse in 2026

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Valid Accounts

Spearphishing Link

Acquire Infrastructure: Domains

Acquire Infrastructure: Virtual Private Server

Acquire Infrastructure: Server

Acquire Infrastructure: Web Services

Compromise Infrastructure: Domains

Compromise Infrastructure: Virtual Private Server

Potential Compliance Exposure

PCI DSS 4.0 – Secure Software Development

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Banking/Mortgage

Computer Software/Engineering

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads