Executive Summary
In early 2026, cybercriminals exploited Amazon Simple Email Service (SES) to conduct sophisticated phishing and Business Email Compromise (BEC) attacks. By leveraging exposed AWS Identity and Access Management (IAM) access keys, attackers sent large volumes of phishing emails that passed standard authentication checks, such as SPF, DKIM, and DMARC. These emails often impersonated trusted services like DocuSign, leading recipients to malicious sites designed to harvest sensitive information. The abuse of Amazon's legitimate infrastructure allowed these phishing campaigns to evade traditional email security measures, resulting in significant data breaches and financial losses for targeted organizations.
This incident underscores a growing trend where attackers exploit trusted cloud services to enhance the credibility and effectiveness of their phishing campaigns. The increasing sophistication of such attacks highlights the urgent need for organizations to implement robust security measures, including strict IAM policies, regular key rotation, and comprehensive employee training to recognize and respond to phishing attempts.
Why This Matters Now
The exploitation of trusted cloud services like Amazon SES for phishing attacks represents a significant evolution in cybercriminal tactics, making it more challenging for traditional security measures to detect and prevent such threats. Organizations must urgently reassess and strengthen their security postures to address these sophisticated attack vectors.
Attack Path Analysis
Attackers obtained AWS IAM access keys through various means, such as scanning public repositories for exposed credentials. Using these keys, they accessed Amazon SES to send phishing emails that appeared legitimate, leveraging the trusted infrastructure to bypass email security measures. The phishing emails contained links to credential-harvesting sites, leading victims to disclose sensitive information. With the harvested credentials, attackers could access internal systems, potentially moving laterally within the network. They established command and control channels to maintain persistent access and exfiltrated sensitive data. The impact included unauthorized access to confidential information and potential financial loss due to fraudulent activities.
Kill Chain Progression
Initial Compromise
Description
Attackers obtained AWS IAM access keys through various means, such as scanning public repositories for exposed credentials.
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service
Impersonation
Web Service
Resource Hijacking: Cloud Service Hijacking
Phishing for Information: Spearphishing Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High BEC risk through Amazon SES phishing targeting payment processes, with egress security gaps enabling data exfiltration and fraudulent transfers.
Banking/Mortgage
Critical exposure to sophisticated BEC campaigns mimicking vendor communications, exploiting trust in legitimate AWS infrastructure for financial fraud.
Computer Software/Engineering
Prime target due to exposed IAM keys in GitHub repositories and Docker images, enabling attackers to weaponize Amazon SES infrastructure.
Legal Services
Vulnerable to document signing phishing campaigns impersonating DocuSign via Amazon SES, compromising client confidentiality and financial transactions.
Sources
- “Legitimate” phishing: how attackers weaponize Amazon SES to bypass email securityhttps://securelist.com/amazon-ses-phishing-and-bec-attacks/119623/Verified
- Phishing and online scams on Amazonhttps://usa.kaspersky.com/blog/amazon-related-phishing-scam/23726/Verified
- Suspicious Email Reporting - Amazon Web Services (AWS)https://aws.amazon.com/security/report-suspicious-emails/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely constrain the attacker's ability to move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit unauthorized access by enforcing strict identity-based policies, reducing the risk of credential misuse.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely restrict unauthorized use of services like Amazon SES, limiting the attacker's ability to exploit trusted infrastructure.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit lateral movement by enforcing strict communication policies between workloads, reducing the attacker's ability to traverse the network.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely detect and limit unauthorized command and control channels, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit unauthorized data exfiltration by controlling outbound traffic, reducing the risk of data loss.
The implementation of Aviatrix Zero Trust CNSF would likely reduce the overall impact by limiting the attacker's ability to access sensitive information and perform fraudulent activities.
Impact at a Glance
Affected Business Functions
- Email Communications
- Financial Transactions
- Customer Data Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive customer information and financial data due to phishing and BEC attacks.
Recommended Actions
Key Takeaways & Next Steps
- • Implement the principle of least privilege when configuring IAM access keys, granting elevated permissions only to users who require them for specific tasks.
- • Transition from IAM access keys to roles when configuring AWS; these are profiles with specific permissions that can be assigned to one or several users.
- • Enable multi-factor authentication, an ever-relevant step.
- • Configure IP-based access restrictions.
- • Set up automated key rotation and run regular security audits.
