Last updated: May 14, 2026 at 10:49 AM UTC
Tag: reputation-abuse (1 article)

Attackers are using stolen Amazon keys to send convincing phishing emails directly from Amazon's email service - bypassing every spam filter

Kaspersky reported a sharp rise in phishing campaigns sent through Amazon's Simple Email Service (SES). Because the emails come from Amazon's own infrastructure, they pass the SPF, DKIM, and DMARC checks that normally catch fake-brand emails, and reputation-based blocks don't trigger because Amazon's mail servers have a legitimate reputation. The pattern starts with attackers harvesting AWS access keys leaked in public GitHub repos, .env files, Docker images, and S3 buckets, then using those keys to send phishing through SES from the victim's own AWS account. Wiz documented similar abuse in 2025, with attackers escalating from sandbox mode (200 emails/day) to production mode (50,000+/day) by issuing PutAccountDetails across all AWS regions in 10 seconds.

Check
Open the SES console in every AWS region (not just your home region) and check sending statistics for unexpected volume. Search CloudTrail for ses:PutAccountDetails calls from unfamiliar IPs.
Affected
Any AWS account where IAM access keys could be exposed - public GitHub repos, .env files committed by mistake, Docker images that bundled credentials, or developer workstations. AWS accounts where SES has never been used legitimately are at acute risk because there's no baseline. Verified domain owners face inbox-reputation damage even if no breach happened on their systems.
Fix
Apply Service Control Policies that block ses:* actions in regions and accounts where SES isn't legitimately used. Replace static AWS access keys with IAM roles using short-lived credentials. Run TruffleHog or git-secrets across your repos to find leaked keys. Rotate any IAM keys older than 90 days. Configure CloudTrail alerts on SES API calls from unfamiliar IPs.
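
The CloudTrail search described under Check, and the alerting suggested under Fix, can be expressed as a small detection routine. This is an added example, not code from Kaspersky, Wiz or AWS. It runs over constructed CloudTrail records, and the known-network list, the 60-second window and the three-region threshold are assumptions to tune for your environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions, not from the article: known egress ranges and burst thresholds.
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BURST_WINDOW = timedelta(seconds=60)
BURST_REGIONS = 3

def _ev(time, region, ip, key, name="PutAccountDetails"):
    return {"eventSource": "ses.amazonaws.com", "eventName": name, "eventTime": time,
            "awsRegion": region, "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed CloudTrail records (documentation IP ranges, AWS example key IDs).
SAMPLE_EVENTS = [
    _ev("2025-01-01T10:00:01Z", "us-east-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _ev("2025-01-01T10:00:03Z", "eu-west-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _ev("2025-01-01T10:00:06Z", "ap-south-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _ev("2025-01-01T10:00:09Z", "sa-east-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _ev("2025-01-02T09:00:00Z", "us-east-1", "203.0.113.10", "AKIAI44QH8DHBEXAMPLE"),
    _ev("2025-01-02T09:05:00Z", "us-east-1", "203.0.113.10", "AKIAI44QH8DHBEXAMPLE", "SendEmail"),
]

def _known(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # sourceIPAddress can hold a service name instead of an IP
        return False
    return any(addr in net for net in KNOWN_NETS)

def find_ses_quota_abuse(events):
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventSource") == "ses.amazonaws.com" and e.get("eventName") == "PutAccountDetails":
            by_key[e.get("userIdentity", {}).get("accessKeyId", "unknown")].append(e)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO 8601 UTC strings sort chronologically
        times = [datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for e in evs]
        unfamiliar = sorted({e["sourceIPAddress"] for e in evs if not _known(e["sourceIPAddress"])})
        # Most distinct regions touched by this key inside any one sliding window.
        most = max(len({evs[j]["awsRegion"] for j in range(i, len(evs))
                        if times[j] - t0 <= BURST_WINDOW}) for i, t0 in enumerate(times))
        burst = most >= BURST_REGIONS
        if unfamiliar or burst:
            findings.append({"accessKeyId": key, "unfamiliar_ips": unfamiliar,
                             "regions_in_window": most, "multi_region_burst": burst})
    return findings
```

Feed it events collected from every region's trail, since a single-region query misses the multi-region pattern the check is looking for.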