Last updated: May 13, 2026 at 5:42 AM UTC
Tag: spf-dkim-dmarc-bypass (2 articles)

Attackers are using stolen Amazon keys to send convincing phishing emails directly from Amazon's email service - bypassing every spam filter

Kaspersky reported a sharp rise in phishing campaigns sent through Amazon's Simple Email Service (SES). Because the emails come from Amazon's own infrastructure, they pass the SPF, DKIM, and DMARC checks that normally catch fake-brand emails - and reputation-based blocks don't trigger because Amazon's mail servers have a legitimate sending reputation. The pattern starts with attackers harvesting AWS access keys leaked in public GitHub repos, .env files, Docker images, and S3 buckets, then using those keys to send phishing through SES from the victim's own AWS account. Wiz documented similar abuse in 2025, with attackers escalating from sandbox mode (200 emails/day) to production mode (50,000+/day) by issuing PutAccountDetails across all AWS regions within 10 seconds.

Check
Open the SES console in every AWS region (not just your home region) and check sending statistics for unexpected volume. Search CloudTrail for ses:PutAccountDetails calls from unfamiliar IPs.
Affected
Any AWS account where IAM access keys could be exposed - public GitHub repos, .env files committed by mistake, Docker images that bundled credentials, or developer workstations. AWS accounts where SES has never been used legitimately are at acute risk because there's no baseline. Verified domain owners face inbox-reputation damage even if no breach happened on their systems.
Fix
Apply Service Control Policies that block ses:* actions in regions and accounts where SES isn't legitimately used. Replace static AWS access keys with IAM roles using short-lived credentials. Run TruffleHog or git-secrets across your repos to find leaked keys. Rotate any IAM keys older than 90 days. Configure CloudTrail alerts on SES API calls from unfamiliar IPs.
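As an added example (not from Kaspersky, Wiz, or this page's author), a small Python triage for the CloudTrail check above: it reads exported CloudTrail records, flags ses:PutAccountDetails calls from IPs outside an allowlist, and flags one access key touching several regions within a short window, the escalation pattern Wiz described. The records, access key IDs and IP addresses are constructed samples; only the field names follow the real CloudTrail record format.

```python
import json
from datetime import datetime

# Constructed sample CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; IPs are from documentation ranges, key IDs are fake.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-05-12T03:10:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIA-CI-RUNNER-EXAMPLE"}},
    {"eventTime": "2026-05-12T03:12:00Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIA-LEAKED-EXAMPLE"}},
    {"eventTime": "2026-05-12T03:12:03Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIA-LEAKED-EXAMPLE"}},
    {"eventTime": "2026-05-12T03:12:06Z", "eventSource": "ses.amazonaws.com", "eventName": "PutAccountDetails",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIA-LEAKED-EXAMPLE"}},
]})

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def triage_ses_trail(trail_json, known_ips, burst_window_s=10, burst_regions=3):
    """Return PutAccountDetails calls from IPs not in known_ips, and any access key
    that issued PutAccountDetails in >= burst_regions regions within burst_window_s."""
    records = [r for r in json.loads(trail_json)["Records"]
               if r.get("eventSource") == "ses.amazonaws.com"]
    unknown_ip = [r for r in records
                  if r.get("eventName") == "PutAccountDetails"
                  and r.get("sourceIPAddress") not in known_ips]
    by_key = {}
    for r in records:
        if r.get("eventName") == "PutAccountDetails":
            by_key.setdefault(r["userIdentity"].get("accessKeyId"), []).append(r)
    bursts = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):  # slide a window from each event
            window = [e for e in evs[i:]
                      if (_ts(e) - _ts(first)).total_seconds() <= burst_window_s]
            regions = {e["awsRegion"] for e in window}
            if len(regions) >= burst_regions:
                bursts.append({"accessKeyId": key, "regions": sorted(regions),
                               "start": first["eventTime"]})
                break  # one finding per key is enough for triage
    return {"unknown_ip": unknown_ip, "region_bursts": bursts}

if __name__ == "__main__":
    print(json.dumps(triage_ses_trail(SAMPLE_TRAIL, {"198.51.100.10"}), indent=2))
```

For real use, feed it the decompressed JSON objects from your CloudTrail S3 bucket (one file per region, since the abuse spans regions) and put your CI/CD egress IPs in known_ips.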

Vietnamese fraudsters used Google's no-code app platform to send Facebook phishing emails that passed every spam check, then sold the stolen accounts back to victims

Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.

Check
Brief every staff member who manages a Facebook business account that any email from 'noreply@appsheet.com' claiming to be Meta is hostile, regardless of how legitimate the formatting looks.
Affected
Facebook Business account owners worldwide, with 68.6% of victims based in the US. Acute risk for marketing teams, social media managers, and small business owners who manage Facebook ad accounts. Any organization using the same Facebook business account for paid ads since 2024 is in the broader target pool. Stolen accounts often hold credit card data and ad spend history.
Fix
Block emails from noreply@appsheet.com unless your organization legitimately uses Google AppSheet. Train staff that real Meta support never asks for 2FA codes via email. Enable Meta Business Manager 2FA with hardware keys (not SMS). For organizations already compromised, contact Meta Business Help directly through facebook.com - the 'recovery service' is the same operation that took the account.