A phishing campaign is becoming harder to spot because attackers are no longer relying on obviously suspicious domains. Instead, they are abusing Amazon Simple Email Service, or SES, so fraudulent messages can appear to come from a legitimate source.
That shift matters because email security tools often trust messages that pass through recognized cloud infrastructure. When the sender rides on a reputable service like Amazon SES, the message can look like ordinary business communication even when its purpose is to steal credentials or money.
Amazon SES is a cloud-based email service widely used by companies for transactional notifications, password resets, promotional messages, and account verification. Once attackers misuse that platform, phishing emails can borrow the appearance of official corporate mail and gain a better chance of reaching inboxes.
Kaspersky says the abuse typically starts with stolen AWS access credentials from a company or developer account. If an AWS Identity and Access Management, or IAM, key is exposed, attackers can send mail directly through Amazon’s official servers.
In many cases, the messages also carry the identity “amazonses.com.” That combination of a trusted domain and a legitimate IP address makes the traffic more likely to slip past spam filters and email security systems.
Stolen AWS credentials are often found in places that escape routine monitoring. Kaspersky points to public repositories, misconfigured cloud storage, and configuration files that were exposed by accident as common sources.
Once attackers gain control of that infrastructure, the campaign becomes more convincing. The emails can be sent at scale, and they can closely resemble normal business correspondence while hiding their true intent.
DocuSign lure used to capture logins
One campaign identified in early 2026 copied the style of digital signature services such as DocuSign. Recipients were told to review and sign an important document, a message designed to look professional and urgent.
After the link was opened, victims were sent to a fake login page hosted on AWS. The page was built to steal usernames and passwords while the legal-looking cloud setup reduced suspicion.
Attackers also used trusted redirect domains such as amazonaws.com to disguise the malicious link. From the victim’s point of view, the path looked safe enough to click.
Business email compromise is also being enabled
Kaspersky has also seen more Business Email Compromise, or BEC, attacks using hijacked Amazon SES accounts. In those cases, attackers pose as employees or business suppliers and send messages to finance teams.
The emails usually demand urgent payment and include a PDF attachment with new bank account details. Because these messages do not always contain a malicious link, they are often harder for security systems to flag.
That makes the scam effective inside organizations that already trust the apparent sender. The conversation looks like a routine business request, but the real goal is to divert funds to accounts controlled by the attacker.
Roman Dedenok, a Kaspersky anti-spam expert, said the misuse of trusted cloud services such as Amazon SES shows a new stage in phishing. He argued that the threat level rises when attackers can take over legitimate email delivery infrastructure directly.
He also noted that attackers have previously abused popular services such as Google Forms and Google Tasks to spread phishing links. The difference now is that control over a trusted email-sending platform makes the fraud feel far more authentic.
For companies, Kaspersky advises tighter AWS security controls, including limiting access permissions, enabling multi-factor authentication, rotating IAM keys regularly, and running security audits. These steps are meant to prevent official accounts from being used by unauthorized parties.
For everyday users, caution still matters even when an email appears to come from a trusted domain. Any request for login details, important documents, or urgent payment should be verified through a separate communication channel before action is taken.
Source: id.mashable.com






