- Attackers hijack exposed AWS credentials to send large-scale phishing emails via Amazon SES.
- Malicious messages bypass SPF, DKIM and DMARC checks and land directly in inboxes.
- Researchers warn that this trend is growing, calling for stricter IAM and key management practices.
Amazon Simple Email Service (SES) is being abused to launch a “massive volume” of phishing attacks that easily bypass current defenses and expose victims to the risk of credential and identity theft.
Security researchers at Kaspersky have sounded the alarm in a new report, which notes: “Specifically, we have recently observed an increase in phishing attacks leveraging Amazon SES.”
Attackers start by stealing exposed AWS credentials. Using TruffleHog (or similar utilities), they scan publicly available GitHub repositories, .env files, Docker images, backups, and S3 buckets at scale, looking for login information for Amazon Web Services.
Pass all checks
Once found, they analyze permissions and email delivery capabilities: “After checking the key permissions and email sending limits, attackers are equipped to distribute a massive volume of phishing messages,” Kaspersky said.
The messages are carefully crafted, containing custom HTML templates that mimic legitimate services and very realistic login flows. Themes vary from fake DocuSign documents to Business Email Compromise (BEC) campaigns.
Because Amazon SES is itself a legitimate service, the attackers’ emails pass authentication checks such as SPF, DKIM, and DMARC, so the malicious messages are delivered directly to users’ inboxes. IP blocking doesn’t work either, since it would block all email sent through Amazon SES.
“Phishing via Amazon SES is moving from isolated incidents to a continuing trend,” Kaspersky warned. “By weaponizing this service, attackers avoid creating questionable domains and email infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to distribute thousands of phishing emails.”
To mitigate risks, Kaspersky recommends users implement the principle of least privilege when configuring IAM access. They also recommend switching from IAM access keys to roles when configuring AWS and enabling multi-factor authentication.
IP-based access restrictions must be configured, as well as automated key rotation. Finally, users should use AWS Key Management Service to encrypt data and manage keys from a centralized location.
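As an added example (not from Kaspersky's report or this article), the sketch below looks for the limit-checking step described above in CloudTrail-style records: SES calls that reveal sending limits, made from outside your own address ranges. The API names in `LIMIT_CHECKS`, the allowed range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: SES calls that reveal sending limits and verified identities.
LIMIT_CHECKS = {"GetSendQuota", "GetAccount", "ListIdentities"}
# Assumption: egress ranges of your own senders (documentation-range placeholder).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed CloudTrail-style records, not real log data.
SAMPLE = json.loads("""[
 {"eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"203.0.113.45",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}},
 {"eventSource":"ses.amazonaws.com","eventName":"ListIdentities","sourceIPAddress":"203.0.113.45",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}},
 {"eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"198.51.100.10",
  "userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLEKEY000002"}},
 {"eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.45",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}},
 {"eventSource":"ses.amazonaws.com","eventName":"GetAccount","sourceIPAddress":"ses.amazonaws.com",
  "userIdentity":{"type":"AWSService"}}
]""")

def off_network_limit_checks(records):
    """Group SES limit-check calls made from outside ALLOWED_NETS by access key."""
    hits = defaultdict(lambda: {"calls": set(), "ips": set()})
    for rec in records:
        if rec.get("eventSource") != "ses.amazonaws.com" or rec.get("eventName") not in LIMIT_CHECKS:
            continue
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS-internal callers log a hostname instead of an IP
        if any(ip in net for net in ALLOWED_NETS):
            continue
        key_id = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        hits[key_id]["calls"].add(rec["eventName"])
        hits[key_id]["ips"].add(str(ip))
    # AKIA marks a long-term IAM user key, ASIA a temporary role credential.
    return {k: {"calls": sorted(v["calls"]), "ips": sorted(v["ips"]),
                "long_term_key": k.startswith("AKIA")} for k, v in hits.items()}

if __name__ == "__main__":
    print(json.dumps(off_network_limit_checks(SAMPLE), indent=2))
```

A long-term key that shows up here is a candidate for immediate rotation and for replacement with a role, in line with the recommendations above.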




