The Anatomy of an Amazon SES Phishing Campaign: A Step-by-Step Guide for Attackers

Introduction

Phishing attackers constantly seek methods to bypass email security and trick victims into revealing sensitive data. One increasingly popular technique exploits Amazon Simple Email Service (Amazon SES), a legitimate cloud-based email platform. By leveraging trusted infrastructure and authentication protocols, attackers can send phishing emails that appear completely legitimate. This guide breaks down how attackers weaponize Amazon SES, from obtaining access keys to launching massive campaigns that evade detection.

What You Need

• Leaked AWS IAM access keys (found in public GitHub repos, Docker images, ENV files, or S3 buckets)
• Automated secret scanning tools (e.g., TruffleHog) to discover leaked keys
• Access to Amazon SES via the AWS Management Console or CLI
• Custom HTML email templates for crafting convincing phishing messages
• Redirect link infrastructure (e.g., a legitimate-looking domain like amazonaws.com) to mask phishing URLs
• Knowledge of email authentication (SPF, DKIM, DMARC) to ensure delivery

Step-by-Step Guide

1. Step 1: Obtain Leaked AWS IAM Keys

   Attackers first hunt for exposed IAM access keys with SES permissions. These keys are often left in public repositories, configuration backups, or misconfigured S3 buckets. Use automated bots based on tools like TruffleHog to scan GitHub and other sources for key patterns. Once found, verify the keys are still active and have the necessary permissions for SES.

2. Step 2: Verify Permissions and Sending Limits

   After obtaining keys, check the associated IAM user’s policies to ensure they allow ses:SendEmail and ses:SendRawEmail actions. Also examine the SES account’s sending limits (e.g., maximum send rate per second, daily quota). High limits enable larger campaigns without throttling. Use the AWS CLI or SDK to test a single email.

3. Step 3: Configure Amazon SES for Sending

   Set up the SES environment: verify a domain or email address (or use pre-verified ones from compromised accounts), configure custom MAIL FROM domains, and enable DKIM signing. Attackers often use a domain that looks legitimate (e.g., a spoofed variant) but the SES infrastructure ensures SPF and DKIM pass. Even without a custom domain, emails sent via SES include .amazonses.com in Message-ID headers, which security systems trust.

4. Step 4: Craft a Convincing Phishing Email

   Create an HTML email that mimics a trusted brand—common themes include fake notifications from DocuSign, Amazon, or banking services. Use custom HTML templates allowed by SES to replicate branding, logos, and layout. Include a call-to-action button or link that appears legitimate but redirects to a phishing site. For example, a fake DocuSign email might request document signature review.

   

5. Step 5: Mask Phishing URLs with Redirects

   To avoid suspicion, attackers use redirect links that point to seemingly safe domains like amazonaws.com. The link in the email looks like a legitimate AWS URL, but after clicking, the user is redirected to an attacker-controlled phishing page. This bypasses URL reputation filters because the initial domain is trusted.

6. Step 6: Send the Phishing Campaign via SES API

   Using the stolen IAM keys, send emails programmatically via the SES API. Attackers can send thousands of emails per hour, depending on limits. The emails pass all standard authentication checks (SPF, DKIM, DMARC) because they originate from AWS infrastructure. The sender IP addresses are clean, not on blocklists, ensuring high deliverability.

7. Step 7: Collect Stolen Data

   When victims click the link and enter credentials or other sensitive data, the phishing site captures the information. Attackers then monetize or use the data for further attacks. The campaign can be stopped only by revoking the compromised IAM keys or blocking all SES traffic—an impractical measure for most organizations.

Tips for Success

• Use multiple domains: Rotate sender domains to avoid hitting rate limits or triggering pattern detection.
• Keep emails low-volume initially: Start with a small test batch to verify deliverability and avoid AWS abuse reports.
• Monitor key expiration: If keys expire, repeat Step 1 to find fresh leaks.
• Combine with social engineering: Personalize emails using leaked data (e.g., recipient name) to increase click-through rates.
• Layer redirects: Use multiple redirect hops (e.g., legitimate URL → short URL → phishing site) to further obscure the final destination.