Full Report
Cybersecurity firm Kaspersky reports that the Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. [...]
Analysis Summary
# Tool/Technique: Amazon SES Abuse for Phishing
## Overview
Threat actors are increasingly exploiting the Amazon Simple Email Service (SES) to distribute high-quality phishing and Business Email Compromise (BEC) messages. Because the mail is sent from legitimate AWS infrastructure, it passes the standard authentication checks (SPF, DKIM, DMARC), slips past traditional reputation-based security filters, and makes IP-based blocking impractical for defenders, since blocking Amazon's ranges would also block legitimate mail.
## Technical Details
- **Type**: Technique (Service Abuse) / Attack Framework (Automated Credential Harvesting)
- **Platform**: Cloud (AWS), Cross-platform (Email)
- **Capabilities**: High-volume email distribution, automated credential validation, bypass of email authentication protocols (SPF/DKIM/DMARC).
- **First Seen**: Historically observed; current spike reported May 2024.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
  - [T1566.003 - Phishing: Spearphishing Attachment]
- **[TA0006 - Credential Access]**
  - [T1552.001 - Unsecured Credentials: Credentials In Files]
- **[TA0042 - Resource Development]**
  - [T1585.002 - Establish Accounts: Email Accounts]
## Functionality
### Core Capabilities
- **Authentication Bypass**: Emails sent via SES are signed with Amazon's DKIM keys and originate from Amazon's SPF-authorized ranges, so they pass SPF, DKIM, and DMARC alignment checks instead of being flagged by them.
- **Reputation Leveraging**: Exploits the high sender reputation of Amazon's IP ranges to avoid "Junk" or "Spam" folders.
- **Automated Discovery**: Attackers use botnets to scan public assets (GitHub repositories, Docker images, S3 buckets, `.env` files) for leaked AWS IAM access keys.
### Advanced Features
- **BEC Thread Hijacking**: Fabrication of entire email threads to provide false context for fraudulent invoices.
- **Legitimate Hosting**: Links within the emails often lead to phishing pages also hosted on AWS (e.g., S3 or EC2), further increasing the perceived legitimacy.
- **Permission Validation**: Automated scripts (often utilizing TruffleHog) verify the specific permissions and sending limits of stolen keys before deploying campaigns.
## Indicators of Compromise
*Note: Because this technique uses legitimate infrastructure, Indicators are often campaign-specific rather than service-wide.*
- **Network Indicators (Defanged)**:
  - `amazonses[.]com` (legitimate domain that appears in headers)
  - `s3[.]amazonaws[.]com` (used for hosting phishing landing pages)
- **Behavioral Indicators**:
  - Spikes in email volume originating from internal IAM users not traditionally associated with marketing or notifications.
  - Creation of new SES "Identities" or verified domains/emails within an AWS account.
  - API calls to `ses:SendEmail` or `ses:SendRawEmail` from unusual IP addresses or at unusual times.
## Associated Threat Actors
- **General Cybercriminals**: Large-scale phishing operations.
- **BEC Groups**: Targeted actors focusing on finance departments via invoice fraud.
- **Note**: Specific named groups were not identified in the report, though the activity is widespread.
## Detection Methods
- **Signature-based detection**: Signatures for the emails themselves are of limited use, since they come from legitimate infrastructure; instead, security tools can scan for exposed AWS keys (a regex for the `AKIA...` access key ID prefix) in public repositories and internal logs.
- **Behavioral detection**:
  - Monitoring for anomalous AWS API activity via CloudTrail (e.g., `GetSendQuota`, `VerifyEmailIdentity`).
  - Analysis of "Reply-To" headers that mismatch the "From" header (common in SES-based BEC).
- **Tooling**: Use of **TruffleHog** or **git-secrets** to detect leaked credentials before attackers do.
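The behavioral indicators and detection methods above can be turned into two concrete checks: one over CloudTrail records (SES send, identity-creation and quota-check events from sources outside an allow-list) and one over message headers (Reply-To domain differing from the From domain). The following is an added example written for this summary, not code from Kaspersky or AWS. The CloudTrail events, the allow-listed CIDR, the user names and the sample message are all constructed, and the grouping of event names into "recon", "identity" and "send" sets is an assumption to be tuned per environment.

```python
"""Added example: flag the SES indicators described above in CloudTrail
records and in message headers. All inputs below are constructed samples."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: source ranges from which this organisation's own
# mail pipeline is expected to call SES. Anything else counts as "unusual".
APPROVED_SES_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# CloudTrail eventName values grouped by what they usually mean when a stolen
# key is being tested (quota/permission checks), prepared (new identities)
# or used (sending). Assumed starting lists, extend as needed.
RECON_EVENTS = {"GetSendQuota", "GetAccount", "ListIdentities"}
IDENTITY_EVENTS = {"VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity"}
SEND_EVENTS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail"}


def _source_is_approved(source_ip_field):
    """CloudTrail's sourceIPAddress may be a DNS name for AWS-internal calls;
    those never match the allow-list."""
    try:
        addr = ipaddress.ip_address(source_ip_field)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_SES_SOURCES)


def triage_cloudtrail(events):
    """Return (severity, reason) pairs for suspicious SES API activity."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        src = ev.get("sourceIPAddress", "")
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        approved = _source_is_approved(src)
        if name in SEND_EVENTS and not approved:
            findings.append(("high", f"{name} by {user} from unapproved source {src}"))
        elif name in IDENTITY_EVENTS:
            findings.append(("high", f"new SES identity via {name} by {user}"))
        elif name in RECON_EVENTS and not approved:
            findings.append(("medium", f"{name} by {user} from {src}: possible key testing"))
    return findings


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def reply_to_mismatch(raw_message):
    """True when Reply-To points at a different domain than From."""
    msg = message_from_string(raw_message)
    reply_domain = _domain(msg.get("Reply-To"))
    return bool(reply_domain) and reply_domain != _domain(msg.get("From"))


# Constructed CloudTrail-style records: a CI key used from an unknown address
# to check quota, register an identity and then send, plus benign noise.
SAMPLE_EVENTS = [
    {"eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "ci-deploy"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "VerifyEmailIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "ci-deploy"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendRawEmail",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "ci-deploy"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "notifications"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "ci-deploy"}},
]

# Constructed BEC-style message: From on one domain, replies routed elsewhere.
SAMPLE_EMAIL = (
    'From: "Accounts Payable" <billing@example.com>\n'
    "Reply-To: ap-invoices@example.net\n"
    "Subject: Invoice 4471 overdue\n\n"
    "Please see the attached invoice.\n"
)

if __name__ == "__main__":
    for severity, reason in triage_cloudtrail(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
    print("Reply-To mismatch:", reply_to_mismatch(SAMPLE_EMAIL))
```

On the sample data the triage yields one medium finding (the quota check) followed by two high findings (identity creation, then sending), which is the "test the key, prepare, send" sequence the summary describes; the approved `notifications` send and the S3 event are ignored. The header check deliberately compares domains rather than full addresses, since a different mailbox on the same domain is routine.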
## Mitigation Strategies
- **Least Privilege**: Restrict IAM permissions; ensure that only necessary users have `ses:SendEmail` rights.
- **Credential Hygiene**: Implement regular rotation of AWS Access Keys and delete unused credentials.
- **Multi-Factor Authentication (MFA)**: Enforce MFA for all IAM users accessing the AWS Console.
- **Infrastructure Lock-down**: Apply IP-based access policies (IAM condition keys such as `aws:SourceIp`) so that SES API calls are only accepted from approved source ranges.
- **Secret Scanning**: Implement automated scanning of CI/CD pipelines and public repositories to prevent credential leakage.
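To make the least-privilege and lock-down items concrete, the following added example (written for this summary, not an AWS or Kaspersky artifact) contrasts a permissive IAM policy with one that grants only the two send actions, scopes them to a single verified identity and conditions them on `aws:SourceIp`. A small evaluator, which implements only the subset of IAM semantics needed here (explicit deny, allow, implicit deny, and the `IpAddress` operator), shows the effect of the condition; the account ID, identity ARN and CIDR are placeholders.

```python
"""Added example: a permissive SES policy beside a least-privilege, IP-restricted
one, with a toy evaluator for the condition logic. Placeholder values only."""
import fnmatch
import ipaddress
import json

# Placeholders, not a real account or identity.
ACCOUNT_ID = "123456789012"
IDENTITY_ARN = f"arn:aws:ses:us-east-1:{ACCOUNT_ID}:identity/example.com"
OFFICE_CIDR = "203.0.113.0/24"

# Weak: any SES action on any identity, from anywhere. A leaked key with this
# policy can verify new identities, read quotas and send at full volume.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
}

# Hardened: only the two send actions, only for one verified identity, and
# only when the call originates inside the approved range.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": IDENTITY_ARN,
            "Condition": {"IpAddress": {"aws:SourceIp": [OFFICE_CIDR]}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_condition_met(statement, source_ip):
    """Only the IpAddress/aws:SourceIp operator is modelled here."""
    cidrs = _as_list(statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
    if not cidrs:
        return True  # no IP condition on this statement
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(policy, action, resource, source_ip):
    """Toy IAM evaluation: explicit Deny wins, then Allow, else implicit Deny.
    Real evaluation also involves SCPs, resource and session policies."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _ip_condition_met(st, source_ip):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "VerifyEmailIdentity from outside:",
              evaluate(policy, "ses:VerifyEmailIdentity", "*", "198.51.100.7"))
        print(label, "SendEmail from outside:",
              evaluate(policy, "ses:SendEmail", IDENTITY_ARN, "198.51.100.7"))
        print(label, "SendEmail from office:",
              evaluate(policy, "ses:SendEmail", IDENTITY_ARN, "203.0.113.5"))
```

Under the hardened policy a stolen key is denied both the identity-creation call and any send from outside the approved range, so the key-testing and sending steps in the summary fail even if the credential leaks. One caveat when applying this for real: `aws:SourceIp` is not populated for requests that arrive through a VPC endpoint, so workloads calling SES from inside a VPC need the VPC-oriented condition keys instead, and the allow-list has to cover every legitimate sender.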
## Related Tools/Techniques
- **TruffleHog**: Open-source secret scanning tool used by both defenders and attackers.
- **SaaS Phishing**: Similar abuse seen in Microsoft 365 and Google Workspace to leverage "known-good" sender reputations.
- **Living off the Cloud (LotC)**: The broader trend of using legitimate cloud services for malicious infrastructure.
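The regex-based key detection mentioned under Detection Methods and the secret-scanning mitigation both come down to the same pattern match that TruffleHog and git-secrets apply. The block below is an added, simplified stand-in written for this summary, not code from either tool: it scans a set of files for AWS access key IDs (the `AKIA` prefix the summary names, plus the `ASIA` prefix used by temporary credentials, which is an extension beyond the text) and for secret access keys sitting next to a key-like variable name, and redacts what it reports. The file contents are constructed; the key and secret values are the public examples from AWS documentation, not live credentials.

```python
"""Added example: a minimal pre-commit / CI secret scanner for AWS credentials.
File contents below are constructed; the credential values are AWS's public
documentation examples."""
import re

# Access key IDs are 20 characters: a 4-letter prefix plus 16 upper-case
# alphanumerics. AKIA = long-term IAM user key (what the summary refers to);
# ASIA = temporary STS credential (added here as a generalisation).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A bare 40-character secret is too generic to match on its own, so only flag
# it when it is assigned to something that looks like an AWS secret variable.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep enough of the value to correlate with IAM, never the whole key."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return findings for one file as dicts with path, line, kind, redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": line_no,
                             "kind": "aws_access_key_id", "redacted": redact(match.group(1))})
        for match in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": line_no,
                             "kind": "aws_secret_access_key", "redacted": redact(match.group(1))})
    return findings


def scan_files(files):
    """files: mapping of path -> text, e.g. the staged files in a pre-commit hook."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository snapshot: a committed .env with real-looking
# credentials, normal application code, and prose that mentions the prefix.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app.py": "client = boto3.client('ses', region_name='us-east-1')\n# keys come from the instance role\n",
    "notes.txt": "AKIA is the access key prefix; this line is not a key.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the commit/pipeline
```

Wiring `scan_files` into a pre-commit hook or a CI step that fails the build on any finding closes the window the summary describes, in which attackers find the key in a public repository before the owner does. The real tools go further: TruffleHog also attempts to verify each candidate against the provider, and git-secrets installs itself as a git hook, so this block should be read as the matching logic only.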