Amazon SES phishing and BEC abuse campaign
Campaign
Summary
A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are using exposed AWS credentials and related secrets found in public or leaked sources to validate permissions and send messages through legitimate infrastructure. The observed lures include DocuSign-style notifications and business email compromise messages built around fake invoices. The campaign is notable because it repurposes trusted cloud email services to make phishing harder to detect and block.
Related Happenings
AWS exposed-key hardening guidance for Amazon SES phishing abuse
Defensive Guidance
First: 04.05.2026 23:03
Last: 04.05.2026 23:03
Sources 1
How related:
Kaspersky recommends that companies restrict IAM permissions based on the “least privilege” principle, enable multi-factor authentication, regularly rotate keys, and apply IP-based access restrictions and encryption controls.
About this happening:
**Kaspersky** urged organizations to harden **AWS IAM** and credential handling after **exposed access keys** were linked to phishing delivery through **Amazon SES**, reducing the...
Silent subject/null subject phishing campaign targeting executives and privileged users
Campaign
First: 22.04.2026 16:00
Last: 22.04.2026 16:00
Sources 1
About this happening:
A **widespread silent subject/null subject phishing campaign** is sending subject-less emails to **high-value users**, raising the risk of **credential theft** and follow-on **lat...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
First: 01.04.2026 15:36
Last: 01.04.2026 15:36
Sources 1
About this happening:
**Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Timeline
04.05.2026 23:03 2 articles · 22d ago
Security researchers report Amazon SES abuse for phishing and BEC
Technical Analysis Update: Security researchers observed an uptick in phishing activity abusing Amazon Simple Email Service (SES), where exposed AWS credentials from GitHub repositories, .ENV files, Docker images, backups, and public S3 buckets were used to validate sending permissions and distribute convincing DocuSign-style lures and BEC invoices that could bypass SPF, DKIM, and DMARC checks.
Sources:
- Researchers report Amazon SES abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
04.05.2026 23:03 2 articles · 22d ago
Kaspersky discloses Amazon SES phishing abuse
Initial Disclosure: Kaspersky describes an uptick in phishing attacks leveraging Amazon Simple Email Service (SES), with attackers abusing exposed AWS Identity and Access Management access keys from GitHub repositories, .ENV files, Docker images, backups, and publicly accessible S3 buckets to validate permissions and send convincing emails that bypass SPF, DKIM, and DMARC. The observed lures include fake DocuSign notifications that lead victims to AWS-hosted phishing pages and business email compromise messages with fake invoices aimed at finance departments.
Sources:
- Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03