AWS exposed-key hardening guidance for Amazon SES phishing abuse
Defensive Guidance
Summary
Hide ▲
Show ▼
Kaspersky urged organizations to harden AWS IAM and credential handling after exposed access keys were linked to phishing delivery through Amazon SES, reducing the risk of unauthorized email abuse and convincing lures. The recommended controls are least privilege, multi-factor authentication, regular key rotation, and IP-based access restrictions.
Related Happenings
Amazon SES phishing and BEC abuse campaign
Campaign
First: 04.05.2026 23:03
Last: 04.05.2026 23:03
Sources 1
How related:
Kaspersky reports that the Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.
About this happening:
A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...
Amazon SES phishing and BEC abuse campaign
CampaignHow related: Kaspersky reports that the Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.
About this happening: A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...
CISA and NCSC-UK China-nexus covert device networks advisory
Advisory/Mitigation
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
**CISA** and **NCSC-UK** released a new advisory warning organizations about **Chinese government-linked** covert networks built from **compromised devices**. The guidance says we...
CISA and NCSC-UK China-nexus covert device networks advisory
Advisory/MitigationAbout this happening: **CISA** and **NCSC-UK** released a new advisory warning organizations about **Chinese government-linked** covert networks built from **compromised devices**. The guidance says we...
Halcyon automotive ransomware mitigation guidance
Advisory/Mitigation
First: 16.04.2026 11:35
Last: 16.04.2026 11:35
Sources 1
About this happening:
**Halcyon** urged **automotive sector IT teams** to harden their environments against a **ransomware threat** that is pressuring carmakers and their suppliers. The guidance priori...
Halcyon automotive ransomware mitigation guidance
Advisory/MitigationAbout this happening: **Halcyon** urged **automotive sector IT teams** to harden their environments against a **ransomware threat** that is pressuring carmakers and their suppliers. The guidance priori...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
-
04.05.2026 23:03 2 articles · 22d ago
AWS hardening guidance for Amazon SES phishing abuse
Technical Analysis UpdateKaspersky said Amazon Simple Email Service (SES) is being abused to send convincing phishing emails that bypass standard security filters and reputation-based blocks, with attackers finding exposed AWS credentials in GitHub repositories, .ENV files, Docker images, backups, and public S3 buckets, using TruffleHog-based bots to verify permissions before sending DocuSign-style notifications and business email compromise invoices; the guidance is to restrict AWS Identity and Access Management permissions with least privilege, enable multi-factor authentication, rotate keys regularly, and apply IP-based access restrictions and encryption controls, while Amazon pointed to security guidance on exposed credentials and the AWS Trust & Safety reporting path for abusive activity.
Show sources
- Researchers report Amazon SES abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- Researchers report Amazon SES abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03