14 May 2026 (The Capital Post) — Kaspersky has warned organisations and users of a growing wave of phishing and business email compromise (BEC) attacks exploiting compromised Amazon Simple Email Service (SES) accounts to distribute malicious emails through trusted infrastructure.
According to Kaspersky researchers, cybercriminals are abusing Amazon SES, a cloud-based email service widely used by businesses and developers for marketing, notification and transactional emails, to send phishing messages that appear highly legitimate. Since the emails originate from reputable IP addresses and often contain genuine “.amazonses.com” identifiers, they are difficult to distinguish from authentic business correspondence.
The cybersecurity company revealed that attackers are exploiting leaked Amazon Web Services (AWS) Identity and Access Management (IAM) keys, which are commonly exposed through public repositories, misconfigured cloud storage and unsecured configuration files. Threat actors reportedly use automated tools to identify valid credentials before abusing them to launch large-scale phishing campaigns through Amazon’s trusted infrastructure.
Kaspersky stated that attackers often disguise malicious links behind legitimate-looking domains such as amazonaws.com while creating convincing HTML email templates to trick victims into revealing sensitive information.
One phishing campaign detected in early 2026 involved emails impersonating document-signing platform DocuSign. Victims were instructed to review and sign documents before being redirected to fraudulent login pages hosted on Amazon Web Services infrastructure designed to steal user credentials.
Researchers also uncovered several business email compromise attacks conducted through Amazon SES, where cybercriminals impersonated employees and created fake email threads involving suppliers. These emails, usually targeting finance departments, requested urgent payments and included PDF attachments containing banking details without malicious links, making detection more difficult.
-Advertisement-
Roman Dedenok, Anti-Spam Expert at Kaspersky, said the abuse of Amazon SES demonstrates a more advanced evolution of phishing tactics compared to previous scams involving trusted platforms such as Google Tasks and Google Forms.
He explained that instead of merely relying on built-in notification systems, attackers are now compromising cloud credentials to gain direct control over legitimate email-sending infrastructure, enabling them to scale attacks and customise phishing messages that closely resemble real business communications.
To reduce risks, Kaspersky advised organisations to strengthen AWS security by minimising permissions, replacing static IAM keys with roles, enabling multi-factor authentication, restricting access and conducting regular credential audits.
The company also urged users to remain cautious when receiving unexpected emails, even if they appear to originate from legitimate services, and to verify requests through separate communication channels before clicking links or sharing credentials.
Founded in 1997, Kaspersky is a global cybersecurity and digital privacy company providing security solutions and services for individuals, businesses, governments and critical infrastructure worldwide. – The Capital Post
