Hackers Weaponize Amazon SES to Send 50,000+ Phishing Emails Per Day

A large-scale phishing campaign has been discovered that abuses Amazon Simple Email Service (SES) — a legitimate bulk-email platform — to deliver more than 50,000 malicious emails daily. Attackers are combining the scale and reputation of SES with polished social-engineering and programmatic tooling to evade detection and boost delivery.

Main Takeaways

  • Threat actors are using Amazon SES accounts (often via compromised/abused credentials or misconfigured tenant accounts) to send high-volume phishing and credential-harvesting emails.
  • The campaign can push 50k+ malicious emails per day, increasing reach while blending into legitimate bulk-mail traffic.
  • Attack messages are high-quality, personalized, and frequently use dynamic landing pages or reply-forward chains that evade common filters.

What happened (high level)

Attackers leveraged Amazon SES — a trusted mail-sending service — to distribute large-scale phishing messages. Because SES is a legitimate infrastructure used by many organizations, emails routed through it can bypass reputation-based blocks and achieve higher inbox placement. The campaign’s combination of volume, personalization, and valid sending infrastructure makes it especially effective for credential theft and fraud.

How the campaign works

  • Account abuse & access: Adversaries are obtaining SES sending ability via stolen AWS credentials, abused trial/tenant setups, or by compromising third-party vendors that have SES configured. Once they control an SES identity, they can send from verified domains or subdomains that look legitimate.
  • High-volume, trusted senders: Using SES’s scalability, the attackers can deliver tens of thousands of messages per day without the typical spammer infrastructure fingerprints. This raises the delivery rate and reduces bounce/blacklist signals.
  • Sophisticated lures: Emails use tailored templates, dynamic content, and short-lived landing pages (or disposable hosting) for credential harvesting. Some messages use reply chains or invoice/receipt formats to trick recipients into interacting.
  • Filter evasion: Because messages originate from a reputable mail service and often pass DKIM/SPF checks when attackers control the sending identity, many automated filters and basic heuristics are less effective.

Impact & scale

Researchers observed that the operation can exceed 50,000 malicious emails per day, allowing attackers to massively scale credential-harvesting campaigns and payment-fraud schemes. The use of legitimate cloud email infrastructure complicates takedown and detection efforts.

Detection & mitigation

  • Monitor SES usage: Alert on unusual SES activity (spikes in send volume, new verified identities, new sending regions, or unexpected DKIM/SPF changes). Require multi-factor authentication and restrict IAM permissions for sending.
  • Harden cloud credentials: Enforce least privilege for AWS/IAM roles, rotate keys, enable MFA for console access, and use AWS CloudTrail and AWS Config to detect anomalies.
  • Inspect content & URLs: Use URL reputation and runtime detonation for landing pages; flag short-lived domains and newly minted TLS certs used in credential harvesters.
  • Improve recipient defenses: Train users to verify unexpected requests, enable strong anti-phishing controls (DMARC with a quarantine or reject policy where possible, with BIMI on top of an enforced DMARC policy), and deploy advanced mail-scanning that looks beyond SPF/DKIM to behavioral indicators.
  • Coordinate takedown: If you identify abusive SES identities or hosting, report to AWS abuse with detailed logs (headers, sending identity, timestamps) to speed remediation.
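The "Monitor SES usage" and "Harden cloud credentials" items above describe signals rather than a concrete check. The script below is an added example (not from the article, AWS, or any referenced tool) that runs those checks over two kinds of records a defender can actually collect: SES event-destination "Send" records (for per-hour volume and sender-domain baselining) and CloudTrail management events for the SES API (for new identities, sending-attribute changes, and activity in unexpected regions). All sample records, account ids, domains, the baseline ceiling and the set of "known" identities and regions are constructed placeholders; the `eventName` values are SES API operation names as CloudTrail records them.

```python
"""Toy SES abuse detector over constructed log records.

Added example, not code from the article or from AWS. Inputs it assumes:
  * SES event-destination "Send" records (JSON lines, as published to
    Firehose/SNS/CloudWatch Logs), used for volume and sender baselining;
  * CloudTrail management events with eventSource ses.amazonaws.com, used
    for identity-verification / sending-attribute / new-region alerts.
Every record, domain, account id and threshold below is constructed.
"""
import json
from collections import Counter

# --- baseline the organisation is assumed to have established -------------
KNOWN_IDENTITIES = {"mail.example.com"}      # identities verified on purpose
KNOWN_REGIONS = {"us-east-1"}                # regions where SES is expected
BASELINE_SENDS_PER_HOUR = 500                # historical hourly ceiling (assumed)

# SES API calls that change who can send, or from where (real SES API names).
IDENTITY_CHANGE_EVENTS = {
    "CreateEmailIdentity", "VerifyDomainIdentity", "VerifyEmailIdentity",
    "PutEmailIdentityDkimSigningAttributes", "PutAccountSendingAttributes",
    "CreateConfigurationSet",
}


# --- constructed sample data -------------------------------------------------
def _send_record(minute, source):
    """One constructed SES 'Send' event, shaped like an event-destination record."""
    return json.dumps({"eventType": "Send",
                       "mail": {"timestamp": f"2024-05-01T09:{minute:02d}:00.000Z",
                                "source": source,
                                "sendingAccountId": "123456789012"}})


# 40 normal sends from the known identity, 2400 from an identity nobody approved.
SES_SEND_EVENTS = "\n".join(
    [_send_record(i % 60, "billing@mail.example.com") for i in range(40)]
    + [_send_record(i % 60, "invoice@ses-tenant.example.net") for i in range(2400)])

CLOUDTRAIL_EVENTS = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2024-05-01T08:55:10Z", "eventSource": "ses.amazonaws.com",
     "eventName": "CreateEmailIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-mailer"},
     "requestParameters": {"emailIdentity": "ses-tenant.example.net"}},
    {"eventTime": "2024-05-01T08:57:30Z", "eventSource": "ses.amazonaws.com",
     "eventName": "PutAccountSendingAttributes", "awsRegion": "eu-west-3",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-mailer"},
     "requestParameters": {"sendingEnabled": True}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "awsRegion": "us-east-1",      # benign read
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"},
     "requestParameters": None},
])


# --- detection logic ---------------------------------------------------------
def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def volume_findings(send_events, baseline=BASELINE_SENDS_PER_HOUR,
                    known=KNOWN_IDENTITIES):
    """Flag (hour, sender domain) buckets above baseline and unapproved sender domains."""
    per_hour, domains = Counter(), set()
    for ev in send_events:
        if ev.get("eventType") != "Send":
            continue
        mail = ev["mail"]
        domain = mail["source"].rsplit("@", 1)[-1].lower()
        per_hour[(mail["timestamp"][:13], domain)] += 1   # "YYYY-MM-DDTHH"
        domains.add(domain)
    findings = [{"rule": "send_volume_spike", "hour": h, "domain": d, "count": n}
                for (h, d), n in sorted(per_hour.items()) if n > baseline]
    findings += [{"rule": "unknown_sending_identity", "domain": d}
                 for d in sorted(domains - known)]
    return findings


def cloudtrail_findings(records, known_regions=KNOWN_REGIONS):
    """Flag SES identity/sending changes and any SES API use outside known regions."""
    findings = []
    for r in records:
        if r.get("eventSource") != "ses.amazonaws.com":
            continue
        actor = r.get("userIdentity", {}).get("arn", "?")
        if r["eventName"] in IDENTITY_CHANGE_EVENTS:
            findings.append({"rule": "ses_identity_or_sending_change",
                             "event": r["eventName"], "actor": actor,
                             "region": r["awsRegion"],
                             "params": r.get("requestParameters")})
        if r["awsRegion"] not in known_regions:
            findings.append({"rule": "ses_activity_in_new_region",
                             "event": r["eventName"], "actor": actor,
                             "region": r["awsRegion"]})
    return findings


def analyze(send_jsonl, trail_jsonl):
    """Run both detectors and return the combined list of findings."""
    return volume_findings(parse_jsonl(send_jsonl)) + cloudtrail_findings(parse_jsonl(trail_jsonl))


if __name__ == "__main__":
    for f in analyze(SES_SEND_EVENTS, CLOUDTRAIL_EVENTS):
        print(json.dumps(f))
```

On the constructed data this reports five findings: a volume spike of 2400 sends in one hour from `ses-tenant.example.net`, that domain as an unapproved sending identity, the `CreateEmailIdentity` call that verified it, the `PutAccountSendingAttributes` call, and the fact that the latter came from a region (`eu-west-3`) where SES is not expected. In a real deployment the baseline and known sets would come from historical event-destination data and an inventory of approved identities, and the CloudTrail actor ARN is the pivot for the credential-rotation and IAM review recommended above.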

Final note

This campaign underscores a growing trend: attackers prefer abusing trusted cloud platforms to improve delivery and evade traditional defenses. Defenders should shift from solely relying on sender reputation to combining infrastructure monitoring, cloud security hygiene, and content-aware detection.
