Cloud Credential Theft: How Attackers Weaponize Amazon SES for Phishing That Bypasses SPF, DKIM, and DMARC + Video

By /

Listen to this Post

Featured Image

Introduction:

Amazon Simple Email Service (SES) is a legitimate, highly trusted cloud email-sending platform used by enterprises for marketing and transactional messages. Attackers now compromise AWS credentials or hijack SES-enabled accounts to send fully authenticated phishing emails—complete with valid SPF, DKIM, and DMARC signatures—causing traditional email filters to treat the malicious messages as legitimate. This technique undermines the very authentication standards designed to stop spoofing, turning trusted cloud infrastructure into a powerful phishing weapon.

Learning Objectives:

  • Understand the attack chain used to compromise Amazon SES credentials and send authenticated phishing emails.
  • Learn to detect unusual SES sending patterns using AWS CloudTrail, GuardDuty, and log analysis.
  • Implement IAM least privilege, MFA, and secret rotation policies to prevent SES abuse.
  • Analyze email headers to differentiate legitimate SES traffic from malicious campaigns.
  • Build incident response steps to revoke compromised access and report abuse to AWS.

You Should Know:

1. The Anatomy of an SES-Based Phishing Attack

Attackers typically gain access to Amazon SES through one of three vectors: leaked IAM user access keys (found on public GitHub or paste sites), spear-phishing of AWS console credentials, or compromised third-party applications with SES permissions. Once inside, they verify a domain or email address (often a lookalike domain like rnicrosoft-support.com), request production access to remove sandbox limits, and then send thousands of authenticated messages.

Step‑by‑step view from an attacker’s perspective (for defensive understanding):

  1. Acquire valid AWS credentials (e.g., `AKIA…` access key and secret key).
  2. Configure AWS CLI on an attacker‑controlled machine (Linux or Windows): 
    Linux / macOS
aws configure
AWS Access Key ID [bash]: AKIAEXAMPLE123456
AWS Secret Access Key [bash]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [bash]: us-east-1
Default output format [bash]: json

Windows (PowerShell) equivalent:

aws configure set aws_access_key_id AKIAEXAMPLE123456
aws configure set aws_secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws configure set region us-east-1

3. Verify a sending domain (attacker uses their own lookalike domain or a compromised legitimate domain):

aws ses verify-domain-identity --domain fake-bank-support.com

4. Request production access (remove sending limits) – often automated via SES API:

aws ses get-send-quota  Shows daily limit (50,000+ after approval)

5. Send a phishing email with full SPF/DKIM/DMARC compliance:

aws ses send-email --from "[email protected]" --destination "[email protected]" --message '{"Subject":{"Data":"Urgent Account Verification"},"Body":{"Html":{"Data":"<a href=\"http://phishing-site.com\">Click here</a>"}}}'

What this accomplishes: The receiving email server checks SPF (authorized by SES IPs), DKIM (signed by SES), and DMARC (aligned) – all pass. The victim sees a seemingly legitimate email from a trusted cloud provider’s infrastructure.

  1. Detecting Compromised SES Usage with CloudTrail & GuardDuty
    AWS CloudTrail records every SES API call. To detect an attacker sending emails or verifying domains, enable CloudTrail in all regions and send logs to CloudWatch Logs or S3.

Step‑by‑step detection guide:

1. Enable CloudTrail (if not already):

aws cloudtrail create-trail --name SES-Monitoring --s3-bucket-name your-cloudtrail-bucket --is-multi-region-trail
aws cloudtrail start-logging --name SES-Monitoring

2. Search for suspicious SES API calls using AWS CLI (requires `jq` for parsing):

 Find SendEmail or SendRawEmail calls from unusual IPs
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SendEmail --max-items 20

Alternatively, use Athena queries on CloudTrail S3 logs:

SELECT eventtime, useridentity.arn, sourceipaddress, requestparameters 
FROM cloudtrail_logs 
WHERE eventsource = 'ses.amazonaws.com' 
AND eventname IN ('SendEmail','SendRawEmail','VerifyDomainIdentity')
ORDER BY eventtime DESC;

3. Set up GuardDuty to automatically detect compromised IAM credentials (GuardDuty finding types like `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration` often precede SES abuse). Enable GuardDuty via CLI:

aws guardduty create-detector --enable

4. Create a CloudWatch Alarm for anomalous sending volume (e.g., >100 emails per hour from an account that normally sends 10/day). Use a custom metric from CloudTrail logs or SES sending statistics.

3. Hardening Your SES Configuration Against Abuse

Prevent an attacker from ever using your SES resources by implementing strict IAM policies, sandbox mode, and sending limits.

Step‑by‑step hardening workflow:

  1. Keep new accounts in sandbox mode – by default, SES sandbox only allows sending to verified email addresses. Do not request production access unless absolutely necessary. 
    aws ses get-account-sending-enabled  Returns true if out of sandbox
  2. Apply least‑privilege IAM – never attach `AmazonSESFullAccess` to user roles. Instead, use custom policies: 
    {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ses:SendRawEmail",
"Resource": "",
"Condition": {
"StringNotEquals": {
"ses:FromAddress": "[email protected]"
}
}
},
{
"Effect": "Deny",
"Action": [
"ses:VerifyDomainIdentity",
"ses:PutIdentityMailFromDomain",
"ses:UpdateAccountSendingEnabled"
],
"Resource": ""
}
]
}
  3. Enforce MFA on all IAM users with console access. Use AWS CLI to list users without MFA: 
    aws iam list-users --query "Users[?PasswordLastUsed!=null]" --output table
Then check each user's MFA devices
aws iam list-mfa-devices --user-name username
  4. Rotate access keys regularly (every 90 days) and delete unused keys: 
    aws iam list-access-keys --user-name username
aws iam update-access-key --access-key-id AKIA... --status Inactive --user-name username
aws iam delete-access-key --access-key-id AKIA... --user-name username
  5. Use AWS Config to enforce that no IAM user has SES write permissions without approval.

4. Analyzing Authenticated Phishing Emails: Header Forensics

When a user receives a suspected phishing email that passed SPF/DKIM/DMARC, digging into the headers reveals it originated from Amazon SES. Learn to extract forensic evidence.

Step‑by‑step header analysis (Linux/macOS):

  1. Save the email as `phish.eml` (raw source). Display headers: 
    cat phish.eml | grep -E "^(From:|Return-Path:|Authentication-Results:|Received:)"
  2. Check SPF/DKIM/DMARC results – look for spf=pass, dkim=pass, dmarc=pass. Even if they pass, examine the `Authentication-Results` header for the sending service: 
    Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 54.240.0.0 as permitted sender)
  3. Identify the originating AWS region from the `Received` chain. SES typically uses `mail-xxx.amazonaws.com` or IP ranges owned by Amazon. Use `dig` to confirm: 
    dig +short 54.240.0.0 | head -1  Returns ec2-54-240-0-0.compute-1.amazonaws.com
  4. Extract the `X-SES-Outgoing` header (present in all SES-sent emails). If missing but other signs point to SES, the attacker stripped it – that itself is suspicious.

5. Windows PowerShell alternative for header parsing:

Get-Content phish.eml | Select-String -Pattern "Authentication-Results|Received: from.amazonaws.com"

What this teaches: Even authenticated emails can be malicious. Always verify the sender’s domain against known legitimate domains and inspect the `Return-Path` – SES often uses a subdomain like mail-xxx.amazonaws.com. Any mismatch with the purported “From” domain indicates abuse.

  1. Mitigating Credential Theft: MFA, Secret Rotation, and Least Privilege
    Most SES compromises result from stolen IAM user access keys. Mitigation focuses on making keys useless to attackers.

Actionable step‑by‑step plan (Windows/Linux cross‑platform):

  1. Enforce MFA for all human IAM users – use AWS CLI to generate MFA policy: 
    aws iam create-policy --policy-name RequireMFAPolicy --policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "",
"Resource": "",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": false}}
}]
}'
  2. Replace long‑term access keys with temporary credentials using AWS SSO or IAM Roles Anywhere. For EC2 instances, use instance profiles – never store keys on disk.
  3. Automate secret rotation with AWS Secrets Manager for applications that need SES API access. Example rotation lambda triggers every 30 days: 
    Pseudocode: Create new IAM user, generate keys, update secret, deactivate old keys
  4. Monitor for leaked keys using AWS Access Analyzer and third‑party tools (GitHub secret scanning). Respond immediately when a key appears in public: 
    aws iam update-access-key --access-key-id LEAKED_KEY_ID --status Inactive
  5. Implement a honey‑token – a dummy IAM user with SES permissions that alerts on any use. Set an SNS topic to trigger on `ses:SendEmail` events from that user.

6. Using AI to Detect Anomalous Sending Patterns

Traditional rule‑based alerts (e.g., “more than 100 emails per hour”) miss adaptive attackers who slowly ramp up volume. Unsupervised machine learning establishes baseline behavior.

Practical approach (no‑code to low‑code):

  1. Enable AWS SES event publishing to CloudWatch or Kinesis Data Firehose. Configure SNS notifications for sending events.
  2. Feed sending metadata (timestamp, source IP via CloudTrail, recipient domains, email size) into Amazon SageMaker or a simple anomaly detection model (e.g., Random Cut Forest).
  3. Use Amazon Lookout for Metrics to continuously detect unexpected changes in sending velocity, reply‑to addresses, or authentication success rates.
  4. For immediate DIY detection on Linux, set up a cron job that compares current hourly send count against a rolling 7‑day average using the AWS CLI: 
    /bin/bash
CURRENT=$(aws ses get-send-statistics --query 'SendDataPoints[bash].DeliveryAttempts' --output text)
BASELINE=$(aws ses get-send-statistics --query 'SendDataPoints[1:7].DeliveryAttempts' --output json | jq 'add / length')
if (( $(echo "$CURRENT > $BASELINE  3" | bc -l) )); then
echo "SES anomaly detected" | mail -s "Alert" [email protected]
fi

  5. Incident Response: What to Do When You Detect SES Abuse
    If you confirm that an attacker sent phishing emails through your SES account, follow this IR checklist.

Immediate steps:

  1. Revoke compromised credentials – deactivate the affected IAM user access keys: 
    aws iam list-access-keys --user-name attacker_compromised_user
aws iam update-access-key --access-key-id AKIA... --status Inactive
  2. Disable SES sending for the entire account (or revoke verified identities): 
    aws ses update-account-sending-enabled --enabled false
or delete the lookalike domain the attacker added
aws ses delete-identity --identity fake-bank-support.com
  3. Preserve evidence – download CloudTrail logs, SES sending statistics, and email samples for future legal action.
  4. Notify affected recipients – if you have recipient email addresses (from SES sending logs), inform them that emails from your domain were malicious.
  5. Report the abuse to AWS via the AWS Abuse Report form (include Message IDs, timestamps, and compromised key ID). AWS will assist with remediation and block the attacker’s infrastructure.
  6. Conduct a post‑mortem – rotate ALL IAM keys, enforce MFA, and implement the hardening steps described in section 3.

What Undercode Say:

  • Trust is the new attack surface – Attackers are not exploiting technical flaws in SPF/DKIM/DMARC; they are abusing the trust placed in cloud providers like Amazon. Your email filters are only as good as the reputation of the sending IP.
  • IAM hygiene is non‑negotiable – A single leaked access key can turn your SES account into a phishing botnet. MFA, short‑lived credentials, and least‑privilege policies are the only effective defenses.
  • Detection requires behavioural baselines – Because authenticated phishing looks legitimate on the wire, you must monitor sending patterns (volume, recipient geography, time‑of‑day anomalies) rather than just email content.
  • CloudTrail is your forensic source of truth – Every SES `SendEmail` call is logged. If you are not actively auditing these logs, you cannot differentiate your marketing team from a threat actor.
  • SES sandbox mode is underutilized – Many organizations request production access “just in case” and never revoke it. Keeping sandbox mode enabled until a clear business need exists blocks 99% of mass phishing abuse.

Prediction:

As AWS SES abuse becomes more common (similar to the evolution of abused Google Workspace and Office 365 tenants), we will see three major shifts by 2027. First, email security vendors will integrate real‑time cloud provider reputation feeds, treating “passed DMARC” as only one signal among many. Second, AWS will introduce mandatory outbound email throttling with risk‑based auto‑suspension, similar to its DDoS protection model. Third, threat actors will begin leveraging AWS SES combined with AI‑generated content (LLM‑written phishing lures) to create hyper‑personalized, authenticated campaigns that evade both technical and human detection. Organizations that fail to move beyond authentication‑based trust will become the primary victims of this evolution.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Varshu25 Attackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: