Full Report
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. [...]
Analysis Summary
# Tool/Technique: Amazon SES Phishing Abuse
## Overview
Amazon Simple Email Service (SES) is a legitimate cloud-based email sending service. Threat actors are increasingly abusing this platform to distribute high-volume phishing and Business Email Compromise (BEC) campaigns. By leveraging the high reputation of Amazon’s infrastructure, attackers can bypass traditional email security filters and reputation-based blocks.
## Technical Details
- **Type**: Technique (Abuse of Cloud Infrastructure)
- **Platform**: Cross-platform (Email-based)
- **Capabilities**: High-deliverability phishing, BEC, bypassing SPF/DKIM/DMARC filters.
- **First Seen**: Increased activity noted in May 2024 (per Kaspersky report).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566.002 - Phishing: Spearphishing Link]**
- **[TA0006 - Credential Access]**
- **[T1552.001 - Unsecured Credentials: Private Keys]** (Discovery of AWS IAM keys)
- **[TA0007 - Discovery]**
- **[T1580 - Cloud Infrastructure Discovery]**
- **[TA0042 - Resource Development]**
- **[T1585.002 - Establish Accounts: Email Accounts]** (Abusing legitimate SES accounts)
## Functionality
### Core Capabilities
- **Authentication Bypass**: Emails sent via Amazon SES automatically pass SPF, DKIM, and DMARC checks because they originate from verified Amazon infrastructure.
- **Reputation Leveraging**: Exploits the trusted "allow-list" status of Amazon IP ranges, making IP-based blacklisting ineffective without causing significant collateral damage.
- **Automated Secret Harvesting**: Attackers use tools like TruffleHog to scan GitHub repositories, `.env` files, and S3 buckets for leaked AWS IAM credentials.
### Advanced Features
- **Fabricated BEC Threads**: Attackers generate realistic, multi-turn email conversations to increase the perceived legitimacy of invoice requests.
- **HTML Templating**: Use of high-quality HTML templates mimicking DocuSign or corporate login portals.
- **Permission Validation**: Automated scripts verify the "sending limits" and "permissions" of stolen IAM keys before launching mass campaigns.
## Indicators of Compromise
- **File Hashes**: N/A (Cloud-based execution)
- **File Names**: `.env` (often targeted for credential harvesting)
- **Network Indicators**:
  - `email-smtp[.]us-east-1[.]amazonaws[.]com` (Legitimate SES endpoint used maliciously)
  - `amazonses[.]com` (In headers)
- **Behavioral Indicators**:
  - Discovery of `TruffleHog` activity in developer environments.
  - Sudden spikes in SES egress traffic from non-standard IAM users.
  - Verification of SES permissions immediately following an IAM key creation or leak.
## Associated Threat Actors
- Various opportunistic cybercriminals and BEC groups.
- Recent campaigns targeting Office 365 credentials using stolen SES tokens.
## Detection Methods
- **Behavioral Detection**: Monitor AWS CloudTrail for `SendEmail` or `SendRawEmail` API calls originating from unexpected IP addresses or unusual times.
- **Content Analysis**: Inspect the `Return-Path` and `X-SES-Outgoing` headers, which identify the SES origin even when the `From` address is spoofed.
- **URL Inspection**: Scan for redirects within emails that lead to AWS-hosted phishing pages (S3 buckets or EC2 instances).
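As an added example that is not part of the original report, the behavioral detection above and the "permission validation after key creation" indicator applied to constructed CloudTrail records in Python. It assumes the SES send and quota API calls are present in your CloudTrail log (SES data-plane calls may require data-event logging to be enabled); the trusted egress CIDRs, user names and key IDs are made-up sample values.

```python
import ipaddress
from datetime import datetime, timedelta

SES_SEND_APIS = {"SendEmail", "SendRawEmail"}
SES_QUOTA_APIS = {"GetSendQuota", "GetAccount"}  # classic and v2 calls used to check what a key may send

# Constructed sample CloudTrail records (field names follow the CloudTrail schema; values are made up):
# a new key is created, its SES quota is probed minutes later, then sending starts from an unknown IP.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-06T09:12:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.10",
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000001"}}},
    {"eventTime": "2024-05-06T09:20:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-06T09:21:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendRawEmail",
     "userIdentity": {"userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-06T10:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"userName": "app-mailer", "accessKeyId": "AKIAEXAMPLE0000002"}, "sourceIPAddress": "10.0.4.21"},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_ses_abuse(events, trusted_cidrs, window_minutes=60):
    """Return findings: SES sends from outside trusted egress ranges, and quota checks soon after key creation."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    key_created = {}  # accessKeyId -> creation time, learned from IAM CreateAccessKey responses
    findings = []
    for ev in sorted(events, key=_ts):
        name, ident = ev["eventName"], ev.get("userIdentity", {})
        if ev["eventSource"] == "iam.amazonaws.com" and name == "CreateAccessKey":
            key_id = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if key_id:
                key_created[key_id] = _ts(ev)
        elif ev["eventSource"] == "ses.amazonaws.com" and name in SES_SEND_APIS:
            try:  # sourceIPAddress can be a service DNS name rather than an IP; skip those for this rule
                ip = ipaddress.ip_address(ev["sourceIPAddress"])
            except ValueError:
                ip = None
            if ip is not None and not any(ip in n for n in nets):
                findings.append({"rule": "ses_send_from_untrusted_ip", "eventName": name,
                                 "user": ident.get("userName"), "sourceIP": str(ip)})
        elif ev["eventSource"] == "ses.amazonaws.com" and name in SES_QUOTA_APIS:
            created = key_created.get(ident.get("accessKeyId"))
            if created and _ts(ev) - created <= timedelta(minutes=window_minutes):
                findings.append({"rule": "quota_check_after_key_creation", "eventName": name,
                                 "user": ident.get("userName"), "accessKeyId": ident.get("accessKeyId")})
    return findings
```

Feed the function your own exported CloudTrail events and your organisation's egress ranges; the window is deliberately short because a leaked key is typically tested within minutes of its creation or exposure.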
## Mitigation Strategies
- **IAM Hardening**: Strictly enforce the Principle of Least Privilege (PoLP); limit which IAM users have `ses:SendEmail` permissions.
- **Credential Hygiene**: Implement automated secret scanning (e.g., GitHub Secret Scanning) to prevent AWS keys from being committed to repositories.
- **Multi-Factor Authentication**: Enforce MFA for all AWS console and programmatic access where possible.
- **Key Rotation**: Regularly rotate IAM access keys and delete unused credentials.
- **Monitoring**: Set up Amazon CloudWatch alarms for SES "Bounce" and "Complaint" rates, which often spike during phishing campaigns.
## Related Tools/Techniques
- **TruffleHog**: Open-source tool used for finding secrets in repositories.
- **S3 Bucket Exposure**: A common source of the initial credential leaks.
- **BEC (Business Email Compromise)**: The primary objective of the reported SES abuse.