Full Report
Kaspersky expert breaks down a new phishing scheme that uses the Amazon SES cloud email service. Let's look at some examples to see how you can tell a phishing email from a real one.
Analysis Summary
# Tool/Technique: Amazon SES Phishing & BEC Orchestration
## Overview
Threat actors are increasingly leveraging **Amazon Simple Email Service (SES)**, a cloud-based bulk emailing platform, to bypass traditional email security filters. By using a legitimate, high-reputation service like Amazon SES, attackers can ensure high deliverability rates for phishing and Business Email Compromise (BEC) campaigns. The primary purpose is to cloak malicious intent behind trusted AWS infrastructure and validated SPF/DKIM records.
## Technical Details
- **Type:** Technique / Infrastructure Abuse
- **Platform:** Cross-platform (Email-based)
- **Capabilities:** High-volume email delivery, reputation hijacking, bypass of IP-based blacklists.
- **First Seen:** Technique identified as a rising trend in early 2024 (Kaspersky research).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566.002 - Phishing: Spearphishing Link]**
- **[TA0042 - Resource Development]**
- **[T1583.003 - Acquire Infrastructure: Virtual Private Server]** (SES usage)
- **[T1585.002 - Establish Accounts: Email Accounts]**
- **[TA0007 - Discovery]**
- **[T1589.002 - Gather Victim Identity Information: Email Addresses]**
## Functionality
### Core Capabilities
- **Reputation Leveraging:** Uses Amazon's trusted IP ranges to ensure emails land in the "Inbox" rather than "Spam."
- **Authentication Alignment:** Automatically provides valid SPF and DKIM signatures, which many security gateways use as a primary trust signal.
- **Scalability:** Enables attackers to send thousands of phishing emails with minimal infrastructure maintenance.
### Advanced Features
- **URL Redirection:** Usage of trusted cloud-hosted links (often within the AWS ecosystem) to redirect to malicious credential harvesting sites.
- **Dynamic Content:** Ability to use SES templates to customize phishing lures for specific targets, increasing the efficacy of BEC attempts.
- **Header Manipulation:** Spoofing the "From" display name while maintaining a technically "legitimate" envelope from address (e.g., `amazonses.com`).
## Indicators of Compromise
- **Network Indicators:**
- `amazonses[.]com` (Envelope sender domain)
- `*.amazonses[.]com`
- Legitimate Amazon SES IP ranges (Note: These cannot be blocked outright as they host legitimate traffic).
- **Behavioral Indicators:**
- Emails where the "Header From" address (e.g., `ceo@victimcompany[.]com`) does not match the "Envelope From" (`*.amazonses.com`).
- Presence of SES-specific headers such as `X-SES-Outgoing`.
- Notification links that redirect through intermediate tracking domains before reaching a login page.
## Associated Threat Actors
- Generic BEC fraud rings.
- Various Phishing-as-a-Service (PhaaS) providers.
- Commodity malware distributors (e.g., those distributing AgentTesla or Remcos via malicious links).
## Detection Methods
- **Signature-based detection:** Flagging emails where the `Message-ID` contains `amazonses.com` but the display sender claims to be a well-known brand (Microsoft, DHL, etc.) or internal staff.
- **Behavioral detection:** Monitoring for mismatched "friendly" From addresses and technical "envelope" From addresses.
- **Header Analysis:** Inspecting `Feedback-ID` or `X-SES-Outgoing` headers to identify the specific SES environment used by the attacker.
## Mitigation Strategies
- **Prevention measures:** Implementation of strict DMARC policies (`p=reject`) to prevent display name spoofing of your own domain.
- **Hardening recommendations:** Configure email security gateways to perform "Lookalike Domain" analysis and "External Sender" tagging even for emails passing SPF/DKIM.
- **User Training:** Educate employees to inspect the actual email address behind the display name, even if the "security certificate" of the email (SPF/DKIM) appears valid.
## Related Tools/Techniques
- **SendGrid Phishing:** Similar abuse of bulk email providers.
- **Microsoft 365 Direct Send Abuse:** Bypassing filters by sending from within the same trusted environment.
- **Subdomain Takeover:** Using legitimate subdomains to host phishing content that SES emails link to.