‘Uptick In Attacks’—Amazon Weaponized As Compromised Credentials Used
Amazon is a giant in both online retail and cloud, with Amazon Web Services accounting for an estimated 30% market share in cloud infrastructure. As a market leader, it’s not unusual to hear of Amazon being the target of cyber attacks, but a new report from security researchers at Kaspersky has now revealed that Amazon’s own infrastructure is being leveraged to launch “an uptick in phishing attacks” that bypass standard security checks by appearing to be completely legitimate. Here’s what you need to know about the Amazon Simple Email Service and how it is being weaponized by attackers.
How The Amazon Simple Email Service Is Weaponized By Attackers
When it comes to phishing campaigns, one of the main objectives for attackers is to bypass security measures so that their nefarious content drops into the victim’s view without being flagged as suspicious. We’ve seen many different methodologies used, including the use of QR codes and malicious web browser notifications. When it comes to email, however, one of the tactics increasingly employed by threat actors is the use not only of reputable sources, but of legitimate and trusted platform infrastructure. In the case of the newly published report, authored by Kaspersky analyst Roman Dedenok, it is the Amazon Simple Email Service that is being put to bad use.
Amazon SES is a cloud-based platform that is designed for reliable transactional and marketing message delivery, integrating seamlessly with products in the Amazon cloud ecosystem. “The insidious nature of Amazon SES attacks lies in the fact that attackers aren’t using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust,” Dedenok warned in the Kaspersky report.
Having gained access to the Amazon SES platform by way of compromised AWS identity and access management credentials, specifically keys exposed by developers “in public GitHub repositories, ENV files, Docker images, configuration backups, or even in publicly accessible S3 buckets,” according to Dedenok, attackers are able to then “blast out thousands of phishing emails.” The most dangerous part is that these will pass email authentication and originate from non-blacklisted IP addresses. This is because the Amazon SES emails use SPF, DKIM, and DMARC authentication protocols, and “almost always contain .amazonses.com in the Message-ID headers.”
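Because these messages authenticate cleanly, a pass result on its own says little; the Message-ID marker Dedenok mentions can instead be combined with a list of senders you actually expect to use SES. The sketch below is an added example, not code from Kaspersky or Amazon, and its sample message, domains and the `expected_ses_domains` allowlist are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message; all addresses and domains are made up.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=billing-example.test;
 dmarc=pass header.from=billing-example.test
From: Accounts <invoices@billing-example.test>
To: user@example.net
Subject: Invoice overdue
Message-ID: <0100018f-constructed-000000@email.amazonses.com>

Please review the attached invoice.
"""

def sent_via_ses(msg):
    """True if the Message-ID host is amazonses.com or a subdomain of it."""
    m = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    host = m.group(1).lower() if m else ""
    return host == "amazonses.com" or host.endswith(".amazonses.com")

def auth_passes(msg):
    """True if SPF, DKIM and DMARC each report at least one 'pass'."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    seen = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", joined, re.I):
        seen.setdefault(method.lower(), set()).add(result.lower())
    return all("pass" in seen.get(k, ()) for k in ("spf", "dkim", "dmarc"))

def triage(raw, expected_ses_domains):
    """Classify one message; expected_ses_domains is a local allowlist (assumption)."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    via_ses = sent_via_ses(msg)
    if not via_ses:
        verdict = "not-ses"
    elif from_domain in expected_ses_domains:
        verdict = "expected-sender"
    else:
        verdict = "review"  # authenticated SES mail from a sender we do not expect
    return {"via_ses": via_ses, "auth_pass": auth_passes(msg),
            "from_domain": from_domain, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE, {"notifications.example.com"}))
```

Only rely on an Authentication-Results header stamped by your own receiving mail server, since a sender can insert a forged one.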
It should be noted that these attack campaigns are not attempting to compromise your Amazon account as others have done with emails purporting to come from Amazon support, but rather to access data from other platforms and even engage in invoice fraud.
Amazon is far from unique in being targeted by attackers seeking to use legitimate services for phishing campaigns. I have reported on such attacks using PayPal and Google platforms, for example, but the Kaspersky warning is worth noting nonetheless. Not least, as Dedenok concluded, “phishing via Amazon SES is shifting from isolated incidents into a steady trend.” That said, Amazon told me that it was not seeing any evidence that supports this research conclusion, and the research itself provides no validation or data for the claim that this activity is increasing.
An Amazon spokesperson provided the following statement:
“AWS has clear terms that prohibit the use of our services to violate the security, integrity, or availability of others. When we receive reports of potential violations of our terms, we act quickly to review and take appropriate action. As always, we encourage all customers to follow recommended security guidance to help secure their accounts and prevent abuse. If anyone suspects that AWS resources are being used for abusive activity, they can report it to AWS Trust & Safety.”