ctipilot.ch · Switzerland · Europe · Public sector

Amazon SES abuse for authenticated BEC/phishing (Kaspersky, 2026-05-04)

campaign · technique:amazon-ses-bec-2026

  • Coverage timeline: 1 (first 2026-05-08 → last 2026-05-08)
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-08 · CTI Daily Brief — 2026-05-08
    research · First coverage (96h old at publication; outside 72h window but first coverage). SES API credentials harvested from misconfigured S3/GitHub; SPF/DKIM pass; targets European finance/manufacturing; BEC and credential phishing. [SINGLE-SOURCE-OTHER]

Where this entity is cited

  • research: 1

Source distribution

  • securelist.com: 1 (33%)
  • access.redhat.com: 1 (33%)
  • unit42.paloaltonetworks.com: 1 (33%)

Related entities

Items in briefs about Amazon SES abuse for authenticated BEC/phishing (Kaspersky, 2026-05-04) (1)

Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

Kaspersky researchers documented a campaign technique that uses legitimate Amazon Simple Email Service (SES) accounts to deliver attacker-crafted phishing and business-email-compromise (BEC) lures. Because the messages originate from genuine SES infrastructure, SPF and DKIM authentication passes, and the messages evade most email security gateway filters that rely on sender reputation. Attackers obtain SES API credentials from publicly exposed AWS configuration files (S3 bucket misconfigurations, leaked GitHub repositories). Observed campaign goals include invoice-fraud lures targeting finance departments and credential phishing pages hosted on AWS infrastructure. Kaspersky observed targeting of finance departments at European manufacturing firms. This report is approximately 96 hours old at publication; it is the first coverage in this brief series.