Home · Briefs · CTI Daily Brief — 2026-05-08
Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)
From CTI Daily Brief — 2026-05-08 · published 2026-05-08
Kaspersky researchers documented a campaign technique using legitimate Amazon Simple Email Service (SES) accounts to deliver attacker-crafted phishing and business-email-compromise (BEC) lures. Because messages originate from genuine SES infrastructure, SPF and DKIM authentication passes and messages evade most email security gateway filters based on sender reputation. Attackers obtain SES API credentials from publicly exposed AWS configuration files (S3 bucket misconfigurations, leaked GitHub repositories). Observed campaign goals include invoice-fraud lures targeting finance departments and credential phishing pages hosted on AWS infrastructure. Kaspersky observed targeting of finance departments at European manufacturing firms. This report is approximately 96 hours old at publication; first coverage in this brief series.