RC RANDOM CHAOS

Leaked AWS keys fuel surge in Amazon SES phishing that sails past SPF, DKIM, DMARC

via BleepingComputer

Original source

Amazon SES increasingly abused in phishing to evade detection

BleepingComputer →

Kaspersky reports a sharp rise in phishing campaigns sent through Amazon Simple Email Service. Because SES is a trusted sender, messages pass SPF, DKIM, and DMARC checks cleanly, and defenders can’t simply block the originating IPs without cutting off legitimate SES traffic. Reputation-based filtering is effectively neutralized.

The fuel for the spike is leaked AWS credentials. Attackers run TruffleHog-based bots across GitHub repos, .env files, Docker images, backups, and exposed S3 buckets to harvest IAM access keys, then automate permission probing, send-quota checks, and mass dispatch. Payloads are well-crafted: DocuSign-style document-signing lures pointing to AWS-hosted phishing pages, plus BEC operations with fabricated email threads and fake invoices aimed at finance teams.

The defensive posture sits on the customer side of the shared-responsibility line. Kaspersky’s guidance is least-privilege IAM, MFA, regular key rotation, IP-based access restrictions, and encryption. Amazon’s response points users to its existing guidance on exposed credentials and the Trust & Safety reporting channel — meaning organizations leaking keys are the choke point, not SES itself.

This is an AI-generated summary. Read the original for the full story.