{"id":24719,"date":"2026-06-16T10:15:31","date_gmt":"2026-06-16T03:15:31","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=24719"},"modified":"2026-07-14T09:54:07","modified_gmt":"2026-07-14T02:54:07","slug":"hackers-are-using-aws-infrastructure-to-bypass-all-email-security-systems","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/hackers-are-using-aws-infrastructure-to-bypass-all-email-security-systems\/","title":{"rendered":"Hackers are using AWS infrastructure to bypass all email security systems"},"content":{"rendered":"<h2 id=\"summary-of-the-campaign\"><span style=\"font-family: arial, helvetica, sans-serif\">Summary of the campaign<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Since the beginning of 2026, Kaspersky has noted a significant increase in phishing campaigns and Business Email Compromise (BEC) exploiting Amazon Simple Email Service (SES) &#8211; not through software vulnerabilities, but via leaked AWS IAM access keys. By hijacking a third party&#8217;s key, attackers send thousands of phishing emails without the cost of building their own infrastructure. What sets this campaign apart: emails are sent from Amazon&#8217;s infrastructure &#8211; bypassing SPF, DKIM, DMARC, originating from non-blocklisted IPs, and containing redirect links through amazonaws.com. From a technical standpoint, the emails appear completely legitimate.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Two main attack branches have been identified:<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Regular phishing &#8211; impersonating DocuSign notifications, leading victims to a fake login page on amazonaws.com to steal credentials.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">BEC\/Invoice Fraud &#8211; impersonating internal email threads about payment invoices, including a PDF without malicious URLs to bypass scanners, aiming to trick the finance department into transferring money.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/834984c5-d63e-4dca-98f6-ef45229c0ce1-1779852046.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24720\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/834984c5-d63e-4dca-98f6-ef45229c0ce1-1779852046.png\" alt=\"834984c5 D63e 4dca 98f6 Ef45229c0ce1 1779852046\" width=\"740\" height=\"541\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/834984c5-d63e-4dca-98f6-ef45229c0ce1-1779852046.png 740w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/834984c5-d63e-4dca-98f6-ef45229c0ce1-1779852046-700x512.png 700w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/a><\/p>\n<h2 id=\"timeline-amp-background\"><span style=\"font-family: arial, helvetica, sans-serif\">Timeline &amp; background<\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Time<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Event<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">2024\u20132025<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Phishing through legitimate cloud services (Microsoft 365, Google Workspace) becomes a popular trend.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Early Q1 2026<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Kaspersky noted a significant spike in phishing campaigns sent through Amazon SES.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">04\/05\/2026<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Kaspersky publishes a detailed analysis report on Securelist.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Currently<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Trend shifts from isolated incidents \u2192 steady, ongoing campaign<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This campaign is not a sudden phenomenon\u2014it&#8217;s a natural progression of the trend where attackers shift towards &#8220;Living off Trusted Services&#8221; (LoTS): instead of building their own easily blockable domains, they rent or hijack the infrastructure of major providers with high reputations.<\/span><\/p>\n<h2 id=\"attack-chain\"><span style=\"font-family: arial, helvetica, sans-serif\">Attack chain<\/span><\/h2>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8d9ac24f-75a1-423d-b2dc-1566752347a4-1779852101.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24721\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8d9ac24f-75a1-423d-b2dc-1566752347a4-1779852101.png\" alt=\"8d9ac24f 75a1 423d B2dc 1566752347a4 1779852101\" width=\"1536\" height=\"1024\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8d9ac24f-75a1-423d-b2dc-1566752347a4-1779852101.png 1536w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8d9ac24f-75a1-423d-b2dc-1566752347a4-1779852101-700x467.png 700w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/8d9ac24f-75a1-423d-b2dc-1566752347a4-1779852101-406x271.png 406w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/a><\/p>\n<h3 id=\"phase-1-reconnaissance-amp-credential-harvesting-t1552001\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 1 &#8211; Reconnaissance &amp; credential harvesting (T1552.001)<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Attackers use automated tools, most commonly TruffleHog (open-source, scans for secrets in git history and code), to hunt for exposed AWS IAM access keys in public sources.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">GitHub repositories &#8211; developer mistakenly commits a file containing a key into a public repo<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">ENV files &#8211; .env file with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY pushed to a repo<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Docker images &#8211; credentials hardcoded in Dockerfile or baked into the image layer<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Configuration backups &#8211; config file mistakenly uploaded to a public S3 bucket<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Exposed S3 buckets &#8211; bucket misconfigured, allowing anonymous read<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Attackers don&#8217;t need to target Amazon directly &#8211; they exploit operational errors by developers and admins.<\/span><\/p>\n<h3 id=\"phase-2-validation-amp-preparation\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 2 &#8211; Validation &amp; preparation<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">After collecting the key, the attacker performs:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Verify the key is still active and has permission to use SES<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Check the sending limit (SES sandbox vs. production) and sending rate<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Verify the target list (email harvesting from LinkedIn, data breach, etc.)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Prepare an HTML email template impersonating reputable brands (DocuSign, Microsoft, etc.)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Prepare a phishing landing page on an amazonaws.com subdomain or a separate domain<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/7930f54e-8333-45d8-b1ed-4ac505aae3e8-1779852291.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24722\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/7930f54e-8333-45d8-b1ed-4ac505aae3e8-1779852291.png\" alt=\"7930f54e 8333 45d8 B1ed 4ac505aae3e8 1779852291\" width=\"600\" height=\"434\" \/><\/a><\/p>\n<h3 id=\"phase-3-weaponization-t1566002\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 3 &#8211; Weaponization (T1566.002)<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The attacker configures the email campaign with technical elements to maximize delivery and phishing effectiveness:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">SPF\/DKIM\/DMARC pass: Emails sent via SES are automatically signed by Amazon, meeting all email authentication standards<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Message-ID header contains .amazonses.com &#8211; appears completely legitimate to email security tools<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Redirect chain: Link in the email points to amazonaws.com \u2192 then redirects to the actual phishing page<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Custom HTML template: SES supports full HTML templates, allowing for professional-looking emails<\/span><\/li>\n<\/ul>\n<h3 id=\"phase-4-delivery-t1566001\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 4 &#8211; Delivery (T1566.001)<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Emails are blasted in large volumes via the SES API:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Source IPs belong to the Amazon AWS range &#8211; aren&#8217;t blocklisted by any reputation service (blocking would cause false positives for millions of legitimate Amazon SES users)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Emails pass all standard spam filter checks<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Volume isn&#8217;t limited by individual sending reputation due to using Amazon&#8217;s shared IP pool<\/span><\/li>\n<\/ul>\n<h3 id=\"phase-5a-exploitation-standard-phishing-t1056003\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 5A &#8211; Exploitation: Standard phishing (T1056.003)<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In a typical phishing campaign, the victim receives a fake email notification from an eSign service (DocuSign was the most common topic in Q1\/2026). The email requests the signing of a document. When clicking the link:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The initial URL leads to a subdomain on amazonaws.com (the victim recognizes the domain and feels secure).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">It automatically redirects to a fake sign-in page, which may be hosted on amazonaws.com or a separate domain.Trang gi\u1ea3 render form \u0111\u0103ng nh\u1eadp Microsoft\/Google\/Office 365<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">All credentials entered are sent directly to the attacker.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">No malware, no attachments &#8211; just pure credential harvesting through a web interface.<\/span><\/li>\n<\/ul>\n<h3 id=\"phase-5b-exploitation-bec-invoice-fraud-t1534\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 5B &#8211; Exploitation: BEC \/ Invoice fraud (T1534)<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The BEC branch is much more sophisticated. The attacker impersonates an internal email, often from senior staff or the accounting\/purchasing department, and sends it to the finance department. The email includes:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Fabricated email thread: A manually crafted thread presented as a legitimate exchange between employees and a supplier about an invoice awaiting payment<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">PDF attachment: Contains payment information and &#8220;supporting documents&#8221; &#8211; no malicious URLs or QR codes in the PDF<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This is a crucial evasion point: most email security gateways scan attachments for malicious URLs\/macros. The PDF only contains payment information \u2192 clean. The attachment passes through the scanner without being flagged. Objective: convince the finance department to transfer money into the attacker&#8217;s bank account, presented as a legitimate supplier account.<\/span><\/p>\n<h3 id=\"phase-6-collection\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 6 &#8211; Collection<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Phishing: Real-time credential collection allows the attacker to use them immediately (account takeover, lateral phishing).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">BEC: There is no technical &#8220;collection&#8221; phase &#8211; success occurs when the victim transfers money themselves.<\/span><\/li>\n<\/ul>\n<h2 id=\"detailed-technical-analysis\"><span style=\"font-family: arial, helvetica, sans-serif\">Detailed technical analysis<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Why Amazon SES is More Dangerous Than Regular Phishing Most email security gateways operate on reputation-based and signature-based principles. Amazon SES breaks through both these defenses:<\/span><\/p>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Conventional defense mechanisms<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Effectiveness vs. SES abuse<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">SPF check<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u274c Fail \u2014 email qua SES pass SPF c\u1ee7a Amazon<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">DKIM signature<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u274cFail \u2014 Amazon signs the email with their key, making the DKIM valid.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">DMARC alignment<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u274cFail \u2014 alignment passes when the From domain aligns with Amazon<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">IP reputation blocklist<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u274c Fail \u2014 Amazon SES IPs cannot be blocklisted (too many false positives)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Domain reputation<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u274c Fail \u2014 amazonaws.com is the most trusted domain on the internet<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">URL scanner<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u26a0\ufe0f Partial \u2014 if the link points directly to a phishing domain; but redirecting through amazonaws.com might bypass<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Attachment scanner<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">\u274c Fail (with BEC) \u2014 PDF does not contain malicious payload<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Only behavioral analysis and AI-based content analysis can detect this, but not every organization implements these layers.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The most common leak vectors in order of occurrence:<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">GitHub public repo \u2014 developers push .env files or configs containing credentials; even if deleted, GitHub history remains<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Docker Hub \u2014 image public with credentials baked into the layer; docker history or layer extraction can recover<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Public S3 bucket \u2014 config file or backup mistakenly uploaded to a bucket without access control<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">CI\/CD log \u2014 pipeline log exports key to stdout, log stored publicly<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Paste sites and forums \u2014 developers share code for debugging without sanitizing credentials<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">TruffleHog automatically scans all these sources with pattern matching for AWS key formats. This tool is completely legal and widely used in DevSecOps, but attackers use it for malicious purposes.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Real phishing example \u2014 DocuSign Notification<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Email headers of a sample analyzed by Kaspersky confirm the source sent via SES:<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/9ff30bc1-2204-41d8-a93f-be0a72d36a9b-1779852357.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24723\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/9ff30bc1-2204-41d8-a93f-be0a72d36a9b-1779852357.png\" alt=\"9ff30bc1 2204 41d8 A93f Be0a72d36a9b 1779852357\" width=\"740\" height=\"437\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/9ff30bc1-2204-41d8-a93f-be0a72d36a9b-1779852357.png 740w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/9ff30bc1-2204-41d8-a93f-be0a72d36a9b-1779852357-700x413.png 700w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/a><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">All authentication checks: pass. Nothing suspicious in the header. The email content falsely notifies of a document awaiting signature. Link in the email:<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/e3ca1998-5a94-431d-a83d-b1781550ffc3-1779852388.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24724\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/e3ca1998-5a94-431d-a83d-b1781550ffc3-1779852388.png\" alt=\"E3ca1998 5a94 431d A83d B1781550ffc3 1779852388\" width=\"875\" height=\"83\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/e3ca1998-5a94-431d-a83d-b1781550ffc3-1779852388.png 875w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/05\/e3ca1998-5a94-431d-a83d-b1781550ffc3-1779852388-700x66.png 700w\" sizes=\"(max-width: 875px) 100vw, 875px\" \/><\/a><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The victim sees amazonaws.com \u2192 clicks \u2192 phishing landing page requests login.<\/span><\/p>\n<h3 id=\"real-bec-example-invoice-fraud\"><span style=\"font-family: arial, helvetica, sans-serif\">Real BEC example &#8211; Invoice fraud<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">A carefully crafted BEC email: the thread is fabricated to include a fake exchange between &#8220;employee&#8221; and &#8220;supplier&#8221; from a few days earlier, detailing a specific invoice, amount, and urgent payment reason. The final email in the thread \u2014 sent to the finance department \u2014 requests &#8220;urgent processing as the supplier needs payment before the deadline.&#8221; The attached PDF contains:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Invoice Number<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Replacement Bank Account Number (of attacker)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Fake &#8220;Supporting Document&#8221;<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">No malware. No malicious links. All scanners are clean. The only bait is social engineering\u2014time pressure, fake authority, and email formatting that looks legitimate.<\/span><\/p>\n<h2 id=\"mitre-attampck-mapping\"><span style=\"font-family: arial, helvetica, sans-serif\">MITRE ATT&amp;CK mapping<\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Tactic<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Technique ID<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Technique Name<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Note<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Resource Development<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1552.001<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Credentials in Files<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Scan GitHub\/Docker\/S3 for IAM key<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Resource Development<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1583.006<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Web Services<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Exploiting SES instead of building a mail infrastructure<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1566.001<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Spearphishing Attachment<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">BEC with PDF attachment<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1566.002<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Spearphishing Link<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Phishing via redirect link<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Collection<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1056.003<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Web Portal Capture<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">The credential via fake login form<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Impersonation<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1534<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Internal Spearphishing<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Internal BEC Impersonation<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1036<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Masquerading<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Use legitimate domain (amazonaws.com)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1027<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Obfuscated Files<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Redirect chain hides the actual destination<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Exfiltration<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1041<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Exfiltration Over C2 Channel<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Credential sent to attacker server<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2 id=\"nhn-nh\"><span style=\"font-family: arial, helvetica, sans-serif\">Assessment<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>&#8220;Living off trusted services&#8221; &#8211; Defensive weapons neutralized<\/strong> This trend isn&#8217;t new &#8211; we&#8217;ve seen attackers abuse Microsoft 365 SMTP relay, Google Workspace, and SendGrid before. Amazon SES is just the next step in the same playbook: exploiting the trust that organizations and vendors have built over many years. The concern isn&#8217;t the attacker&#8217;s technique &#8211; it&#8217;s the fundamental limitation of reputation-based defense. SPF\/DKIM\/DMARC are designed to authenticate who is sending the email, not whether the email has malicious intent. When attackers use Amazon&#8217;s infrastructure to send, these three layers of authentication lose all distinguishing significance.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Why BEC via SES is particularly dangerous<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">BEC does not rely on malware or exploit techniques. It targets business processes and people. The PDF does not contain malicious payloads &#8211; this is intentional design, not a flaw. Attackers understand that current email scanners cannot distinguish between a PDF with fake account numbers and a legitimate one if the format looks professional. Organizations without procedures for verifying financial transactions through a secondary channel (such as a phone call or dedicated app) are ideal targets.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Risk level for organizations in Vietnam<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">There are three factors that make organizations in Vietnam more susceptible than usual: First, AWS adoption is rapidly increasing among Vietnamese developers, along with immature operational habits: hardcoding credentials in code, allowing long-term IAM keys to exist indefinitely, and not rotating keys regularly. Our observations from pentest and red team engagements show a significant rate of finding AWS credentials in the git history of enterprise clients. Second, the finance departments at Vietnamese SMEs often lack procedures for verifying transfers through a secondary channel. An &#8220;urgent email from the boss with an attachment&#8221; is enough to trigger action.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Third, many organizations still use email security gateways that only provide basic anti-spam\/anti-virus protection\u2014lacking behavioral analysis or AI content scoring. With SES abuse, this is a dangerous gap.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Pattern larger: Zero-cost credential weaponization<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The attacker is engaging in what is known as credential arbitrage &#8211; collecting exposed keys from third-party sources (for free) to launch phishing attacks at nearly zero cost, with unlimited scale. If a key is revoked, the scanning tool automatically finds the next key. This attack model offers extremely high margins and low risk for the attacker.<\/span><\/p>\n<h2 id=\"recommendations\"><span style=\"font-family: arial, helvetica, sans-serif\">Recommendations<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Do not fully trust &#8220;legitimate&#8221; emails<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Carefully check the email context<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Verify the actual sender<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not immediately click on login links<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not open suspicious attachments even if the email seems &#8220;official&#8221;<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Always verify financial requests through another channel.<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Always verify through a phone call or in-person meeting<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not change bank accounts based solely on email<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Implement a dual approval process for transfers<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Set up callback verification for large transactions<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Be cautious of fake login pages<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Check the actual domain before entering your password<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Do not log in from links in emails<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Access the website directly using a bookmark<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Carefully observe unusual URL redirects<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Enable Multi-Factor Authentication (MFA) Do not store AWS Keys in source code Monitor anomalies on AWS SES Apply Zero Trust to internal email\u00a0<strong>Conduct regular phishing awareness training, currently implemented:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Regular phishing simulations<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Red team email exercises<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Incident reporting culture<\/span><\/li>\n<\/ul>\n<h2 id=\"refer-to\"><span style=\"font-family: arial, helvetica, sans-serif\">Refer to<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/securelist.com\/amazon-ses-phishing-and-bec-attacks\/119623\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/securelist.com\/amazon-ses-phishing-and-bec-attacks\/119623\/<\/a><\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cyberpress.org\/attackers-abuse-amazon-ses\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/cyberpress.org\/attackers-abuse-amazon-ses\/<\/a><\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/gbhackers.com\/attackers-exploit-amazon-ses\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/gbhackers.com\/attackers-exploit-amazon-ses\/<\/a><\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/researchers-report-amazon-ses-abused-in-phishing-to-evade-detection\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/www.bleepingcomputer.com\/news\/security\/researchers-report-amazon-ses-abused-in-phishing-to-evade-detection\/<\/a><\/span><\/p>\n<p>&nbsp;<\/p>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\">\n<p data-start=\"0\" data-end=\"210\" data-is-last-node=\"\" data-is-only-node=\"\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by experts from\u00a0<span class=\"hover:entity-accent entity-underline inline cursor-pointer align-baseline\"><span class=\"whitespace-normal\">FPT IS<\/span><\/span>,\u00a0<span class=\"hover:entity-accent entity-underline inline cursor-pointer align-baseline\"><span class=\"whitespace-normal\">FPT Corporation<\/span><\/span><\/strong><\/span><\/p>\n<p data-start=\"0\" data-end=\"210\" data-is-last-node=\"\" data-is-only-node=\"\"><br data-start=\"110\" data-end=\"113\" \/><span style=\"font-family: arial, helvetica, sans-serif\"><em>Luu Tuan Anh &#8211; Information Security &amp; Cybersecurity Center, <span class=\"hover:entity-accent entity-underline inline cursor-pointer align-baseline\"><span class=\"whitespace-normal\">FPT IS<\/span><\/span><\/em><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":24726,"parent":0,"template":"","nang_luc":[821],"danh_muc_goc_nhin_so":[789],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-24719","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/24719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/24726"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=24719"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=24719"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=24719"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=24719"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=24719"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=24719"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=24719"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=24719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}