Hackers Exploit Amazon SES to Blast Over 50,000 Malicious Emails Daily

A sophisticated cyberattack campaign where threat actors exploited compromised AWS credentials to hijack Amazon’s Simple Email Service (SES), launching large-scale phishing operations capable of sending over 50,000 malicious emails daily.

The Wiz Research team identified this alarming SES abuse campaign in May 2025, highlighting a concerning trend where cybercriminals are weaponizing legitimate cloud services to conduct fraud operations at unprecedented scale.

The attack demonstrates how compromised AWS access keys can be transformed into powerful phishing infrastructure, bypassing traditional email security defenses while shifting costs and reputational damage onto innocent victims.

The sophisticated campaign began with attackers obtaining compromised AWS access keys through unknown vectors, likely including accidental public exposure in code repositories or theft from developer workstations.

Once armed with these credentials, the threat actors immediately conducted reconnaissance to assess their capabilities.

Their first move involved a simple GetCallerIdentity request, which revealed that the compromised ...