Cybersecurity teams invest millions in secure email gateways, SPF, DKIM, DMARC, and threat intelligence feeds – yet phishing emails still land directly in the inboxes of finance departments, executives, and internal decision-makers. The reason is often not a missing security stack, but the fact that attackers no longer rely on suspicious servers in obscure regions. Instead, they operate through trusted cloud infrastructure itself.
Recent analysis from Kaspersky shows a significant rise in phishing campaigns delivered through Amazon’s Simple Email Service (SES). Amazon SES is a legitimate email platform widely used by enterprises, SaaS providers, and automated business communication systems. That very trust is exactly what makes it attractive to attackers.
The entry point is often surprisingly simple: exposed AWS IAM access keys. These credentials are frequently found in public GitHub repositories, open .env files, Docker images, backups, or misconfigured S3 buckets. Using automated tools like TruffleHog, threat actors scan for these leaked secrets, validate permissions, and then hijack legitimate email sending capabilities through compromised AWS accounts.
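Defenders can run the same kind of search over their own checkouts, backups, and unpacked image layers to find exposed keys and rotate them. The sketch below is an added example, not code from the original article, Kaspersky, or TruffleHog; it assumes the standard AWS key formats, and its sample files are constructed around the placeholder key pair used in AWS documentation.

```python
import os
import re

# Key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) plus 16 of [A-Z0-9].
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-alphabet chars; flag them only beside a telling name.
SECRET_RE = re.compile(r"(?i)aws_?secret(?:_?access)?_?key\s*[=:]\s*['\"]?"
                       r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def redact(value):
    """Keep the ends so the finding can be located; never print a secret whole."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(name, text):
    """Return (file, line number, kind, redacted value) per likely credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            kind = "temporary key id" if m.group(1) == "ASIA" else "long-term key id"
            findings.append((name, no, kind, redact(m.group(0))))
        for m in SECRET_RE.finditer(line):
            findings.append((name, no, "secret access key", redact(m.group(1))))
    return findings

def scan_tree(root):
    """Scan every readable file under root (a checkout, an unpacked image layer)."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for fname in names:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings += scan_text(path, fh.read())
            except OSError:
                continue  # unreadable file or broken symlink: skip it
    return findings

# Constructed sample input; the key pair is the placeholder from AWS documentation.
SAMPLE_FILES = {
    ".env": "DEBUG=true\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "Dockerfile": "FROM python:3.12-slim\nENV AWS_REGION=eu-central-1\n",
    "build.log": "artifact id XAKIAIOSFODNN7EXAMPLEZ uploaded\n",  # longer token, not a key
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for finding in scan_text(name, text):
            print(*finding, sep="\t")
```

A hit on a long-term key ID means the key should be treated as exposed and rotated, not just deleted from the file, since earlier commits and image layers still contain it.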
The result is highly convincing phishing emails that pass SPF, DKIM, and DMARC authentication checks. Fake DocuSign notifications, manipulated invoices, and full business email compromise scenarios become far more believable than traditional spam campaigns. The risk increases significantly when attackers fabricate complete email threads and specifically target finance teams, procurement departments, or C-level executives.
The deeper problem lies in how many security strategies still depend on blocking suspicious sources. But what happens when the source itself is Amazon? IP blocking becomes nearly impossible without disrupting legitimate business communication at the same time.
Amazon SES is only one example of a much larger shift. Attackers are deliberately moving their operations into trusted systems because trust itself has become the cheapest exploit path available. The next successful breach will often not begin with malware – it will begin with a perfect email sent from a legitimate cloud environment.
Darkgate sees the real strategic failure here: many organizations still treat security as a tooling problem, while attackers have already understood that trust itself is now the primary attack surface.


