Delivery Technique

Reporting from BleepingComputer and Kaspersky described growing abuse of Amazon Simple Email Service for phishing delivery, with exposed AWS IAM keys likely contributing to the spike. The defender problem is straightforward: mail sent through legitimate cloud infrastructure can pass common authentication checks and arrive with less obvious reputation friction.

Defensive Gaps

SPF, DKIM, and DMARC remain necessary, but they answer a narrow question about sending authorization and message integrity. They do not prove that the sender account, cloud key, landing page, or business pretext is safe. Attackers benefit when teams treat "authenticated" as "benign."

Control Design

Add cloud-sender context to email triage. Watch for newly seen SES identities, sudden volume from domains with little history, display-name mismatches, links that redirect away from the sending brand, and campaigns where authenticated mail points users into credential or payment workflows.
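
The sketch below shows how some of these signals can be layered on top of a passing authentication result. It is an added example, not code from the reporting cited above: the sample message, the domains, the sender allowlist, the brand map, and the SES header heuristic (Return-Path under amazonses.com or a Feedback-ID ending in AmazonSES) are all assumptions, and it compares link hosts statically rather than following redirects.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic); every domain is a placeholder.
SAMPLE = """\
Return-Path: <0100018f-example@us-east-1.amazonses.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=us-east-1.amazonses.com; dkim=pass header.d=invoices-portal.example; dmarc=pass header.from=invoices-portal.example
From: "Contoso Billing" <notify@invoices-portal.example>
Feedback-ID: 1.us-east-1.constructed:AmazonSES
Subject: Payment required
Content-Type: text/plain

Review your invoice: https://login.pay-verify.example/session
"""

KNOWN_SENDERS = {"vendor.example"}       # assumed allowlist of expected SES senders
BRANDS = {"contoso": "contoso.example"}  # assumed brand keyword -> legitimate domain

def org_domain(host):
    # Simplified to the last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, known=KNOWN_SENDERS, brands=BRANDS):
    msg = message_from_string(raw)
    findings = []
    auth = msg.get("Authentication-Results", "")
    # "Authenticated" only means SPF, DKIM and DMARC all passed; it is not a verdict.
    authenticated = all(re.search(rf"\b{m}=pass\b", auth) for m in ("spf", "dkim", "dmarc"))
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(addr.rpartition("@")[2])
    via_ses = ("amazonses.com" in msg.get("Return-Path", "").lower()
               or msg.get("Feedback-ID", "").endswith(":AmazonSES"))
    if via_ses and from_dom not in known:
        findings.append("new_ses_identity")        # SES sender with no history here
    for brand, legit in brands.items():
        if brand in display.lower() and from_dom != legit:
            findings.append("display_name_mismatch")
    link_doms = {org_domain(h) for h in re.findall(r"https?://([^/\s:]+)", msg.get_payload())}
    if any(d != from_dom for d in link_doms):
        findings.append("link_off_brand")          # link leaves the sending domain
    return {"authenticated": authenticated, "via_ses": via_ses, "findings": findings}
```

On the constructed sample, the message passes all three authentication checks and still raises every finding, which is the case the triage queue needs to surface.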

Rollout Risks

Blocking entire trusted providers is usually not workable. Many legitimate vendors, SaaS platforms, and internal workflows depend on the same infrastructure. Controls need to distinguish expected business senders from new or anomalous use, then feed abuse reports and key-rotation actions back to cloud owners.

Recommended Controls

For internal cloud accounts, scan for exposed IAM keys, limit SES permissions, alert on unusual sending volume, and rotate credentials quickly after exposure. For inbound mail, combine authentication results with behavioral reputation, URL detonation, user-report feedback, and campaign clustering.