Attackers are increasingly leveraging Amazon Simple Email Service (SES) to conduct sophisticated phishing and Business Email Compromise (BEC) campaigns. By exploiting leaked IAM access keys found in public repositories or misconfigured storage, malicious actors gain access to trusted AWS infrastructure. This allows them to bypass traditional email security filters like SPF, DKIM, and DMARC, as the emails originate from legitimate IP addresses and domains that are unlikely to be blocklisted. The campaigns often involve fake electronic signature notifications or fabricated BEC threads that impersonate internal employees requesting urgent payments. Because the attacks use custom HTML templates and official Amazon links for phishing forms, they are highly effective at deceiving even vigilant users. To mitigate these risks, organizations should prioritize IAM security, implement the principle of least privilege, use IAM roles instead of long-lived access keys, and enforce multi-factor authentication.…