LEGALAUDIT

Scam Watch

How can you recognize Fake Document Alerts and BEC: Amazon SES Weaponized for Phishing?

TLDR

Attackers abuse Amazon's legitimate email infrastructure (SES) to send phishing that bypasses security filters. Emails pass SPF, DKIM, and DMARC checks, and URLs show trusted 'amazonaws.com' domains before redirecting to credential...

How it works

Attackers abuse Amazon's legitimate email infrastructure (SES) to send phishing that bypasses security filters. Emails pass SPF, DKIM, and DMARC checks, and URLs show trusted 'amazonaws.com' domains before redirecting to credential...

Red flags

  • Unexpected document signing requests (Docusign style) arrive via email, asking you to click and log in
  • Login forms hosted on amazonaws.com URLs, designed to look trustworthy and bypass URL checks
  • BEC emails impersonate colleagues or vendors, quoting fake internal conversations about urgent invoice payments

What to do

  1. 1Never enter credentials from email links — navigate directly to the service's official website instead
  2. 2For urgent payment or document requests, verify via a separate channel (phone/call) with the supposed sender
  3. 3Monitor for exposed AWS IAM keys in your repositories; attackers harvest these to launch phishing campaigns at scale

Source

securelist

Source reviewed by Mythos Forensic Team

https://securelist.com/amazon-ses-phishing-and-bec-attacks/119623/

FAQ

Is Fake Document Alerts and BEC: Amazon SES Weaponized for Phishing a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Unexpected document signing requests (Docusign style) arrive via email, asking you to click and log in; Login forms hosted on amazonaws.com URLs, designed to look trustworthy and bypass URL checks; BEC emails impersonate colleagues or vendors, quoting fake internal conversations about urgent invoice payments

What should I do first?

Never enter credentials from email links — navigate directly to the service's official website instead; For urgent payment or document requests, verify via a separate channel (phone/call) with the supposed sender; Monitor for exposed AWS IAM keys in your repositories; attackers harvest these to launch phishing campaigns at scale

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.