Amazon SES Abuse: Bypassing Reputation Filters with High-Trust Infrastructure

Has anyone else noticed the sharp uptick in phishing campaigns leveraging Amazon Simple Email Service (SES)? It’s becoming a significant detection gap in our stack. Attackers aren't just spoofing headers; they are compromising verified accounts or abusing the SES sandbox to send mail that passes SPF/DKIM/DMARC checks automatically.

Because SES sits on AWS's massive, high-reputation IP space, traditional reputation-based firewalls just wave these messages through. Blocking *.amazonaws.com or AWS ASNs (like AS16509) isn't feasible for most of us given the volume of legitimate SaaS notifications.

Detection Strategies

We've had to pivot from reputation checks to deep content inspection and header analysis. One TTP we see is attackers using a "From" address that matches the victim's organization (display name spoofing) while the actual envelope sender is an SES instance.

Here is a KQL query we are running in Sentinel to flag SES-sourced mail for analysis:

EmailEvents
| where SenderFromDomain matches regex @".+\.amazonaws\.com$" or HeaderFrom contains "amazonses.com"
| extend ConfigSet = tostring(parse_(Headers)["X-SES-Configuration-Set"])
| where isnotempty(Subject)
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, ConfigSet
| order by Timestamp desc


We also check raw logs for the `X-SES-Outgoing` header to identify the sending region, which can correlate with other threat intel.

How is everyone else handling the "allow-list" dilemma? Are you strictly quarantining all SES-sourced mail, or have you found a reliable heuristic to separate legitimate receipts from credential phishing?