Amazon SES Abuse Delivers Fake DocuPortal+ Notification to a Credential-Harvest Page With a Fake reCAPTCHA

Written by Audian Paxson | Jun 7, 2025 11:00:00 AM
TL;DR: A phishing email impersonating 'DocuPortal+' was sent via Amazon SES from envelope address nmd-reply[@]fsweat[.]awsapps[.]com, passing SPF and DKIM for the SES sending domains while the visible From header was malformed. The 'Review Document' CTA redirected through bluesea610[.]rangmanworld[.]com to a credential-harvesting page at beyondexcellency[.]org (registered 2024-05-22), confirmed by sandbox analysis to display a pre-filled email input and fake reCAPTCHA. Sending IP was 54[.]240[.]8[.]57 (Amazon SES infrastructure).

Severity: High | Tags: Credential-Harvesting, Phishing, Brand-Impersonation | MITRE: T1566, T1598

A phishing campaign targeting a compliance-adjacent fintech firm exploited Amazon SES as a delivery rail, buying itself legitimate transport authentication before routing the victim through a two-hop redirect chain to a credential-harvesting page dressed up with a pre-filled email field and a non-functional reCAPTCHA. The attack required no zero-day, no malicious attachment, and no compromised insider account. It worked almost entirely because cloud mailer abuse turns authentication into a false signal.

How the Attacker Laundered SPF and DKIM Through Amazon SES

The sending infrastructure was straightforward: the attacker registered or hijacked an AWS-connected sending identity and routed the campaign through Amazon SES. The observable evidence was a Received chain showing a8-57.smtp-out.amazonses.com (IP 54[.]240[.]8[.]57) handing off to Microsoft's inbound protection layer.

Because the message transited Amazon's own relay, SPF passed for amazonses.com and DKIM passed for both fsweat[.]awsapps[.]com and amazonses.com. Microsoft's composite authentication recorded dmarc=bestguesspass, a heuristic grant awarded when DMARC alignment cannot be confirmed but the relay is recognized infrastructure. The visible From field, however, was a different story: it contained a URL-encoded string embedding email=nmd-reply[@]fsweat[.]awsapps[.]com, not a legitimate mailbox address. That malformed header is a strong indicator of deliberate manipulation. Standard authentication checks never reached the spoofed display name because they were satisfied at the transport layer before anyone looked at what the message claimed to be from.

For defenders, this is the core lesson: SPF and DKIM passing for Amazon's sending domains tells you the message left an Amazon relay. It says nothing about the identity or intent of whoever booked that relay. Treating bestguesspass as a green light is exactly what the attacker counted on.

The Redirect Chain and Landing Page

The "Review Document" button contained a SafeLinks-wrapped URL with an embedded originalsrc pointing to bluesea610[.]rangmanworld[.]com, which in turn redirected to a path under beyondexcellency[.]org. Sandbox captures from around the time this campaign ran document the landing page behavior: the page loaded a login-style form with the victim's email address pre-filled and overlaid a fake reCAPTCHA widget.

Pre-filling the email field reduces friction and creates the appearance that the portal already knows who the visitor is, the same UX pattern used by legitimate single-sign-on flows. The fake CAPTCHA adds a visual legitimacy cue without actually validating anything. Both techniques are borrowed directly from phishing-as-a-service kit designs intended to maximize credential submission rates.

Infrastructure signals for beyondexcellency[.]org fit the profile: the domain was registered 2024-05-22, registrant details are privacy-redacted, nameservers point to mysecurecloudhost[.]com, and the hosting IP PTR does not match the domain (shared hosting). DNSSEC is not deployed. The combination of a young domain, privacy-redacted WHOIS, and shared-host fingerprint is common across commodity phishing infrastructure.
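To make the redirect chain and the infrastructure signals above concrete, here is an added example (not IRONSCALES code, and not anything recovered from the campaign) that unwraps a Safe Links-style CTA, walks a constructed redirect map standing in for the two hops, and scores the landing domain with the signals listed in this section. The Safe Links URL, the hop targets, the `fetch` stand-in for an HTTP client, the `PLACEHOLDER` path suffix and the two-year "young domain" threshold are all assumptions built from the IoCs on this page.

```python
"""Unwrap a Safe Links CTA, walk its redirect chain offline, and score the
landing domain with the infrastructure signals described in this post.

Added example for this write-up, not IRONSCALES code. The Safe Links URL,
the redirect map and the WHOIS/DNS facts are constructed from the post's
IoCs; `fetch` is an injectable stand-in for an HTTP client so nothing is
contacted; the two-year "young domain" threshold is an assumed value.
"""
from datetime import date
from urllib.parse import parse_qs, urlparse

# Constructed: a Defender Safe Links wrapper; only `url` holds the target.
SAFELINK = (
    "https://nam02.safelinks.protection.outlook.com/?"
    "url=https%3A%2F%2Fbluesea610.rangmanworld.com%2Fgo%3Fid%3Dabc"
    "&data=05%7Cplaceholder&reserved=0"
)

# Constructed redirect map standing in for live responses:
# URL -> Location target, or None for a final (non-redirecting) page.
# The real path suffix is elided in the post, hence PLACEHOLDER.
REDIRECTS = {
    "https://bluesea610.rangmanworld.com/go?id=abc":
        "https://beyondexcellency.org/dashboard=PLACEHOLDER",
    "https://beyondexcellency.org/dashboard=PLACEHOLDER": None,
}

# Constructed from the post: registration date, privacy-redacted WHOIS,
# PTR/host mismatch (shared hosting) and no DNSSEC for the landing domain.
LANDING_INFO = {
    "beyondexcellency.org": {
        "registered": date(2024, 5, 22),
        "whois_redacted": True,
        "ptr_matches_domain": False,
        "dnssec": False,
    }
}

YOUNG_DOMAIN_DAYS = 730  # assumed threshold, not stated in the post


def unwrap_safelink(url: str) -> str:
    """Return the destination embedded in a Safe Links URL, else the URL itself."""
    parsed = urlparse(url)
    if not parsed.netloc.endswith("safelinks.protection.outlook.com"):
        return url
    inner = parse_qs(parsed.query).get("url")  # parse_qs already percent-decodes
    return inner[0] if inner else url


def follow_chain(url: str, fetch=REDIRECTS.get, max_hops: int = 10) -> list:
    """Follow Location redirects until a final page, a loop, or the hop limit."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def score_landing(host: str, claimed_brand: str, today: date) -> tuple:
    """Score the landing host; each reason mirrors a signal from the post."""
    info = LANDING_INFO.get(host, {})
    score, reasons = 0, []
    if claimed_brand.lower() not in host.lower():
        score += 2
        reasons.append(f"landing host does not match claimed brand '{claimed_brand}'")
    if "registered" in info:
        age = (today - info["registered"]).days
        if age < YOUNG_DOMAIN_DAYS:
            score += 2
            reasons.append(f"domain registered {age} days ago")
    if info.get("whois_redacted"):
        score += 1
        reasons.append("registrant details privacy-redacted")
    if info.get("ptr_matches_domain") is False:
        score += 1
        reasons.append("hosting IP PTR does not match domain (shared hosting)")
    if info.get("dnssec") is False:
        score += 1
        reasons.append("DNSSEC not deployed")
    return score, reasons


def triage_cta(wrapped_url: str, claimed_brand: str, today: date) -> dict:
    """End-to-end: unwrap, resolve the chain, score where the victim lands."""
    chain = follow_chain(unwrap_safelink(wrapped_url))
    host = urlparse(chain[-1]).hostname or ""
    score, reasons = score_landing(host, claimed_brand, today)
    return {"chain": chain, "landing_host": host, "score": score, "reasons": reasons}


def demo() -> dict:
    """Run the triage against the constructed CTA as of the post's date."""
    return triage_cta(SAFELINK, "DocuPortal", date(2025, 6, 7))


if __name__ == "__main__":
    verdict = demo()
    for hop in verdict["chain"]:
        print("hop:", hop)
    print(verdict["landing_host"], "score", verdict["score"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The point of injecting `fetch` is that a mail-security pipeline can swap in a real sandboxed HTTP client while keeping the chain-walking and scoring logic testable offline; the brand-mismatch check is what turns "the button said DocuPortal+" into a scored signal once the final host is known.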

Why the Message Body Felt Contextual

The body itself was simple: a "DocuPortal+" header graphic, a single sentence ("A document is available for you. Please click the button below to see the details."), and a prominent "Review Document" button. The email carried urgent priority headers (Priority: urgent, X-Priority: 1, Importance: high). The subject included a string of financial-topic hashtags designed to look like tagging metadata from a financial-services platform.

What raised the apparent legitimacy was the forwarded thread content in the message body. The attacker had embedded fragments of real inter-company correspondence, referencing business names and context that would be familiar to anyone at the target organization. This thread-borrowing technique is a form of social engineering: the borrowed context provides plausible reason for the document to exist without the attacker needing to write a convincing narrative from scratch. Other links in the message (social-media buttons, legal disclaimers) resolved to clean domains and functioned as reputation decoys to dilute automated link-scanning risk scores.

What Caught It

Themis, the IRONSCALES platform's AI engine, flagged the message based on the combination of a malformed From header, a first-time sender with high sender-risk metadata, and the resolved behavior of the primary CTA link. The "Review Document" link destination matched sandbox-confirmed credential-harvesting behavior, and the infrastructure signals for beyondexcellency[.]org aligned with known phishing-kit hosting patterns.

Defender Takeaway: Authentication Passing Is Not a Clearance

The right posture for messages arriving via bulk cloud mailers (Amazon SES, SendGrid, Mailgun) is a distinct trust tier, not blanket deference to SPF/DKIM. Treat a bestguesspass DMARC result as "unauthenticated relative to the claimed From," not "authenticated." Link sandboxing and behavioral analysis of the landing page, not transport authentication, are what this attack required to surface. Phishing campaigns routed through cloud infrastructure will keep passing gateway authentication checks until defenders stop treating that pass as a clearance signal.
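As an added illustration of the trust-tier posture described here and of the header analysis in the SPF/DKIM section above (example code, not IRONSCALES or Microsoft's), the script below parses an Authentication-Results header, checks DKIM/SPF alignment against the claimed From, and places the message in a tier; a bestguesspass result or an unparseable From can never reach "authenticated". The two messages, the bulk-relay list, the `example-corp.test` sender and the two-label org-domain rule are constructed assumptions, not a full DMARC implementation.

```python
"""Trust-tier a message by whether its authentication results align with the
claimed From, rather than trusting SPF/DKIM passes earned by a cloud mailer.

Added example for this write-up, not IRONSCALES or Microsoft code. PHISH is
constructed from the post's details (SES relay, DKIM for fsweat.awsapps.com
and amazonses.com, dmarc=bestguesspass, malformed From); LEGIT is an invented
aligned sender. The relay list and two-label org-domain rule are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

BULK_RELAYS = {"amazonses.com", "sendgrid.net", "mailgun.org"}  # assumed list

PHISH = """\
Received: from a8-57.smtp-out.amazonses.com (54.240.8.57) by mx.example.test
Authentication-Results: spf=pass (sender IP is 54.240.8.57) smtp.mailfrom=amazonses.com; dkim=pass header.d=fsweat.awsapps.com; dkim=pass header.d=amazonses.com; dmarc=bestguesspass action=none header.from=fsweat.awsapps.com
From: "DocuPortal+" <email=nmd-reply%40fsweat.awsapps.com>
Priority: urgent
X-Priority: 1
Importance: high

A document is available for you. Please click the button below.
"""

LEGIT = """\
Received: from a8-57.smtp-out.amazonses.com (54.240.8.57) by mx.example.test
Authentication-Results: spf=pass smtp.mailfrom=amazonses.com; dkim=pass header.d=notices.example-corp.test; dmarc=pass header.from=example-corp.test
From: "Example Corp Notices" <noreply@example-corp.test>

Your monthly statement is ready.
"""

MAILBOX = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
URGENCY = {"priority": "urgent", "x-priority": "1", "importance": "high"}


def org_domain(host):
    """Assumed two-label organisational domain (real code would use the PSL)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_auth_results(value):
    """Return (result, domain) for spf and dmarc, and a list of them for dkim."""
    out = {"spf": None, "dkim": [], "dmarc": None}
    for clause in value.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        d = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", clause)
        pair = (result, d.group(1).lower() if d else None)
        if method == "dkim":
            out["dkim"].append(pair)
        else:
            out[method] = pair
    return out


def assess(raw):
    """Classify one raw message; the tier is decided by alignment, not by passes."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    m = MAILBOX.match(addr)
    from_domain = m.group(1).lower() if m else None  # None = malformed From
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(domain):
        return (from_domain is not None and domain is not None
                and org_domain(domain) == org_domain(from_domain))

    dkim_ok = any(r == "pass" and aligned(d) for r, d in auth["dkim"])
    spf_dom = auth["spf"][1] if auth["spf"] else None
    spf_ok = auth["spf"] is not None and auth["spf"][0] == "pass" and aligned(spf_dom)
    relay = next((b for b in BULK_RELAYS if spf_dom and spf_dom.endswith(b)), None)
    dmarc = auth["dmarc"][0] if auth["dmarc"] else None

    findings = []
    if from_domain is None:
        findings.append("From header is not a valid mailbox address")
    if dmarc == "bestguesspass":
        findings.append("dmarc=bestguesspass: unauthenticated relative to the claimed From")
    if relay and not (dkim_ok or spf_ok):
        findings.append(f"relayed by {relay}; transport auth does not vouch for the sender")
    urgent = [h for h, v in URGENCY.items() if (msg.get(h) or "").lower().startswith(v)]
    if len(urgent) >= 2:
        findings.append("multiple urgency headers set: " + ", ".join(urgent))

    if (dkim_ok or spf_ok) and dmarc in (None, "pass"):
        tier = "authenticated"
    elif relay:
        tier = "bulk-relay-unaligned"  # gets link and landing-page analysis, not deference
    else:
        tier = "unaligned"
    return {"tier": tier, "from_domain": from_domain, "dmarc": dmarc,
            "dkim_domains": [d for _, d in auth["dkim"]], "findings": findings}


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, assess(raw))
```

The contrast is the point: both messages leave the same SES relay with spf=pass and dkim=pass, but only the one whose DKIM signing domain aligns with its From lands in the "authenticated" tier. The phishing sample is routed to "bulk-relay-unaligned", where link resolution and landing-page behaviour decide the outcome instead of the transport-layer passes.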

Indicators of Compromise

| Type | Indicator | Notes |
| --- | --- | --- |
| IP | 54[.]240[.]8[.]57 | Amazon SES sending relay |
| Email | nmd-reply[@]fsweat[.]awsapps[.]com | Envelope sender / malformed From embed |
| Domain | bluesea610[.]rangmanworld[.]com | First redirect hop |
| Domain | beyondexcellency[.]org | Credential-harvesting landing page; registered 2024-05-22 |
| URL | hxxps://beyondexcellency[.]org/dashboard=... | Phishing page with fake reCAPTCHA |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

Related attacks

| Attack | What happened |
| --- | --- |
| The Button Text Was the Weapon: Unicode RTL Obfuscation Inside a DocuSign Lure | Attackers embedded Unicode right-to-left marks directly inside a CTA button label to scatter the string for NLP scanners. |
| The DocuSign Lure That Used Google as a Trust Shield (And Encoded Your Email in the Link) | A DocuSign phishing email hid its harvest domain behind a google.com redirect and encoded the recipient's exact email address into the link as base64. |
| The B2B Content Marketing Email That Borrowed a Brand, a Relay Allow-List, and a Security Vendor's Own URL Wrapper | A polished B2B research report offer used SelectHub branding, passed through an allow-listed mail relay at SCL -1. |
| The Email That Passed Every Security Check (Because Adobe Sent It) | A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures. |
| The Phishing Infrastructure Was Canva. The Delivery Mechanism Was Canva. The Authentication Was Canva. | An attacker signed up for Canva, built a phishing lure as a design, and used the platform's own sharing feature to deliver it. |