A sophisticated phishing kit has emerged, targeting Amazon Web Services (AWS) users by capturing login credentials and multi-factor authentication (MFA) codes in real time. This advancement allows attackers to gain access to a victim’s AWS console before the victim notices any suspicious activity.
Innovative Attack Methodology
This phishing campaign, identified between June 19 and 23, 2026, represents a notable evolution in cloud account attacks. The kit employs an adversary-in-the-middle (AiTM) tactic, creating a stealthy relay between the victim and the legitimate AWS login page. As users enter their credentials and MFA codes, these are transmitted directly to the attacker, who then forwards them to the AWS servers. This process allows attackers to swiftly access the victim’s AWS session, rendering MFA protections ineffective.
Research and Findings
Datadog Security Labs uncovered the campaign and provided insights into its operations. The researchers identified three phishing domains, all registered within 24 hours through NICENIC INTERNATIONAL GROUP CO., LIMITED and hosted on Cloudflare. These domains expertly mimicked the AWS console login page, making it challenging for users to detect fraudulent activity.
The phishing emails, masquerading as AWS Support, were sent via trusted platforms such as SendGrid and Nimbu, bypassing email authentication filters. The emails fabricated a bandwidth throttling issue to prompt urgent user action, luring recipients to engage without scrutinizing the validity of the request.
Targeted Phishing Strategy
This campaign distinguished itself by not indiscriminately targeting users. The phishing kit only displayed the fake login page to pre-verified email addresses, with fewer than 50 targets identified, primarily software engineers and engineering leaders in the United States. This specificity suggests a highly targeted approach rather than a broad phishing scheme.
The kit’s core functionality resided in a single JavaScript file on the fraudulent AWS login page. This file read and verified encrypted values from the URL against the attacker’s server, ensuring that only intended targets saw the login form. This method also prevented security researchers from analyzing the page effectively.
Broader Implications and Defense Measures
Beyond AWS, researchers found additional domains impersonating SendGrid, sharing similar registration timelines and technical characteristics. This indicates a common threat actor refining their toolkit over time, affecting various industries.
To mitigate such threats, security teams are advised to monitor DNS queries for known phishing domains and scrutinize AWS CloudTrail logs for suspicious ConsoleLogin events. A successful ConsoleLogin shortly after a lookup of a phishing domain could signal an attacker replaying a compromised session. Recognizing AWS console phishing as a critical threat is paramount to enhancing cybersecurity defenses.
Indicators of Compromise (IoCs) include several domains, such as us-west-login[.]com and aws-central.us-west-login[.]com, among others. These IoCs serve as crucial data points for threat intelligence and proactive defense strategies.
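The detection the article recommends, correlating DNS lookups of the listed phishing domains with successful CloudTrail ConsoleLogin events, can be scripted as below. This is an added example written for this page, not code from Datadog Security Labs or from the phishing kit. The two IoC domains are the ones quoted above; the DNS log line format, the sample CloudTrail records, the user names and IP addresses, and the 30-minute correlation window are all constructed assumptions for the example. The CloudTrail field names (eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, sourceIPAddress) are the real ones AWS emits.

```python
"""Correlate phishing-domain DNS lookups with successful AWS ConsoleLogin events.

Added example for this article; sample data below is constructed, not real telemetry.
"""
from datetime import datetime, timedelta, timezone

# IoC domains quoted in the article, kept defanged exactly as published.
PHISHING_DOMAINS_DEFANGED = [
    "us-west-login[.]com",
    "aws-central.us-west-login[.]com",
]

# Assumed correlation window for this example; tune to your environment.
WINDOW = timedelta(minutes=30)


def refang(domain: str) -> str:
    """Turn a defanged IoC ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


PHISHING_DOMAINS = {refang(d) for d in PHISHING_DOMAINS_DEFANGED}


def is_phishing_domain(qname: str) -> bool:
    """True if qname is a listed domain or any subdomain of one."""
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in PHISHING_DOMAINS)


def parse_ts(s: str) -> datetime:
    """CloudTrail eventTime style: 2026-06-20T14:03:11Z (UTC)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_dns_log(lines):
    """Constructed resolver-log format: '<ISO8601> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client, qname = parts[0], parts[1], parts[2]
        if is_phishing_domain(qname):
            hits.append({"time": parse_ts(ts), "client": client, "qname": refang(qname)})
    return hits


def successful_console_logins(records):
    """Keep only ConsoleLogin records whose outcome was Success."""
    logins = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        logins.append({
            "time": parse_ts(r["eventTime"]),
            "user": r.get("userIdentity", {}).get("userName", "<unknown>"),
            "source_ip": r.get("sourceIPAddress"),
            "mfa_used": r.get("additionalEventData", {}).get("MFAUsed"),
        })
    return logins


def correlate(dns_hits, logins, window=WINDOW):
    """Alert on every successful login preceded within `window` by a phishing lookup.

    In an AiTM relay the login's sourceIPAddress is the attacker's relay, not the
    victim's workstation, so the join is on time only, never on IP equality.
    """
    alerts = []
    for login in logins:
        for hit in dns_hits:
            delta = login["time"] - hit["time"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": login["user"],
                    "mfa_used": login["mfa_used"],
                    "login_source_ip": login["source_ip"],
                    "dns_client": hit["client"],
                    "dns_qname": hit["qname"],
                    "seconds_after_lookup": int(delta.total_seconds()),
                })
    return alerts


# Constructed sample data: one victim lookup followed by a relayed login,
# one unrelated earlier lookup, one failed login, one non-login event.
SAMPLE_DNS_LINES = [
    "2026-06-20T09:00:00Z 10.0.0.9 us-west-login.com A",
    "2026-06-20T14:01:30Z 10.0.0.5 aws-central.us-west-login.com A",
    "2026-06-20T14:01:31Z 10.0.0.5 console.aws.amazon.com A",
]

SAMPLE_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T11:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.0.0.9", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T14:02:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T14:03:11Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "GetCallerIdentity", "eventTime": "2026-06-20T14:05:00Z"},
]


def run_example():
    """Run the correlation over the constructed sample data and return the alerts."""
    return correlate(parse_dns_log(SAMPLE_DNS_LINES),
                     successful_console_logins(SAMPLE_CLOUDTRAIL))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the script yields exactly one alert: alice's successful, MFA-backed login 101 seconds after a workstation resolved aws-central.us-west-login.com, from a source IP that differs from the workstation's. bob's login is not flagged because the earlier lookup falls outside the window. Note that MFAUsed is "Yes" on the flagged event; that is the point of the article's AiTM description, so a rule that treats MFA-backed logins as safe would miss this.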
