AWS AiTM Phishing Kit Steals Console Credentials and MFA Codes in Real Time

Jun 25, 2026 · 4 min read

A newly discovered phishing kit is targeting Amazon Web Services users by silently stealing login credentials and multi-factor authentication codes the moment a victim types them in.

Unlike older tools that captured passwords for later use, this kit works in real time, meaning attackers can access a victim’s AWS console before the victim realizes something is wrong.

The campaign ran between June 19 and 23, 2026, and marks a serious shift in how cloud accounts are attacked.

The kit relies on a technique called adversary-in-the-middle, or AiTM, which places a hidden relay between the victim and the real AWS login page.

When a victim enters credentials and an MFA code, everything is quietly forwarded to the attacker’s server, which passes it to the actual AWS site.

This live relay gives attackers a brief window to log in using the stolen session before it expires, making MFA protections effectively useless.

Analysts from Datadog Security Labs identified the campaign and documented how it operated, publishing a report shared with Cyber Security News (CSN).

Cloned AWS Console (Source - DATADOG)

The researchers found three phishing domains, all registered within the same 24-hour window through a registrar named NICENIC INTERNATIONAL GROUP CO., LIMITED, and hosted on Cloudflare.

Each domain served a near-perfect copy of the AWS console sign-in page, making it nearly impossible for most users to notice anything off.

The attack emails were sent through trusted platforms like SendGrid and Nimbu, which helped them pass email authentication filters and reach inboxes directly.

The phishing email impersonated AWS Support and cited a fabricated issue about bandwidth throttling to create urgency. This social engineering pushed recipients into clicking quickly, without pausing to check whether the request was real.

What makes this campaign stand out is that it did not cast a wide net. The kit only displayed the fake login page when a valid, pre-verified email appeared in the link, and researchers recovered fewer than 50 target addresses.

Most belonged to software engineers and engineering leaders in the United States, pointing to a targeted operation rather than mass phishing.

AWS AiTM Phishing Kit Steals Console Credentials

The core of this kit lived inside a single JavaScript file embedded in the fake AWS login page.

When a victim visited the site, the page read an encrypted value from the URL, verified it against the attacker’s server, and only showed the login form if the visitor matched a known target.

The phishing kit's server-driven MFA flow (Source - DATADOG)

This trick prevented security sandboxes and researchers from examining the page’s behavior.

Once credentials were submitted, the kit forwarded them to the phishing server, which interacted with the real AWS sign-in system in the background.

The server could only determine which MFA challenge to show next, whether email, SMS, or a time-based one-time password, by actively relaying data to the legitimate AWS site.

That live exchange is what sets AiTM kits apart from standard phishing pages and makes them far more dangerous.

Ties to a Broader Phishing Operation

Alongside the three AWS domains, researchers found three more domains impersonating SendGrid, all registered during the same window through the same registrar.

The similarities were clear, including a matching React-based app structure, the same encrypted email gating method, and identical MFA support across all major second-factor types.

Researchers also traced the input_24 URL parameter, a fingerprint of this kit, to campaigns dating back to July 2023, including attacks on cryptocurrency wallet users and a Salesforce login page impersonation.

This points to a threat actor who has refined and reused the same toolkit across multiple industries over several years.

To defend against this threat, security teams should look for DNS queries pointing to the known phishing domains and check AWS CloudTrail logs for ConsoleLogin events following contact with those domains.

A successful login appearing right after traffic to a phishing domain strongly suggests an attacker captured and replayed a victim’s session. Treating AWS console phishing as a high-priority threat is the clearest lesson from this campaign.
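The correlation described above, written out as an added example (not code from the original article or from Datadog): it re-fangs a defanged indicator list, picks out DNS queries to those domains or their subdomains, and flags any successful CloudTrail ConsoleLogin that lands within a short window afterwards. The domain, log lines and CloudTrail record are constructed placeholders, and the 30-minute window is an assumption to tune locally.

```python
import json
from datetime import datetime, timedelta

# Constructed placeholder indicator (not the campaign's real domains), kept defanged as a feed delivers it.
PHISHING_DOMAINS = {"aws-login-example[.]invalid"}
WINDOW = timedelta(minutes=30)  # a successful login this soon after a DNS hit is suspicious

# Constructed sample logs: DNS queries as JSON lines, one CloudTrail ConsoleLogin record 12 min later.
SAMPLE_DNS = [
    '{"ts": "2026-06-20T14:02:10Z", "client": "10.0.4.17", "query": "aws.aws-login-example.invalid."}',
    '{"ts": "2026-06-20T14:02:11Z", "client": "10.0.4.17", "query": "console.aws.amazon.com."}',
]
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T14:14:30Z",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

def parse_ts(value: str) -> datetime:
    """CloudTrail and most DNS logs write ISO-8601 timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def dns_hits(dns_lines, domains=PHISHING_DOMAINS):
    """Return (timestamp, name) for every query to a listed domain or a subdomain of it."""
    wanted = {d.replace("[.]", ".").lower() for d in domains}  # re-fang only for matching
    hits = []
    for line in dns_lines:
        rec = json.loads(line)
        name = rec["query"].rstrip(".").lower()
        if name in wanted or any(name.endswith("." + w) for w in wanted):
            hits.append((parse_ts(rec["ts"]), name))
    return hits

def suspicious_logins(events, dns_lines, domains=PHISHING_DOMAINS, window=WINDOW):
    """Flag successful ConsoleLogin events landing within `window` after a phishing lookup.
    MFAUsed == "Yes" is not exculpatory: an AiTM relay completes the victim's own MFA challenge."""
    hits = dns_hits(dns_lines, domains)
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin" or \
                ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        login_ts = parse_ts(ev["eventTime"])
        for hit_ts, name in hits:
            if timedelta(0) <= login_ts - hit_ts <= window:
                findings.append({"user": ev["userIdentity"].get("userName"), "phishing_domain": name,
                                 "source_ip": ev.get("sourceIPAddress"),
                                 "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed")})
                break
    return findings
```

A flagged login with `mfa_used == "Yes"` is exactly the pattern this campaign produces, so the MFA flag should raise, not lower, the priority of the alert.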

Indicators of Compromise (IoCs):


Source: CybersecurityNews.com
