Introduction: The AWS AiTM Phishing Kit and Why It Matters
A sophisticated phishing campaign targeting AWS users has revealed how attackers continue to evolve beyond traditional credential theft. The newly identified AWS AiTM Phishing Kit enables threat actors to steal AWS console credentials and multi-factor authentication (MFA) codes in real time, allowing them to hijack authenticated sessions before security tokens expire.
According to Datadog Security Labs, the campaign was active between June 19 and June 23, 2026, and specifically targeted a small number of high-value AWS users, primarily software engineers and engineering leaders in the United States. Instead of simply collecting usernames and passwords, the phishing kit operates as an Adversary-in-the-Middle (AiTM) platform, intercepting authentication traffic as victims log in.
Although fewer than 50 individuals have been identified as targets, the campaign demonstrates that a phishing operation which relays the login in real time defeats MFA based on codes the user types, because the code is simply forwarded to AWS along with the password. Organizations relying on that kind of MFA should adopt phishing-resistant authentication methods and continuously monitor cloud login activity; identity protection has to extend beyond the second factor itself.
What Is Amazon Web Services (AWS)?
Amazon Web Services (AWS) is one of the world’s largest cloud computing platforms, providing infrastructure, storage, networking, artificial intelligence, databases, and security services to millions of businesses worldwide. The AWS AiTM Phishing Kit specifically targets AWS users by exploiting the trust they place in legitimate cloud authentication workflows.
Organizations use AWS to host:
- Enterprise applications
- Customer databases
- Cloud servers
- Artificial Intelligence workloads
- Development environments
- Government and financial services
Because AWS accounts often provide administrative access to sensitive cloud infrastructure, they remain one of the most attractive targets for cybercriminals. Successful compromise of an AWS administrator account can potentially provide attackers with access to cloud resources, confidential data, encryption keys, and production environments.
What Caused the Incident?
Unlike conventional phishing pages that simply imitate a login portal, this campaign used an Adversary-in-the-Middle (AiTM) framework.
Rather than hosting a static copy of the sign-in page, the attackers placed a reverse proxy between the victim and the legitimate AWS sign-in endpoint. The victim's browser talks to the proxy, the proxy talks to AWS, and every request and response passes through it.
This position allowed the attackers to:
- Capture usernames
- Capture passwords
- Intercept MFA verification codes as the victim typed them
- Read the session cookie AWS set after the successful login
- Reuse that session immediately from their own browser
Because everything happened in real time, the victim's login actually succeeded, so nothing looked broken, and the attackers held a valid session before the victim noticed anything suspicious.
AWS AiTM Phishing Kit: Full Technical Breakdown
Timeline of Events
Datadog Security Labs observed the phishing infrastructure operating during a short but carefully executed campaign.
Known timeline
- June 19, 2026: campaign becomes active.
- AWS-themed phishing domains begin serving login pages.
- Attackers distribute phishing emails impersonating AWS Support.
- Victims receive fake bandwidth throttling notifications.
- June 23, 2026: campaign activity drops off sharply after the infrastructure is identified.
Researchers believe the infrastructure may be linked to older phishing operations dating back to 2023, indicating that the toolkit has likely evolved over several years.
How the Attack Worked
The phishing emails impersonated AWS Support and warned recipients that their AWS accounts were experiencing bandwidth throttling or service-related issues requiring immediate attention.
To increase credibility, attackers sent emails using trusted email delivery services such as:
- SendGrid
- Nimbu
Recipients who clicked the embedded links were redirected to domains carefully designed to resemble legitimate AWS services.
Behind the scenes, the phishing site acted as a transparent relay between the victim and the authentic AWS login page.
The attack sequence followed these steps:
- Victim receives a convincing AWS-themed phishing email.
- Victim clicks the embedded link.
- The real AWS sign-in page loads, relayed through the phishing domain.
- Username and password are entered and forwarded to AWS.
- AWS requests MFA verification.
- Victim submits the MFA code, which the proxy also forwards.
- AWS accepts the login and returns the session cookie in its response.
- The proxy records the cookie as the response passes back to the victim.
- Attackers replay the cookie and immediately hijack the authenticated AWS console session.
Unlike older phishing campaigns that collected credentials for later use, this operation used the session the moment it was created. The MFA step was completed by the victim, so a one-time code offered no protection: it was relayed and consumed during the live attack. Security researchers noted that relaying authentication traffic in real time makes the kit significantly more dangerous than a conventional credential-stealing page.
Infrastructure Behind the Campaign
Researchers discovered three AWS-themed phishing domains that supported the operation.
The domains were reportedly:
- Registered through NICENIC INTERNATIONAL GROUP CO., LIMITED
- Hosted behind Cloudflare
- Configured specifically for AWS credential theft
The campaign was highly selective: rather than displaying phishing pages to every visitor, the infrastructure reportedly checked that a visitor was an intended target before presenting the fake AWS login interface.
This gating reduced the chance that researchers or automated scanners would ever see the phishing page, while letting the attackers concentrate on pre-selected targets.
What Was Targeted?
According to Datadog Security Labs, fewer than 50 victims were identified during the observed campaign.
Primary targets included:
- Software engineers
- Engineering managers
- Cloud administrators
- Technical leadership roles
- Organizations using AWS cloud services
Researchers believe the attackers were primarily interested in obtaining privileged cloud access rather than conducting large-scale credential harvesting.
Potential Risks & Impact
The AWS AiTM Phishing Kit shows how phishing has moved beyond simple credential theft. By intercepting authentication sessions in real time, attackers gain immediate access to cloud environments, potentially exposing sensitive infrastructure, data, and administrative controls, without compromising AWS itself: the weak point is the trust users place in what looks like the normal sign-in flow.
Identity and Account Security Risks
If attackers successfully hijack an authenticated AWS session, they may be able to:
- Access AWS Management Console resources.
- Create or modify IAM users and roles.
- Generate new access keys or credentials.
- Disable or weaken security configurations.
- Maintain persistence within the AWS environment.
- Move laterally to additional cloud services.
Because the attack captures the active session cookie rather than only the password, changing the password after compromise may not immediately end a session the attacker already holds; active sessions have to be revoked explicitly.
Business and Operational Risks
For organizations that rely heavily on AWS, unauthorized console access could lead to:
- Exposure of sensitive business information.
- Unauthorized deployment or deletion of cloud resources.
- Service disruptions affecting customers.
- Increased cloud infrastructure costs through resource abuse.
- Data exfiltration and intellectual property theft.
Even a short-lived compromise can have significant operational and financial consequences if attackers obtain privileged administrative access, and an undetected one lets them keep that access for an extended period.
Regulatory and Compliance Risks
Organizations handling regulated or sensitive data may also face compliance challenges if cloud accounts are compromised.
Potential concerns include:
- Violations of data protection regulations.
- Mandatory incident reporting requirements.
- Internal security policy breaches.
- Customer trust and reputational damage.
Enterprises should review cloud audit logs and incident response procedures whenever suspicious authentication activity is detected.
Official Response / Statement
According to Datadog Security Labs, researchers identified and analyzed the phishing infrastructure responsible for the campaign after observing suspicious AWS-themed domains and targeted phishing emails.
The researchers reported that:
- The phishing operation was active between June 19 and June 23, 2026.
- The infrastructure selectively displayed phishing pages only to pre-approved targets.
- Fewer than 50 individuals were identified as intended victims.
- The toolkit appears to share similarities with phishing infrastructure observed since 2023, including campaigns targeting cryptocurrency users and Salesforce credentials.
At the time of writing, there has been no public indication that AWS itself was compromised. The campaign targeted users with carefully crafted phishing that stole valid authentication sessions, which the researchers describe as part of a growing trend of phishing frameworks that bypass traditional multi-factor authentication through real-time session interception.
Industry Context: Why AiTM Phishing Attacks Are Increasing
Adversary-in-the-Middle attacks have become one of the fastest-growing phishing techniques because traditional multi-factor authentication only proves who is logging in; it does not protect the session cookie that is issued afterwards.
Unlike conventional phishing pages that simply collect passwords, AiTM frameworks relay authentication traffic between the victim and the legitimate service, so the victim satisfies every login step, including MFA, and the attacker captures the resulting session cookie as it passes through the proxy.
This trend reflects a broader shift toward cloud-focused attacks targeting privileged identities rather than endpoint devices.
For cloud security best practices, organizations should also review the official AWS Security Best Practices documentation.
How to Protect Your Organization
Organizations can reduce the risk of AiTM phishing attacks by adopting multiple layers of cloud security.
- Deploy phishing-resistant authentication such as FIDO2 security keys or passkeys; these bind the credential to the legitimate origin, so a proxy on another domain cannot complete the login.
- Continuously monitor AWS CloudTrail ConsoleLogin events for unusual authentication activity, especially successful logins from source IPs a user has never used before.
- Investigate DNS requests to known phishing domains.
- Train employees to recognize urgent phishing emails impersonating AWS Support.
- Restrict where logins can come from, through identity-provider conditional access (device trust, location) or IAM source-IP conditions where they fit the workforce.
- Regularly review IAM users, roles, and privileged permissions.
- Revoke active sessions immediately after suspected account compromise; a password reset alone may not end a session the attacker already holds.
- Use endpoint detection and identity protection solutions capable of identifying session hijacking attempts.
Security awareness remains one of the strongest defenses against highly targeted phishing campaigns. Organizations should regularly educate employees about emerging threats such as the AWS AiTM Phishing Kit to reduce the risk of successful phishing attacks.
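The list above recommends FIDO2 security keys or passkeys without saying why they survive an AiTM proxy. The following is an added illustration, not code from this page or from Datadog: it shows the relying-party checks from the WebAuthn flow that a proxy cannot satisfy. The browser writes the origin it is actually connected to into clientDataJSON, the authenticator signs over that data, and the relying party rejects any assertion whose origin or RP ID hash is not its own. Only those checks are shown; the signature verification that follows them is omitted, and the RP ID, origin and look-alike domain are assumptions.

```python
# Added illustration (not code from the page or from Datadog): the relying-party
# checks that make a FIDO2/WebAuthn login resistant to an AiTM proxy. Only the
# origin / RP ID / challenge checks are shown; signature verification is omitted.
import base64
import hashlib
import json
import os

RP_ID = "signin.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://signin.example.com"  # assumed legitimate origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(observed_origin: str, challenge: bytes) -> bytes:
    """What the browser serialises before the authenticator signs it.
    A proxy cannot alter this: the origin comes from the page's real URL,
    not from anything the (relayed) page content says."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": observed_origin}).encode()


def authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal authenticator data: SHA-256(rpId) | flags | signature counter.
    Flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes,
                     rp_id: str = RP_ID, origin: str = EXPECTED_ORIGIN):
    """Relying-party side: the WebAuthn checks that precede signature
    verification. Returns (accepted, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != origin:
        # The check an AiTM proxy cannot get past: the victim's browser signed
        # for the phishing origin, not for the real one.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Same challenge, same authenticator: direct login accepted, proxied login refused."""
    challenge = os.urandom(32)
    direct = browser_client_data(EXPECTED_ORIGIN, challenge)
    # Constructed look-alike domain standing in for a hypothetical proxy.
    proxied = browser_client_data("https://signin-example.com", challenge)
    return (verify_assertion(direct, authenticator_data(RP_ID), challenge),
            verify_assertion(proxied, authenticator_data(RP_ID), challenge))


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", reason)
```

In practice the proxy does not even get this far: a browser only offers a credential whose RP ID is a registrable suffix of the current origin, so a look-alike domain cannot invoke the victim's real credential at all. Contrast this with a TOTP code, which carries no information about where it was typed and so relays cleanly through the proxy.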
Indicators of Compromise (IoCs)
The indicators available for this campaign are behavioural rather than atomic (no hashes or domain names are given here), so security teams should hunt for the following:
- Suspicious AWS Console login activity.
- Unexpected ConsoleLogin events in AWS CloudTrail.
- Login attempts immediately following visits to suspicious AWS-themed domains.
- Newly created IAM users or access keys.
- Unauthorized privilege escalation.
- Unexpected MFA prompts reported by users.
- Suspicious DNS lookups involving known phishing infrastructure.
- Login sessions originating from unusual geographic locations or IP addresses.
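The indicators above, and the earlier advice to revoke active sessions rather than only reset the password, can be turned into a concrete detection-and-response pass. The following is an added example with constructed CloudTrail records, not events from the campaign and not Datadog's code. The login itself looks legitimate (MFAUsed is "Yes", because the victim really did complete MFA), so the rule keys on a successful ConsoleLogin from a source IP the principal has never used, followed within a short window by persistence or credential-creating IAM actions. Field names follow the CloudTrail record format; the IP baseline, the action list and the 30-minute window are assumptions to tune locally. The revocation helper emits the AWS-documented `aws:TokenIssueTime` deny policy for role sessions; the page does not say whether the hijacked sessions belonged to IAM users or roles, so that part assumes role-based (for example federated) access.

```python
# Added example (constructed log records, not events from the campaign):
# detection over CloudTrail for a hijacked console session, plus the policy
# used to cut off existing role sessions once a hijack is suspected.
from datetime import datetime, timedelta, timezone

# Constructed sample records; only the fields the rule reads are shown.
SAMPLE_EVENTS = [
    {"eventTime": "2026-06-20T14:02:11Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-06-20T14:05:40Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2026-06-20T09:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

# Assumed baseline: source IPs each principal used over the previous 90 days.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}}

# IAM actions that create credentials or persistence after a hijacked login.
PERSISTENCE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "DeactivateMFADevice",
    "DeleteVirtualMFADevice",
}
WINDOW = timedelta(minutes=30)  # assumed follow-up window


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(event):
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def find_suspicious_logins(events, known_ips):
    """Return one alert per successful ConsoleLogin from an IP the principal
    has not used before, listing persistence actions seen within WINDOW."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, event in enumerate(events):
        if event.get("eventName") != "ConsoleLogin":
            continue
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        who, ip, t0 = _principal(event), event.get("sourceIPAddress"), _ts(event)
        if ip in known_ips.get(who, set()):
            continue
        followups = [later["eventName"] for later in events[i + 1:]
                     if _principal(later) == who
                     and later.get("eventName") in PERSISTENCE_ACTIONS
                     and _ts(later) - t0 <= WINDOW]
        alerts.append({
            "principal": who, "sourceIP": ip, "time": event["eventTime"],
            "mfaUsed": event.get("additionalEventData", {}).get("MFAUsed"),
            "followups": followups,
            "severity": "high" if followups else "medium",
        })
    return alerts


def revoke_older_sessions_policy(cutoff):
    """Inline IAM policy denying every action to role sessions issued before
    `cutoff` (ISO 8601 UTC string). This is the AWS-documented way to cut off
    a role's existing temporary-credential sessions (aws:TokenIssueTime);
    attach it to the compromised role and remove it once those sessions would
    have expired anyway. Assumes the hijacked session is a role session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
        print(revoke_older_sessions_policy(alert["time"]))
```

On the constructed input only alice's login fires, and it fires high because a CreateAccessKey follows three minutes later from the same IP; bob's login is from a known address and is ignored. A production rule would normally compare ASN or geography as well as exact IP, since the operator behind a proxy kit can easily sit on a residential address, and would include the victim's password and access-key rotation alongside the session revocation.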
The discovery of the AWS AiTM Phishing Kit reinforces the need for continuous cloud security monitoring, phishing-resistant authentication, and proactive incident response planning. Organizations that suspect exposure should immediately review authentication logs, revoke active sessions, rotate affected credentials (passwords and access keys), and audit IAM changes made during the window of access.
Key Takeaways
- The newly discovered AWS AiTM Phishing Kit steals AWS credentials and MFA codes in real time.
- Attackers use Adversary-in-the-Middle techniques to intercept authenticated AWS sessions.
- The campaign reportedly targeted fewer than 50 high-value AWS users between June 19 and June 23, 2026.
- Trusted email delivery platforms were abused to distribute convincing AWS Support phishing emails.
- Organizations should combine phishing-resistant authentication, continuous monitoring, and employee awareness to defend against evolving cloud phishing threats.
Conclusion: AWS AiTM Phishing Kit and What Happens Next
The discovery of the AWS AiTM Phishing Kit highlights how phishing attacks continue to evolve beyond traditional credential theft. By intercepting authentication sessions in real time, attackers can effectively bypass conventional multi-factor authentication and gain immediate access to cloud environments.
As cloud adoption continues to grow, organizations should prioritize phishing-resistant authentication methods, strengthen identity monitoring, and regularly review cloud security controls. Continuous vigilance, employee awareness, and proactive monitoring of AWS authentication events will remain essential in defending against increasingly sophisticated identity-based attacks.
Although the observed campaign targeted a limited number of victims, the techniques it used are likely to reappear in future cloud-focused phishing operations, so phishing-resistant authentication, continuous monitoring of AWS authentication events, and security awareness will only grow in importance.
Frequently Asked Questions (FAQs)
What is the AWS AiTM Phishing Kit?
The AWS AiTM Phishing Kit is a phishing framework that intercepts AWS login sessions in real time. It captures usernames, passwords, MFA codes, and authenticated session cookies, allowing attackers to hijack active AWS console sessions.
What is an Adversary-in-the-Middle (AiTM) attack?
An AiTM attack places a malicious proxy between the victim and the legitimate login page. It forwards authentication requests while secretly capturing credentials and session cookies as users log in.
Does MFA protect against this attack?
Traditional MFA significantly improves security but does not prevent real-time session interception: a one-time code is simply relayed to the real service. Organizations should adopt phishing-resistant authentication methods such as FIDO2 security keys or passkeys for stronger protection.
Who was targeted?
According to Datadog Security Labs, the campaign primarily targeted U.S.-based software engineers, engineering managers, cloud administrators, and other high-value AWS users.
How can security teams detect this attack?
Security teams should monitor AWS CloudTrail ConsoleLogin events, investigate suspicious DNS requests, review privileged IAM activity, and analyze unusual authentication behavior for signs of compromise.
Why does this campaign matter?
The campaign demonstrates that modern phishing attacks can bypass traditional MFA protections through real-time session hijacking, emphasizing the need for stronger identity security and continuous cloud monitoring.
