A recently uncovered phishing campaign has been targeting Amazon Web Services (AWS) users, intercepting login credentials and multi-factor authentication (MFA) codes in real time. Because the stolen one-time code is replayed to AWS while it is still valid, the attackers obtain an authenticated session in the victim's AWS console, which neutralises code-based MFA (email, SMS or TOTP) as a defence.
The campaign, active between June 19 and 23, 2026, used an adversary-in-the-middle (AiTM) approach: the attackers placed a relay between the victim and the legitimate AWS sign-in page. Credentials and MFA codes typed into the relay were forwarded to the genuine AWS site at the moment they were captured, so the attackers were signed in to the console before the short-lived code expired. Since the relay itself completes the login, the MFA challenge is satisfied legitimately from AWS's point of view, which is why a one-time code offers no protection here.
Security researchers identified three phishing domains associated with this campaign, all registered within a 24-hour period through NICENIC INTERNATIONAL GROUP CO., LIMITED and hosted on Cloudflare. These domains hosted near-identical replicas of the AWS console sign-in page, making it challenging for users to detect any discrepancies.
The phishing emails were sent through legitimate bulk-mail platforms, SendGrid and Nimbu, so they arrived from infrastructure with established sender reputation and passed email authentication checks, which validate the sending infrastructure rather than the sender's intent, reaching users' inboxes directly. The emails impersonated AWS Support and cited fabricated issues such as bandwidth throttling to create urgency and prompt immediate action.
Notably, this campaign was highly targeted. The phishing kit displayed the fake login page only when reached through a link carrying a value tied to an email address already on the attackers' target list. Researchers identified fewer than 50 targeted addresses, primarily belonging to software engineers and engineering leaders in the United States, indicating a focused attack rather than indiscriminate phishing.
The core of the phishing kit was a single JavaScript file embedded in the counterfeit AWS login page. On load, the page extracted an encrypted value from the URL, verified it against the attacker's server, and rendered the login form only if the visitor matched a known target. Anyone fetching the URL without a valid value, including automated sandboxes and researchers, saw no credential form, so the page's malicious behaviour was hidden from URL-based analysis.
Once a victim submitted credentials, the kit forwarded them to the attacker's server, which authenticated against the legitimate AWS sign-in system in real time and learned from AWS's response which MFA challenge to present to the victim next, whether email, SMS or a time-based one-time password. This live exchange is what distinguishes AiTM kits from static credential-harvesting pages and is the reason they defeat code-based MFA.
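Because the relay, not the victim's browser, is what finally authenticates to AWS, the resulting CloudTrail ConsoleLogin event records the relay's source IP address with MFAUsed set to "Yes". The following Python script is an added example, not code from the original article or from the researchers who reported the campaign; it runs a simple new-source-IP check over constructed CloudTrail ConsoleLogin records. The usernames, IP addresses (from the RFC 5737 documentation ranges) and timestamps are invented sample data, not indicators from the campaign.

```python
"""Spot AiTM-style AWS console sign-ins in CloudTrail ConsoleLogin records.

Because the phishing relay, not the victim's browser, completes the login with
AWS, the successful ConsoleLogin event is recorded from the relay's IP address
with MFAUsed set to "Yes". The check below flags successful logins from an IP
the user has never signed in from before, regardless of whether MFA was used.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail ConsoleLogin records for illustration; they are not
# telemetry from the campaign. 198.51.100.23 and 192.0.2.10 stand in for the
# engineers' usual egress IPs, 203.0.113.77 for the attacker's relay host.
SAMPLE_EVENTS = [
    {"eventTime": "2026-06-15T08:02:41Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "dev.engineer"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    {"eventTime": "2026-06-17T07:58:03Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "dev.engineer"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    {"eventTime": "2026-06-16T09:10:22Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "eng.lead"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    # Campaign window: the victim's own IP never reaches AWS; the relay does,
    # and the relayed OTP means AWS records the login as MFA-protected.
    {"eventTime": "2026-06-20T14:03:11Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev.engineer"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    # Benign login from a known IP in the same window: must not alert.
    {"eventTime": "2026-06-20T15:40:09Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "eng.lead"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    # Unrelated API event: filtered out by eventName.
    {"eventTime": "2026-06-20T14:03:40Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev.engineer"}},
]

# Start of the campaign window reported above; everything before it builds
# the per-user baseline of known source IPs.
CUTOFF = datetime(2026, 6, 19, tzinfo=timezone.utc)


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def console_logins(events):
    """Normalise ConsoleLogin events; every other event type is ignored."""
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        yield {
            "user": ev.get("userIdentity", {}).get("userName", "<unknown>"),
            "ip": ev.get("sourceIPAddress", ""),
            "time": parse_time(ev["eventTime"]),
            "success": ev.get("responseElements", {}).get("ConsoleLogin") == "Success",
            "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        }


def build_baseline(logins, cutoff):
    """Map each user to the set of IPs seen on successful logins before cutoff."""
    baseline = defaultdict(set)
    for rec in logins:
        if rec["success"] and rec["time"] < cutoff:
            baseline[rec["user"]].add(rec["ip"])
    return baseline


def find_aitm_candidates(events, cutoff=CUTOFF):
    """Return successful post-cutoff logins from an IP the user never used before.

    MFAUsed == "Yes" is deliberately not treated as exculpatory: a relayed OTP
    satisfies the challenge legitimately from AWS's point of view.
    """
    logins = list(console_logins(events))
    baseline = build_baseline(logins, cutoff)
    alerts = []
    for rec in sorted(logins, key=lambda r: r["time"]):
        if rec["time"] < cutoff or not rec["success"]:
            continue
        if rec["ip"] in baseline[rec["user"]]:
            continue
        alerts.append({
            "user": rec["user"],
            "ip": rec["ip"],
            "time": rec["time"].isoformat(),
            "mfa_used": rec["mfa_used"],
            "known_ips": sorted(baseline[rec["user"]]),
            "reason": "successful console login from an IP outside the user's baseline"
                      + (" (MFA recorded as used: consistent with a relayed OTP)"
                         if rec["mfa_used"] else ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_aitm_candidates(SAMPLE_EVENTS):
        print(alert)
```

In practice the input would come from a CloudTrail Lake or Athena query restricted to eventName = 'ConsoleLogin', and the IP comparison is better done at ASN or geolocation granularity to tolerate roaming users. Users with no pre-window history will fire on their first login, and a victim who normally works from a residential connection produces a noisier baseline; both are reasons to enrich rather than act on this check alone. The useful property is the one the paragraph above implies: the victim's browser never reaches signin.amazonaws.com, so there is no legitimate sign-in from their address to pair with the relay's, and "MFA used" cannot be taken as a sign the login was clean.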
This incident underscores the evolving sophistication of phishing attacks against cloud services. The practical mitigations follow from how the attack works. Phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, which AWS supports for IAM users and the root user, defeats a relay because the authenticator's signature is bound to the origin it is talking to and cannot be replayed from the attacker's domain. Since the relay and not the victim completes the sign-in, monitoring CloudTrail ConsoleLogin events for successful logins from unfamiliar IP addresses or networks, rather than trusting the MFA flag, gives defenders a detection opportunity. Employee awareness of urgent "AWS Support" messages that arrive via third-party mail platforms remains a useful, if secondary, layer.