A newly discovered phishing kit is targeting Amazon Web Services users by silently stealing login credentials and multi-factor authentication codes the moment a victim types them in. Unlike older tools that captured passwords for later use, this kit works in real time — meaning attackers can access a victim’s AWS console before the victim realizes anything is wrong. The campaign was analyzed by Datadog Security Labs and ran between June 19 and 23, 2026.
The Adversary-in-the-Middle Technique
The attack relies on a technique called adversary-in-the-middle (AiTM), which places a hidden relay between the victim and the real AWS login page. When a victim enters credentials and an MFA code, everything is quietly forwarded to the attacker’s server, which passes it to the actual AWS site. This live relay gives attackers a brief window to log in using the stolen session before it expires — making code-based MFA protections effectively useless against this attack vector.
Phishing emails were delivered through trusted platforms like SendGrid and Nimbu, helping them pass email authentication filters such as SPF, DKIM, and DMARC. The email impersonated AWS Support and cited a fabricated bandwidth throttling issue to create urgency, pushing recipients to click quickly without verifying the request.
A Surgical, Targeted Operation
What distinguishes this campaign is its precision. The kit only displayed the fake login page when a valid, pre-verified email address appeared in the URL. Researchers recovered fewer than 50 target addresses, most belonging to software engineers and engineering leaders in the United States. This points to a deliberate, targeted operation rather than mass phishing.
Three phishing domains were identified, all registered within the same 24-hour window through the registrar NICENIC INTERNATIONAL GROUP CO., LIMITED, and hosted behind Cloudflare. Each served a pixel-accurate copy of the AWS Management Console sign-in page.
How the Kit Operates Technically
The core of this kit lived inside a single JavaScript file embedded in the fake page. When a victim visited the site, the JavaScript read an encrypted value from the URL, verified it against the attacker’s server, and only rendered the login form if the visitor matched a known target — effectively blocking security sandboxes and researchers from observing the phishing flow.
Once credentials were submitted, the kit forwarded them to the phishing server, which actively interacted with the real AWS sign-in system in the background to determine which MFA challenge to present next — email, SMS, or a TOTP code. This dynamic relay is what makes AiTM kits categorically more dangerous than static credential-harvesting pages.
Links to a Broader, Multi-Year Threat Actor
Alongside the three AWS domains, researchers found three additional domains impersonating SendGrid, all registered in the same window through the same registrar. All shared an identical React-based structure, the same encrypted email gating mechanism, and full support for all major MFA methods.
Researchers traced the input_24 URL parameter — a fingerprint of this kit — to campaigns dating back to July 2023, targeting cryptocurrency wallet users and impersonating Salesforce login pages. This points to a persistent threat actor who has refined and reused the same toolkit across multiple industries over several years.
Indicators of Compromise
- us-west-login[.]com / aws.us-west-login[.]com — AWS phishing domain
- us-east-prod[.]com / aws.us-east-prod[.]com — AWS phishing domain
- loginportal-aws[.]com — AWS phishing domain
- switch-sglogin[.]com — SendGrid phishing domain
- uslogin-prodsg[.]com / sendgrid.uslogin-prodsg[.]com — SendGrid phishing domain
- us-west-prod[.]com / sendgrid.us-west-prod[.]com — SendGrid phishing domain
How to Defend Against AiTM Attacks
Standard MFA — SMS, email codes, and TOTP apps — provides no protection against AiTM phishing because the attacker relays valid codes in real time. The only MFA method resistant to this attack class is FIDO2/passkey-based authentication, which cryptographically binds the login to the legitimate origin domain: the authenticator will not produce a valid assertion for a look-alike domain, so the relay has nothing usable to forward to the real site.
Organizations should monitor AWS CloudTrail for ConsoleLogin events that follow DNS queries to the known phishing domains. Because the relay completes the login from the attacker’s infrastructure, the ConsoleLogin source IP will usually not match the host that resolved the phishing domain, so correlate on the user and the time window rather than on the IP, and do not treat a recorded MFA use as reassurance. A successful login appearing shortly after contact with a phishing domain is a strong indicator of a compromised session that needs immediate revocation and investigation.
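As an added example (not part of the article or of Datadog's research), the following Python script correlates Route 53 Resolver query-log records with CloudTrail ConsoleLogin events over constructed sample data, keyed on the user rather than the source IP. The mapping from resolver source address to IAM user name is an assumption that in practice would come from asset or endpoint inventory.

```python
from datetime import datetime, timedelta

# Domains from the report, un-defanged for matching; subdomains are matched too.
PHISHING_DOMAINS = {
    "us-west-login.com", "us-east-prod.com", "loginportal-aws.com",
    "switch-sglogin.com", "uslogin-prodsg.com", "us-west-prod.com",
}
# Assumed asset-inventory mapping: resolver source address -> IAM user name.
WORKSTATION_USER = {"10.0.1.25": "jdoe"}

def is_phishing_domain(qname):
    """True for a listed domain or any subdomain of it (e.g. aws.us-west-login.com)."""
    name = qname.rstrip(".").lower()
    return name in PHISHING_DOMAINS or any(name.endswith("." + d) for d in PHISHING_DOMAINS)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_suspect_logins(dns_logs, trail, window=timedelta(hours=1)):
    """Successful ConsoleLogin events for a user whose workstation resolved a phishing
    domain within `window` beforehand. Keyed on the user: in an AiTM relay the
    login's sourceIPAddress is the attacker's server, not the victim's host."""
    contacts = []
    for r in dns_logs:
        user = WORKSTATION_USER.get(r["srcaddr"])
        if user and is_phishing_domain(r["query_name"]):
            contacts.append((parse_ts(r["query_timestamp"]), user, r["query_name"]))
    alerts = []
    for ev in trail:
        if ev["eventName"] != "ConsoleLogin" or ev["responseElements"].get("ConsoleLogin") != "Success":
            continue
        t, user = parse_ts(ev["eventTime"]), ev["userIdentity"].get("userName")
        for ct, cu, dom in contacts:
            if cu == user and ct <= t <= ct + window:
                alerts.append({"user": user, "domain": dom, "login_ip": ev["sourceIPAddress"],
                               "mfa": ev["additionalEventData"].get("MFAUsed"),
                               "delay_s": int((t - ct).total_seconds())})
    return alerts

# Constructed sample records using Route 53 Resolver query-log and CloudTrail field names.
DNS_LOGS = [
    {"query_timestamp": "2026-06-20T09:15:00Z", "query_name": "console.aws.amazon.com.", "srcaddr": "10.0.1.25"},
    {"query_timestamp": "2026-06-20T14:02:11Z", "query_name": "aws.us-west-login.com.", "srcaddr": "10.0.1.25"},
]
TRAIL = [  # first login predates the contact (benign); second follows it by 149 s from a new IP
    {"eventTime": "2026-06-20T09:20:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "jdoe"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-06-20T14:04:40Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "jdoe"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]
```

Running `find_suspect_logins(DNS_LOGS, TRAIL)` returns only the second login, with MFAUsed still reported as "Yes", which is exactly why a recorded MFA use is no evidence against an AiTM compromise.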
Source: Cyber Security News, June 25, 2026. Original research by Datadog Security Labs.