AWS AiTM Phishing Kit Steals Console Credentials and MFA Codes in Real Time
A newly discovered adversary-in-the-middle phishing kit targets Amazon Web Services users by live-relaying credentials and MFA tokens to the attacker's server, bypassing multi-factor authentication protections.

A sophisticated phishing kit targeting Amazon Web Services (AWS) console credentials has been uncovered by Datadog Security Labs, demonstrating a real-time adversary-in-the-middle (AiTM) attack that bypasses multi-factor authentication (MFA). The campaign ran from June 19 to June 23, 2026, and used three domains impersonating AWS login pages, hosted on Cloudflare and registered through NICENIC INTERNATIONAL GROUP CO., LIMITED.
The kit's core innovation is its ability to relay credentials and MFA tokens live to the attacker's server, which then interacts with the legitimate AWS authentication endpoint. Unlike traditional phishing kits that capture credentials for later use, this AiTM approach allows attackers to log into the victim's AWS console during the same session, before the MFA token expires. The attack emails, sent via SendGrid and Nimbu, impersonated AWS Support and warned of a fabricated bandwidth throttling issue to create urgency.
The campaign was highly targeted, with fewer than 50 pre-verified email addresses belonging to software engineers and technical leaders in the United States. The phishing page only rendered the login form if the visitor's email matched a known target, a technique that evades automated sandbox analysis. The JavaScript embedded in the page read an encrypted parameter from the URL, verified it against the attacker's server, and only then displayed the fake AWS sign-in interface.
Once a victim submitted credentials and an MFA code, the kit forwarded them to the attacker's backend, which interacted with the real AWS login flow. The server could determine which MFA challenge to present next—email, SMS, or TOTP—by relaying data to the legitimate site. This live relay is what makes AiTM kits far more dangerous than traditional credential harvesters, as they can complete the authentication process in real time.
Datadog researchers also identified three additional domains impersonating SendGrid, registered in the same batch and sharing the same code structure. The kit's fingerprint, an input_24 URL parameter, has been traced to campaigns dating back to July 2023, including attacks on cryptocurrency wallet users and Salesforce login pages. This suggests a persistent threat actor refining a reusable toolkit.
Organizations should monitor DNS logs for queries to the identified phishing domains and review AWS CloudTrail for ConsoleLogin events that occur shortly after traffic to those domains. A successful login immediately following a phishing page visit is a strong indicator of compromise. Defenders are urged to treat AWS console credentials as a high-value target and enforce hardware security keys or conditional access policies to mitigate AiTM risks.
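The correlation the article recommends, written out as an added example (this is not code from the Datadog report or from the phishing kit). It joins resolver query logs against CloudTrail ConsoleLogin records and raises an alert when a successful console login lands within a short window after any internal host resolved a known phishing domain. The domain names are labelled placeholders standing in for the indicators in the report, the log lines and CloudTrail records are constructed, and the 15-minute window is an assumption to tune for your environment. Note that because the attacker's relay server performs the real AWS login, the CloudTrail sourceIPAddress will normally differ from the victim host that made the DNS query, and MFAUsed will read "Yes"; neither should be allowed to suppress the alert.

```python
"""Correlate DNS queries for phishing domains with AWS CloudTrail ConsoleLogin events.

Added detection example, not from the original report. Domains below are placeholders;
substitute the indicators published by Datadog. All log data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Placeholder indicators (the real domains are listed in the Datadog write-up).
PHISHING_DOMAINS = {"aws-signin.example.invalid", "sendgrid-login.example.invalid"}

# Constructed resolver log: "<ISO timestamp> <client IP> <query name> <record type>"
DNS_LOG = """\
2026-06-20T14:02:11Z 10.20.30.41 aws-signin.example.invalid A
2026-06-20T14:02:11Z 10.20.30.41 cdn.cloudflare.net A
2026-06-20T15:40:03Z 10.20.30.77 console.aws.amazon.com A
2026-06-21T09:15:30Z 10.20.30.12 sendgrid-login.example.invalid A
"""

# Constructed CloudTrail ConsoleLogin records, trimmed to the fields used here.
# The first login reports MFAUsed=Yes from an external IP: exactly what an AiTM
# relay produces, since the attacker's server completes the MFA step for the victim.
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T14:05:48Z",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T15:41:10Z",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "asmith"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-21T09:16:02Z",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "mlee"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def parse_time(ts: str) -> datetime:
    """Parse the CloudTrail / resolver timestamp format (UTC, second precision)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def phishing_dns_hits(dns_log: str, domains: set) -> list:
    """Return resolver queries whose name matches a phishing domain."""
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname, _qtype = line.split()
        if qname.rstrip(".").lower() in domains:
            hits.append({"time": parse_time(ts), "client": client_ip, "domain": qname})
    return hits


def correlate(dns_hits: list, events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Alert on successful ConsoleLogin events shortly after a phishing-domain lookup.

    Source IP is deliberately NOT required to match: in an AiTM relay the login
    originates from the attacker's infrastructure, not the victim's workstation.
    """
    alerts = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        login_time = parse_time(ev["eventTime"])
        for hit in dns_hits:
            if hit["time"] <= login_time <= hit["time"] + window:
                alerts.append({
                    "user": ev["userIdentity"].get("userName"),
                    "login_time": ev["eventTime"],
                    "login_source_ip": ev["sourceIPAddress"],
                    "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed"),
                    "domain": hit["domain"],
                    "dns_client": hit["client"],
                    "lag_seconds": int((login_time - hit["time"]).total_seconds()),
                })
    return alerts


def run_detection() -> list:
    """Run the correlation over the constructed sample data."""
    return correlate(phishing_dns_hits(DNS_LOG, PHISHING_DOMAINS), CLOUDTRAIL_EVENTS)


if __name__ == "__main__":
    for alert in run_detection():
        print("POSSIBLE AiTM CONSOLE COMPROMISE:", alert)
```

On the sample data this flags only the jdoe login: it succeeded 217 seconds after an internal host resolved a phishing placeholder domain, with MFA reported as used. The failed mlee login after the second lookup is not alerted here, though a failure shortly after a phishing lookup is still worth a lower-severity note in practice.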