EXECUTIVE SUMMARY:
An adversary-in-the-middle (AiTM) phishing campaign has been observed targeting cloud users by impersonating the AWS Management Console through convincing lookalike login pages. Instead of only collecting usernames and passwords, the phishing framework intercepts authentication traffic in real time, enabling attackers to capture multi-factor authentication (MFA) codes and authenticated session data. The campaign demonstrates how modern phishing operations can bypass traditional MFA protections and rapidly obtain unauthorized access to cloud environments.
The phishing kit presents a near-identical replica of the AWS sign-in page and validates intended victims before displaying the login interface. It processes encrypted identifiers embedded in phishing URLs, retrieves victim-specific information from backend APIs, and dynamically renders the phishing page only for validated targets. Once credentials are submitted, the kit proxies authentication requests to the legitimate AWS service and determines the victim's configured MFA method, including SMS, email, or authenticator applications. It then captures one-time authentication codes in real time while forwarding requests to the legitimate service, enabling attackers to establish authenticated sessions immediately after successful login. The operation also leverages legitimate email distribution platforms and multiple redirect stages to improve email deliverability, evade spam detection, and increase the authenticity of phishing messages.
This campaign highlights the growing effectiveness of AiTM phishing frameworks in bypassing traditional MFA protections by capturing authentication data during live login sessions. Organizations should strengthen defenses by adopting phishing-resistant authentication methods such as hardware security keys or passkeys, monitoring cloud authentication logs for anomalous console access, restricting access through conditional policies, and educating users to access AWS resources only through trusted bookmarks or verified portals instead of links received in email messages.
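To make the log-monitoring recommendation above concrete, here is an added example (not code from the original advisory or the referenced reports) that runs two simple rules over constructed CloudTrail-shaped ConsoleLogin records: a successful MFA sign-in from a source address the user has never used, and two successful sign-ins from different addresses within a short window. Because the kit proxies the victim's login to the real AWS service, the sign-in AWS records originates from the proxy infrastructure rather than the victim's usual network, which is what these rules key on; the per-user IP baseline and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-shaped ConsoleLogin records; not real telemetry.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]

# Assumed per-user baseline of previously seen source IPs (e.g. office egress); constructed.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}


def detect_suspicious_console_logins(events, known_ips, window=timedelta(minutes=15)):
    """Return (user, rule, detail) alerts for successful console sign-ins that look proxied."""
    alerts = []
    last_success = {}  # user -> (time, ip) of that user's most recent successful sign-in
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts are out of scope for these two rules
        user = ev["userIdentity"].get("userName", "<unknown>")
        ip = ev["sourceIPAddress"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        # Rule 1: MFA was satisfied, yet the session originated from an IP this user never used.
        if mfa and ip not in known_ips.get(user, set()):
            alerts.append((user, "mfa_success_from_unseen_ip", ip))
        # Rule 2: the same user signed in successfully from two different IPs inside the window.
        prev = last_success.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            alerts.append((user, "two_ips_within_window", f"{prev[1]}->{ip}"))
        last_success[user] = (ts, ip)
    return alerts
```

In the constructed sample only alice trips both rules: her second sign-in three minutes later comes from an address outside her baseline, which is the pattern a proxied AiTM session produces after the victim has legitimately passed MFA.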
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1589.001 | Gather Victim Identity Information | Credentials |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1587.001 | Develop Capabilities | Malware |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Stealth | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Credential Access | T1111 | Multi-Factor Authentication Interception | - |
| Collection | T1119 | Automated Collection | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/aitm-phishing-kit-steals-console-credentials/
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/