Datadog Security Research identified a June 2026 wave of AWS console phishing sites that used adversary-in-the-middle techniques to steal credentials and MFA codes in real time. The campaign also included SendGrid-themed lures, a targeting-gated phishing kit, and indicators linked to domains registered through NICENIC INTERNATIONAL GROUP CO., LIMITED and hosted on Cloudflare. #AWS #SendGrid #Cloudflare #NICENICINTERNATIONALGROUPCOLIMITED
Keypoints
- Datadog observed three AWS phishing domains registered within a 48-hour period in June 2026 and hosted on Cloudflare.
- The phishing pages closely cloned the AWS console sign-in page to trick victims into entering credentials.
- The kit used adversary-in-the-middle (AiTM) methods to capture MFA challenges in real time, including email, SMS, and authenticator-app codes.
- A VirusTotal batch file appeared to be an attacker validation artifact and referenced one of the phishing domains, WHOIS lookups, and email-delivery infrastructure.
- The operators used legitimate email platforms such as SendGrid and Nimbu to improve deliverability and bypass spam filtering.
- The phishing kit gated access using an encrypted URL parameter named input_24, suggesting targeted rather than mass phishing.
- Datadog provided CloudTrail and DNS hunting guidance to detect possible credential replay and successful AWS ConsoleLogin events.
MITRE Techniques
- [T1566.002] Spearphishing Link – Victims were directed to credential-harvesting AWS lookalike sites through targeted phishing links and emails (‘phishing sites attempting to harvest victim credentials’ and ‘The operators sent phishing emails through legitimate platforms’).
- [T1133] External Remote Services – The attack targeted AWS console access, a cloud remote login service (‘AWS console phishing sites’ and ‘check AWS CloudTrail for ConsoleLogin events’).
- [T1111] Multi-Factor Authentication Interception – The kit captured MFA codes in real time via a proxy-like AiTM flow (‘used adversary-in-the-middle (AiTM) techniques to capture multi-factor authentication (MFA) codes in real time’ and ‘captures second factors delivered via email, SMS, or a time-based one-time password (TOTP)’).
- [T1056.001] Keylogging – The phishing forms collected entered usernames, passwords, and verification codes before forwarding them (‘after a victim submits initial credentials’ and ‘forwards everything to /api/auth’).
- [T1583.001] Acquire Infrastructure: Domains – Attackers registered multiple lookalike domains for the campaign (‘Three domains, registered within the same 48-hour window’ and ‘registered between June 16 and 18, 2026’).
- [T1583.006] Acquire Infrastructure: Web Services – The campaign used Cloudflare and legitimate email services such as SendGrid and Nimbu to host or deliver content (‘hosted on Cloudflare’ and ‘through legitimate platforms such as SendGrid and Nimbu’).
- [T1598.003] Phishing for Information: Spearphishing via Service – The phishing email impersonated AWS Support and referenced a fabricated support ticket (‘which cited a fabricated support ticket about bandwidth throttling’).
- [T1036] Masquerading – The sites masqueraded as legitimate AWS and SendGrid pages using near-identical branding and naming (‘impersonating the AWS login page’ and ‘Three more domains impersonating SendGrid’).
- [T1016] System Network Configuration Discovery – The batch file queried WHOIS data and pinged domains to validate infrastructure (‘queried WHOIS metadata for aws.us-west-login[.]com’ and ‘pinged a non-existent domain’).
Indicators of Compromise
- [Domains] AWS phishing domains and related subdomains used for credential theft – us-west-login[.]com, aws.us-west-login[.]com, aws-central.us-west-login[.]com, and 2 more domains
- [Domains] SendGrid impersonation domains used in the same campaign – switch-sglogin[.]com, uslogin-prodsg[.]com, and 1 more domain
- [URL Path] Phishing application endpoints used by the kit – /api/check, /api/me, /api/login, and /api/auth
- [URL Parameter] Target-gating parameter embedded in phishing links – input_24
- [File Name] Batch-file artifact observed on VirusTotal and likely used for attacker validation – referenced a campaign script with domain checks and curl commands
- [Domain] Non-existent domain used in validation/testing inside the batch file – 15hourolddomain-bypass-ed-google-workspaceprotection-fuckgoogle[.]com
- [Email/Delivery Services] Legitimate delivery platforms used for phishing delivery – SendGrid and Nimbu
- [Event Type] AWS detection focus for confirming possible compromise – CloudTrail ConsoleLogin events
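An added example (not from the Datadog report or this summary) of the hunting step noted above: it filters CloudTrail records down to successful ConsoleLogin events, flags those from outside a known egress set even when MFAUsed is Yes (an AiTM kit relays the stolen code itself, so MFA does not clear the event), and matches resolver logs against the listed domains. The sample records, the resolver log format and the known-IP set are constructed assumptions.

```python
# Campaign domains as the report lists them (defanged); undefanged for matching.
PHISHING_DOMAINS = {d.replace("[.]", ".") for d in
                    ("us-west-login[.]com", "switch-sglogin[.]com", "uslogin-prodsg[.]com")}
# Constructed sample records in CloudTrail's layout for signin.amazonaws.com events.
SAMPLE_RECORDS = [
    {"eventTime": "2026-06-17T09:58:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-06-17T12:03:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-06-17T12:05:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
]
KNOWN_EGRESS_IPS = {"198.51.100.20"}  # hypothetical: the organisation's own NAT addresses
# Constructed resolver log lines (hypothetical format: timestamp client type qname).
SAMPLE_DNS = [
    "2026-06-17T09:55:02Z 10.0.0.5 A aws.us-west-login.com.",
    "2026-06-17T09:55:09Z 10.0.0.5 A console.aws.amazon.com.",
]

def successful_console_logins(records):
    """Keep only successful ConsoleLogin events, with the fields a hunt needs."""
    out = []
    for r in records:
        if (r.get("eventSource") == "signin.amazonaws.com"
                and r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            out.append({"time": r["eventTime"], "ip": r.get("sourceIPAddress"),
                        "user": r.get("userIdentity", {}).get("userName"),
                        "mfa": r.get("additionalEventData", {}).get("MFAUsed")})
    return out

def replay_candidates(records, known_ips):
    """Successful logins from outside the known egress set. The kit relays the
    password and MFA code itself, so MFAUsed=Yes must not be treated as benign."""
    return [l for l in successful_console_logins(records) if l["ip"] not in known_ips]

def dns_hits(lines):
    """Resolver queries for a campaign domain or any of its subdomains."""
    names = [l.split()[-1].rstrip(".").lower() for l in lines]
    return [q for q in names if any(q == d or q.endswith("." + d) for d in PHISHING_DOMAINS)]
```

A hit from dns_hits close in time to a replay candidate for the same user is the pairing worth escalating first.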
Read more: https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/