New AiTM Phishing Kit Targets AWS Users in Real-Time Credential Theft
A sophisticated phishing campaign targeting Amazon Web Services (AWS) users emerged between June 19 and 23, 2026, using an adversary-in-the-middle (AiTM) technique to steal login credentials and multi-factor authentication (MFA) codes in real time. Unlike traditional phishing kits that harvest credentials for later use, this kit proxies them to AWS the moment they are entered, so the attacker holds an authenticated console session before the victim notices anything wrong. Because the one-time code is relayed within its validity window, code-based MFA offers no protection against it.
Researchers at Datadog Security Labs uncovered the operation and identified three phishing domains registered within a 24-hour window through NICENIC INTERNATIONAL GROUP CO., LIMITED and fronted by Cloudflare. The domains served near-identical clones of the AWS sign-in page. The phishing emails were sent through legitimate delivery platforms, SendGrid and Nimbu, so they arrived from reputable sending infrastructure that passes sender-reputation and email authentication checks rather than from attacker-controlled mail servers. The messages impersonated AWS Support and cited a fabricated "bandwidth throttling" issue to create urgency and prompt a quick click.
The campaign stood out for its precision targeting. The phishing kit rendered the fake login page only for pre-verified email addresses; fewer than 50 victims were identified, primarily software engineers and engineering leaders in the U.S. A JavaScript relay embedded in the page checked the visitor against an encrypted URL parameter carrying the target's identity before rendering the login form. Because a request without a valid parameter never reaches the form, security sandboxes and URL scanners that fetch the bare link see nothing to analyze.
Once credentials were entered, the kit forwarded them to the attacker's server, which submitted them to the legitimate AWS sign-in flow in real time. By interacting with AWS directly, the server learned which MFA challenge type the account used (SMS, email, or TOTP), relayed the victim's code, and captured the resulting authenticated session before it expired. This live relay is what distinguishes AiTM attacks from conventional credential phishing and is why their success rate against MFA-protected accounts is so much higher.
The investigation tied the kit to a broader phishing operation: three additional domains impersonating SendGrid were registered through the same registrar. The kit's structure, including a React-based application layout, encrypted email gating, and MFA relay support, matched earlier campaigns dating back to July 2023 that targeted cryptocurrency wallets and Salesforce logins. A URL parameter named input_24, shared across all of these pages, served as a fingerprint linking the incidents to the same threat actor.
Security teams can detect exposure by monitoring DNS queries for the known phishing domains and reviewing AWS CloudTrail ConsoleLogin events that follow those lookups. A successful ConsoleLogin shortly after a phishing-site visit strongly indicates session hijacking. Because the attacker's server, not the victim's browser, completes the sign-in, the event's sourceIPAddress will typically be the relay infrastructure rather than the organization's usual egress address, and the record will still show MFA as used. Code-based MFA cannot stop this relay; only phishing-resistant factors bound to the site origin, such as FIDO2/WebAuthn security keys or passkeys, defeat it, because the authenticator will not sign a challenge for the phishing domain. The campaign underscores the growing threat of real-time AiTM attacks against cloud services, particularly when combined with social engineering and targeted reconnaissance.
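The detection described above, as an added example that is not part of the article or Datadog's research: it parses constructed resolver log lines, filters them against a watchlist of phishing domains, and flags successful CloudTrail ConsoleLogin events that land within a time window after such a lookup. The CloudTrail field layout (eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, sourceIPAddress) is the real one; the `.invalid` domains, the log lines, the records, and the known-egress address set are all constructed placeholders, since the article does not list the actual domains.

```python
"""Correlate resolver logs for known AiTM phishing domains with AWS CloudTrail
ConsoleLogin events.  All sample data below is constructed for illustration;
the placeholder .invalid domains stand in for the real ones, which the
article does not list."""
from datetime import datetime, timedelta, timezone

# Constructed watchlist (placeholders, not the campaign's real domains).
PHISHING_DOMAINS = {"signin-aws-support.invalid", "aws-console-verify.invalid"}

# Assumed: the organization's known egress addresses (constructed, TEST-NET range).
KNOWN_EGRESS = {"198.51.100.10"}

# Constructed resolver log: "<timestamp> <client ip> <qtype> <qname>" per line.
DNS_LOG = """\
2026-06-20T14:01:55Z 10.0.4.23 A mail.example.com
2026-06-20T14:02:11Z 10.0.4.23 A signin-aws-support.invalid
2026-06-20T15:30:00Z 10.0.7.9 A aws-console-verify.invalid
"""

# Constructed CloudTrail records using the real ConsoleLogin field layout.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2026-06-20T09:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-06-20T14:05:40Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.77",           # relay server, not our egress
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},  # MFA "used": the code was relayed
    {"eventTime": "2026-06-20T15:32:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "203.0.113.77",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2026-06-20T18:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "sourceIPAddress": "198.51.100.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_dns_log(text):
    """Turn resolver log lines into dicts with a UTC timestamp and normalized name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = line.split()
        events.append({"ts": parse_ts(ts), "client": client,
                       "qname": qname.lower().rstrip(".")})
    return events


def phishing_lookups(dns_events, watchlist=PHISHING_DOMAINS):
    """Resolver queries whose name is on the phishing-domain watchlist."""
    return [e for e in dns_events if e["qname"] in watchlist]


def find_suspicious_logins(dns_events, records, window=timedelta(minutes=30),
                           known_egress=KNOWN_EGRESS):
    """Successful ConsoleLogin events within `window` after a phishing lookup.
    Source IPs are deliberately not joined: in an AiTM relay the login comes
    from the attacker's server, so an address outside the known egress set is
    itself part of the signal rather than a reason to discard the match."""
    lookups = phishing_lookups(dns_events)
    alerts = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        login_ts = parse_ts(rec["eventTime"])
        preceding = [lk for lk in lookups
                     if timedelta(0) <= login_ts - lk["ts"] <= window]
        if not preceding:
            continue
        trigger = max(preceding, key=lambda lk: lk["ts"])  # most recent lookup
        alerts.append({
            "user": rec["userIdentity"].get("userName"),
            "login_time": rec["eventTime"],
            "source_ip": rec["sourceIPAddress"],
            "from_known_egress": rec["sourceIPAddress"] in known_egress,
            "mfa_used": rec.get("additionalEventData", {}).get("MFAUsed"),
            "lookup_client": trigger["client"],
            "lookup_domain": trigger["qname"],
            "lag_seconds": int((login_ts - trigger["ts"]).total_seconds()),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_dns_log(DNS_LOG), CLOUDTRAIL_RECORDS):
        print(alert)
```

On the constructed data only the "alice" login is flagged: it follows a watchlisted lookup by 209 seconds, comes from an address outside the known egress set, and records MFA as used, which is exactly the shape a relayed sign-in takes. The failed "carol" attempt is skipped because the page's indicator is a successful login; in production you would likely still surface failures from the same non-egress address as lower-severity context.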
Source: https://cybersecuritynews.com/aitm-phishing-kit-steals-console-credentials/
SendGrid TPRM report: https://www.rankiteo.com/company/sendgrid
Nimbu TPRM report: https://www.rankiteo.com/company/nimbuitservices
Amazon Web Services TPRM report: https://www.rankiteo.com/company/amazon-web-services
"id": "nimsenama1782455164",
"linkid": "nimbuitservices, sendgrid, amazon-web-services",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': '<50',
'industry': 'Technology, Software Engineering',
'location': 'U.S.',
'name': 'Amazon Web Services (AWS) users',
'type': 'Cloud service users'}],
'attack_vector': 'Email (SendGrid, Nimbu), Adversary-in-the-Middle (AiTM)',
'data_breach': {'number_of_records_exposed': '<50',
'personally_identifiable_information': 'Potentially (depends '
'on AWS account '
'contents)',
'sensitivity_of_data': 'High (AWS access credentials)',
'type_of_data_compromised': 'Login credentials, MFA codes'},
'date_detected': '2026-06-19',
'description': 'A sophisticated phishing campaign targeting Amazon Web '
'Services (AWS) users emerged between June 19 and 23, 2026, '
'leveraging an adversary-in-the-middle (AiTM) technique to '
'steal login credentials and multi-factor authentication (MFA) '
'codes in real time. The kit intercepts and relays credentials '
'instantly, allowing attackers to access victims’ AWS consoles '
'before they detect the breach, rendering MFA protections '
'ineffective.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to AWS '
'and affected organizations',
'data_compromised': 'AWS login credentials, MFA codes',
'identity_theft_risk': 'High (PII and access credentials '
'compromised)',
'operational_impact': 'Unauthorized access to cloud resources',
'systems_affected': 'AWS consoles'},
'initial_access_broker': {'backdoors_established': 'Real-time credential '
'relay',
'entry_point': 'Phishing emails (SendGrid, Nimbu)',
'high_value_targets': 'Software engineers and '
'engineering leaders in the '
'U.S.'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Real-time AiTM attacks can bypass MFA protections, '
'underscoring the need for enhanced monitoring and '
'detection of phishing domains. Targeted reconnaissance '
'increases attack success rates.',
'motivation': 'Credential theft, unauthorized access to AWS accounts',
'post_incident_analysis': {'corrective_actions': ['Enhanced monitoring of '
'phishing domains',
'AWS CloudTrail log reviews '
'for suspicious activity',
'User education on phishing '
'risks'],
'root_causes': ['Sophisticated AiTM phishing kit '
'with real-time credential relay',
'Targeted reconnaissance to verify '
'victim emails',
'Use of trusted email platforms '
'(SendGrid, Nimbu) to bypass '
'filters']},
'recommendations': ['Monitor DNS queries to known phishing domains',
'Review AWS CloudTrail logs for suspicious ConsoleLogin '
'events following phishing site access',
'Implement additional authentication layers beyond MFA',
'Educate users on recognizing phishing attempts, '
'especially those impersonating trusted services'],
'references': [{'source': 'Datadog Security Labs'}],
'response': {'enhanced_monitoring': 'AWS CloudTrail log review for '
'phishing-related access',
'remediation_measures': 'Monitoring DNS queries to phishing '
'domains, reviewing AWS CloudTrail logs '
'for suspicious ConsoleLogin events',
'third_party_assistance': 'Datadog Security Labs'},
'title': 'New AiTM Phishing Kit Targets AWS Users in Real-Time Credential '
'Theft',
'type': 'Phishing',
'vulnerability_exploited': 'Real-time credential relay, MFA bypass'}