New AiTM Phishing Kit Targets AWS Users in Real-Time Credential Theft A sophisticated phishing campaign targeting Amazon Web Services (AWS) users emerged between June 19 and 23, 2026, leveraging an adversary-in-the-middle (AiTM) technique to steal login credentials and multi-factor authentication (MFA) codes in real time. Unlike traditional phishing tools that capture data for later use, this kit intercepts and relays credentials instantly, allowing attackers to access victims’ AWS consoles before they detect the breach rendering MFA protections ineffective. Researchers at Datadog Security Labs uncovered the operation, identifying three phishing domains registered within a 24-hour window via NICENIC INTERNATIONAL GROUP CO., LIMITED and hosted on Cloudflare. The domains served near-identical clones of the AWS login page, designed to evade detection. Attackers distributed phishing emails through trusted platforms like SendGrid and Nimbu, bypassing email authentication filters. The messages impersonated AWS Support, citing a fabricated "bandwidth throttling" issue to create urgency and prompt quick clicks. The campaign stood out for its precision targeting: the phishing kit only displayed the fake login page for pre-verified email addresses, with fewer than 50 victims identified primarily software engineers and engineering leaders in the U.S. The attack relied on a JavaScript-based relay embedded in the phishing page, which validated victims against an encrypted URL parameter before rendering the login form. This mechanism also blocked security sandboxes from analyzing the page’s behavior. Once credentials were entered, the kit forwarded them to the attacker’s server, which relayed them to the legitimate AWS site in real time. The server dynamically determined the MFA challenge type (SMS, email, or TOTP) by interacting with AWS, then captured and replayed the victim’s session before it expired. This live relay distinguishes AiTM attacks from conventional phishing, significantly increasing their success rate. The investigation revealed ties to a broader phishing operation, with three additional domains impersonating SendGrid registered through the same registrar. The kit’s infrastructure including a React-based app structure, encrypted email gating, and MFA support matched earlier campaigns dating back to July 2023, including attacks on cryptocurrency wallets and Salesforce logins. A shared input_24 URL parameter served as a fingerprint linking these incidents to the same threat actor. Security teams can detect potential breaches by monitoring DNS queries to the known phishing domains and reviewing AWS CloudTrail logs for ConsoleLogin events following interactions with those domains. A successful login immediately after phishing site access strongly indicates session hijacking. The campaign underscores the growing threat of real-time AiTM attacks against cloud services, particularly when combined with social engineering and targeted reconnaissance.