Phishing page | Image: Datadog Security Research
In a sophisticated escalation of cloud-targeting attacks, Datadog Security Research has uncovered an active adversary-in-the-middle (AiTM) phishing campaign specifically designed to harvest AWS Console credentials. Unlike traditional phishing that simply records passwords, this operation uses a real-time proxy to intercept one-time passwords (OTP) and session tokens, allowing attackers to breach accounts in under 20 minutes.
The campaign relies on a high-fidelity clone of the AWS Management Console sign-in page. The kit is so convincing that it even serves assets hosted on legitimate AWS CloudFront domains and uses identical UI framework stylesheets.
As the researchers at Datadog explain: “The phishing kit proxies authentication to the legitimate AWS sign-in endpoint in real time, validating credentials before redirecting victims and likely capturing one-time password (OTP) codes”.
Because the kit functions as a transparent reverse proxy, it forwards the victim’s input to the actual AWS endpoint immediately. If the user enters an MFA code, the attacker captures it and uses it to establish a valid session before the code expires.
The attackers are using typosquatted domains that mimic official AWS naming conventions to lower a user’s guard. Datadog identified several active clusters, with many domains registered and deployed on the same day—a sign of “rapid infrastructure rotation”.
| Cluster | Root Domain | Primary Purpose |
|---|---|---|
| Cluster 1 | cloud-recovery[.]net | Credential harvesting and product spoofing |
| Cluster 2 | cloud-policy[.]com | Real-time proxying and rapid deployment |
| Cluster 3 | cloud-recovery[.]us | Related infrastructure (currently inactive) |
Attackers also spoofed subdomains to match AWS regions, such as us-east-1.console.aws.cloud-recovery[.]net, making the URL nearly indistinguishable from a genuine request.
The campaign often begins with a spoofed email (purportedly from noreply@security.aws) claiming that AWS Security Hub has detected “unusual cross-account IAM role assumption patterns”.
To increase the link’s perceived legitimacy, the attackers use AWS SES click-tracking domains (awstrack.me), which are often trusted by email filters. Once clicked, the victim is put through a multi-stage redirect before landing on the harvesting page.
The speed of this operation is its most dangerous feature. In one observed case, an attacker authenticated to a compromised account using a Mullvad VPN node just 20 minutes after the victim submitted their credentials. This suggests the presence of either an automated pipeline or an operator actively monitoring an administrative panel.
Datadog emphasizes that “this campaign does not exploit AWS vulnerabilities or abuse AWS infrastructure”. Instead, it exploits human trust.
To protect your AWS organization, security teams should:
- Enforce FIDO2/WebAuthn MFA: Unlike SMS or TOTP codes, hardware-based security keys are resistant to AiTM proxying, because the signed challenge is bound to the origin the browser is actually talking to, so a response produced on the phishing domain is useless against the real AWS sign-in endpoint.
- Monitor Egress Traffic: Look for connections to the identified typosquatted domains like cloud-recovery[.]net.
- Verify Service Alerts: Always navigate directly to the AWS Console via a trusted bookmark rather than clicking links in security alert emails.
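As an added illustration of the egress-monitoring advice above (example code written for this article, not Datadog's), the script below scans constructed DNS-log lines for the three published root domains and, more generally, for any hostname that embeds AWS console or sign-in labels under a registrable domain other than Amazon's, which is how the region-prefixed spoofed subdomains are built. The log format, the `query=` field and the `cloud-login-example.org` host are constructed for the example.

```python
import re

# Root domains named in the article, kept defanged exactly as published.
PUBLISHED_ROOTS = ("cloud-recovery[.]net", "cloud-policy[.]com", "cloud-recovery[.]us")

# Registrable domains that genuinely host AWS sign-in and console pages.
LEGIT_AWS_ROOTS = {"amazon.com", "amazonaws.com"}

# Label sequences found in genuine AWS console/sign-in hostnames; seeing one
# under any other registrable domain marks the host as a look-alike.
AWS_MARKERS = ("console.aws", "signin.aws", "aws.amazon")

# Constructed sample log lines (hypothetical format: timestamp, client, query).
SAMPLE_LOG = """\
2025-01-15T10:03:22Z src=10.0.4.17 query=us-east-1.console.aws.cloud-recovery.net
2025-01-15T10:03:25Z src=10.0.4.17 query=awstrack.me
2025-01-15T10:04:01Z src=10.0.4.22 query=us-east-1.console.aws.amazon.com
2025-01-15T10:05:40Z src=10.0.4.31 query=signin.aws.cloud-login-example.org.
"""
QUERY_RE = re.compile(r"query=(\S+)")


def refang(indicator):
    """Turn a defanged indicator ('a[.]b') back into a resolvable name."""
    return indicator.replace("[.]", ".").lower()


def registrable_domain(host):
    """Last two labels of a host. Simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host):
    """Return a detection reason for a hostname, or None if it looks benign."""
    host = host.lower().rstrip(".")
    root = registrable_domain(host)
    if root in {refang(r) for r in PUBLISHED_ROOTS}:
        return "known-ioc"  # exact match on a published root domain
    if root not in LEGIT_AWS_ROOTS and any(m in host for m in AWS_MARKERS):
        return "aws-lookalike"  # AWS-style labels under a foreign root
    return None


def scan(log_text):
    """Scan log lines and return (hostname, reason) for every hit."""
    hits = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        reason = classify(match.group(1)) if match else None
        if reason:
            hits.append((match.group(1).lower().rstrip("."), reason))
    return hits
```

Genuine hosts such as awstrack.me and us-east-1.console.aws.amazon.com pass through untouched, so the output is a short list of hosts worth investigating rather than a noisy feed.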