Fake AWS pages bypass MFA and put cloud credentials in cybercriminals’ hands
Publish Date: 2026-06-26 01:05:00
Source Domain: www.escudodigital.com
A highly targeted phishing campaign has set its sights on Amazon Web Services (AWS) users by using cloned login pages capable of capturing credentials and multifactor authentication (MFA) codes in real-time.
According to security researchers, the attacks are designed to steal entire sessions rather than just extracting passwords.
The operation has been characterized by its high level of selectivity, with nearly fifty identified targets, mainly software engineers in the U.S.
The investigation indicates that the phishing infrastructure has been active since at least mid-2025 and that similar techniques have been used in previous campaigns against cryptocurrency wallets and Salesforce credentials.
Modus Operandi
The attackers have used phishing emails that mimic communications from AWS technical support. In them, victims are warned of supposed urgent issues, such as bandwidth limitations or support ticket incidents, prompting the user to click on a malicious link.
This link directs to a page that accurately reproduces the AWS login console. The aim is for the victim to enter their credentials without suspecting it is a fraudulent environment.
Once the victim enters a username and password, the phishing page forwards them to the legitimate service in the background. AWS then requests the second authentication factor, such as an SMS code, an email, or an application token.
This is the step the cybercriminals exploit. The phishing system relays that flow in real time: when the victim enters the MFA code, the thieves intercept it and forward it to AWS before it expires, which lets them hijack the authenticated session.
In technical jargon, these types of attacks are known as ‘Adversary-in-the-Middle’ (AiTM), where the attacker acts as an intermediary between the user and the legitimate service without directly breaking the authentication mechanisms.
Many Tricks
To distribute the emails, threat actors have resorted to legitimate email sending services like SendGrid and Nimbu, allowing them to bypass traditional spam filters.
Additionally, the infrastructure has relied on services linked to Cloudflare, making it difficult to trace and block.
To make matters worse, the phishing page does not remain static but functions as a dynamic system designed to filter victims. When the user accesses the malicious link, the server checks a hidden parameter in the URL (input_24) that contains the victim’s encrypted email.
If the data matches the target list, the fake login page is displayed; if not, the system returns a blank screen to avoid security analysis. This indicates that we are talking about a highly targeted campaign, not a ‘shot in the dark.’
Furthermore, researchers have also identified several domains used in the campaign that mimic official AWS services, such as aws-us-west-login[.]com or aws-us-east-prod[.]com, among others. All of them have been classified as indicators of compromise.
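As an added example, not part of the article or of the researchers' tooling, the following script scans constructed proxy-log lines for the two artefacts described above: hostnames with an `aws-` label that are not under Amazon's own domains (generalising the two named lookalikes to any such label), and links carrying the `input_24` victim-gating parameter. The log format, the allow-list of legitimate suffixes and the sample entries are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Any DNS label beginning with "aws-" (e.g. aws-us-west-login.com) on a
# host that is not Amazon's own is treated as a lookalike.
AWS_LABEL = re.compile(r"(^|\.)aws-", re.IGNORECASE)
# Assumed allow-list for this example; extend with your own known-good hosts.
LEGIT_HOSTS = ("amazon.com", "amazonaws.com")

def refang(url):
    """Turn de-fanged IoC notation (hxxp, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def host_is_legit(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)

def classify(url):
    """Return the reasons a URL resembles the campaign's phishing link."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    if not host_is_legit(host) and AWS_LABEL.search(host):
        reasons.append("aws-lookalike-host")
    # The article describes input_24 as the encrypted-email gate that decides
    # whether the fake console or a blank page is served.
    if "input_24" in parse_qs(parts.query):
        reasons.append("victim-gating-param:input_24")
    return reasons

def scan_proxy_log(lines):
    """Constructed line format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

# Constructed sample log; the two lookalike domains are the ones named above.
SAMPLE_LOG = """\
2026-06-20T09:14:02Z 10.0.0.12 GET https://aws-us-west-login.com/console?input_24=ZXhhbXBsZQ== 200
2026-06-20T09:15:44Z 10.0.0.13 GET https://signin.aws.amazon.com/console 200
2026-06-20T09:16:10Z 10.0.0.12 GET https://aws-us-east-prod.com/ 200
2026-06-20T09:17:00Z 10.0.0.14 GET https://example.com/?input_24=abc 200
""".splitlines()

if __name__ == "__main__":
    for client, url, why in scan_proxy_log(SAMPLE_LOG):
        print(client, url, ", ".join(why))
```

When detonating a reported link in a sandbox, keep the full URL including `input_24`: the article notes the server returns a blank page when the parameter does not match a listed target, so a stripped URL will show nothing to analyse.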