Attackers Use AiTM Phishing Kit, Typosquatted Domains to Hijack AWS Accounts

Help Net Security, Mar 10, 2026

Why It Matters

Compromised AWS accounts give attackers direct control over cloud resources, risking data breaches, unauthorized deployments, and persistent footholds. The rapid, automated credential‑testing approach amplifies the threat across the cloud services market.

Key Takeaways

  • AiTM phishing kit proxies AWS login in real time
  • Typosquatted domains mimic AWS alerts to lure admins
  • Attackers captured credentials and MFA within 20 minutes
  • Compromised accounts enable data theft, resource manipulation
  • Shared kit also targets Microsoft 365 and Apple iCloud

Pulse Analysis

The surge in cloud adoption has made AWS a prime target for sophisticated phishing operations. Unlike traditional credential‑stealing emails, the AiTM (Adversary‑in‑the‑Middle) approach creates a seamless illusion of legitimacy by acting as a live conduit between the victim and Amazon’s authentication service. This method not only captures static passwords but also intercepts one‑time MFA tokens, effectively neutralizing the additional security layer that many organizations rely on. By leveraging typosquatted domains that closely resemble official AWS URLs, attackers increase click‑through rates and reduce suspicion among cloud administrators.

Technical analysis reveals that the phishing kit is highly modular, allowing rapid domain registration and deployment to evade detection. Once a victim submits credentials, the proxy forwards the request to AWS, receives the authentication response, and simultaneously logs the data for the attacker. The observed 20‑minute window between credential capture and successful login suggests an automated pipeline that validates and exploits credentials almost instantly, possibly using scripted bots to test access against known AWS endpoints. The kit’s administrative panel, discovered across multiple domains, also supports impersonation of Microsoft 365 and Apple iCloud, indicating a broader, shared infrastructure among threat actors targeting high‑value SaaS platforms.

Mitigation requires a layered defense strategy. Organizations should enforce hardware‑based MFA, such as YubiKeys, which are resistant to real‑time interception: FIDO2/WebAuthn keys bind the signed challenge to the site's real origin, so a proxy sitting on a look‑alike domain cannot complete the login. Continuous monitoring for anomalous login locations, especially from VPN exit nodes, can flag compromised accounts early. Email security solutions must be tuned to detect subtle variations in sender domains and subject lines that mimic official AWS communications. Finally, threat‑intelligence sharing about emerging phishing kits can accelerate takedown efforts and reduce the attack surface across the cloud ecosystem.
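As an added example (not code from the article or from the phishing kit it describes), the following classifier flags sender domains that imitate AWS: it folds visually confusable characters, measures edit distance to an allow-list, and catches brand words embedded in unrelated domains. The allow-list and all sample domains are constructed for illustration, not taken from the reported campaign.

```python
# Added example for a mail filter: is this sender domain legitimate AWS, a look-alike,
# or unrelated? Allow-list and samples are constructed assumptions, not real indicators.

LEGIT_AWS_DOMAINS = ("amazon.com", "amazonaws.com", "amazonses.com")  # assumed allow-list
BRAND_TOKENS = ("amazon", "aws")
# Single-character confusables; multi-character ones are handled in fold_confusables().
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_part(domain: str) -> str:
    """Naive 'last two labels' registrable domain (no public-suffix list handling)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def fold_confusables(text: str) -> str:
    """Map visually similar characters to the letters they imitate (0->o, rn->m, vv->w)."""
    return text.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance using a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(domain: str) -> bool:
    """True for an allow-listed domain or a subdomain of one (dot boundary enforced)."""
    d = domain.lower().rstrip(".")
    return any(d == legit or d.endswith("." + legit) for legit in LEGIT_AWS_DOMAINS)


def classify_sender_domain(domain: str, max_distance: int = 2) -> dict:
    """Return verdict 'legitimate', 'lookalike' or 'unrelated' plus the evidence."""
    if is_legitimate(domain):
        return {"domain": domain, "verdict": "legitimate", "reason": "allow-listed"}
    folded = fold_confusables(registrable_part(domain))
    closest, dist = min(((legit, levenshtein(folded, legit)) for legit in LEGIT_AWS_DOMAINS),
                        key=lambda pair: pair[1])
    if dist <= max_distance:  # near miss after folding, e.g. amaz0naws.com -> amazonaws.com
        return {"domain": domain, "verdict": "lookalike",
                "reason": f"edit distance {dist} from {closest}"}
    if any(token in fold_confusables(domain) for token in BRAND_TOKENS):
        # Brand word anywhere in a foreign domain, e.g. amazon.com.evil.net
        return {"domain": domain, "verdict": "lookalike", "reason": "contains AWS brand token"}
    return {"domain": domain, "verdict": "unrelated", "reason": f"distance {dist} from {closest}"}
```

Note that a domain can fold to an exact allow-list match (distance 0) and still be a look-alike, because the allow-list check runs on the raw domain before folding.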
