Real-Time AWS Phishing Campaign Targets Users via Cloudflare

A sophisticated phishing campaign has emerged, targeting Amazon Web Services (AWS) console users. This attack employs Cloudflare-hosted domains to deliver adversary-in-the-middle (AiTM) credential theft. The phishing kit mimics the AWS console sign-in page and captures both login credentials and multi-factor authentication (MFA) codes in real time. Unlike traditional phishing methods, this approach allows attackers to access victims' accounts immediately after they enter their credentials. The campaign is particularly concerning due to its ability to bypass MFA protections, which are commonly used to secure AWS accounts. The full scope of the attack, including the number of affected users, remains unclear. Security professionals are advised to remain vigilant and enhance their defenses against such tactics. The attack was reported on June 25, 2026, by multiple cybersecurity outlets.

Key Points: • Phishing campaign targets AWS users, leveraging Cloudflare-hosted domains. • Attackers capture credentials and MFA codes in real time, bypassing traditional defenses. • The full impact and number of affected users are currently unknown.