Escudodigital
Targeted AWS Phishing Campaign Captures Credentials and MFA Codes
A sophisticated phishing campaign targeting Amazon Web Services (AWS) users has emerged, utilizing cloned login pages to capture credentials and multifactor authentication (MFA) codes in real time. The attackers have focused on nearly fifty specific targets, primarily software engineers in the U.S., and have been active since mid-2025. The phishing emails impersonate AWS technical support, prompting users to click on malicious links that lead to fake login pages. Once victims enter their credentials, the attackers intercept MFA codes, allowing them to hijack active sessions. The phishing infrastructure leverages legitimate email services and Cloudflare to evade detection. Researchers have identified several domains used in this campaign that mimic official AWS services, marking them as indicators of compromise. This targeted approach indicates a highly selective operation rather than a broad attack. The campaign's sophistication raises significant concerns for AWS users and organizations relying on cloud services.
Key Points:
• Phishing campaign targets AWS users, capturing credentials and MFA codes in real time.
• Attackers impersonate AWS support in emails, leading victims to cloned login pages.
• Infrastructure utilizes legitimate services like Cloudflare to bypass detection.