Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond
ID: 3b39c26c-aafd-5c41-9faf-1977e304769f
STIX ID: report--3b39c26c-aafd-5c41-9faf-1977e304769f
Feed Name: Datadog Security Labs
Datadog Security Research observed a targeted AWS console phishing campaign (June 16–19, 2026) using Cloudflare-hosted domains and an AiTM phishing kit that harvests credentials and real-time MFA (email, SMS, TOTP). The report lists six malicious domains (three impersonating AWS, three impersonating SendGrid), describes the phishing kit's gating and API flows, includes a likely delivery artifact from VirusTotal, and provides hunting queries and guidance to check DNS activity and AWS CloudTrail ConsoleLogin events.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
