Behind the console: Active phishing campaign targeting AWS console credentials
ID: 497cf522-e261-5e0a-b85e-f22cb4ca5607
STIX ID: report--497cf522-e261-5e0a-b85e-f22cb4ca5607
Feed Name: Datadog Security Labs
Datadog Security Research reports an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console users through typosquatted domains, notably cloud-recovery.net and cloud-policy.com. The phishing kit acts as a transparent reverse proxy: credentials the victim submits are forwarded to the legitimate AWS sign-in endpoint in real time, which likely lets the operators harvest time-limited 2FA codes as well. The kit uses AWS SES tracking links in its lures, high-fidelity copies of the AWS console UI assets, and administrative panels exposed on TCP 3000. Two infrastructure clusters were observed and multiple IoCs (domains and IPs) are provided in the report. Datadog observed attacker console access from a Mullvad VPN egress node within 20 minutes of credential submission. Defenders are advised to monitor CloudTrail ConsoleLogin events (source IP and MFAUsed), MFA anomalies such as a second MFA-backed login from a new IP shortly after a legitimate one, and DNS activity to the listed domains.
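The detection the summary recommends, as an added example that is not Datadog's code or part of the original report: it runs over constructed CloudTrail ConsoleLogin records and DNS query names and flags the two signals an AiTM relay leaves behind, a successful login from outside trusted ranges and a second MFA-backed login for the same principal from a different IP within the 20-minute follow-on window. The two IoC domains are the ones named above; the trusted network range, user name, IP addresses and timestamps are assumptions for the example (documentation ranges), since the report's IP list is not reproduced on this page.

```python
"""Added example: flag AWS ConsoleLogin events and DNS queries consistent with
the AiTM pattern described in the summary. Not Datadog's code; the sample
events, the trusted network range and the attacker IPs are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Domains named on the page. The report's IP IoCs are not reproduced here.
PHISHING_DOMAINS = {"cloud-recovery.net", "cloud-policy.com"}

# Hypothetical corporate egress range (assumption for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Datadog saw attacker console access within 20 minutes of credential submission.
FOLLOW_ON_WINDOW = timedelta(minutes=20)


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_console_logins(records):
    """Return (user, reason, source_ip) findings for successful ConsoleLogin events.

    Two detections, both cheap to run over CloudTrail:
    - a successful login from outside the trusted ranges (the AiTM proxy and the
      attacker's VPN egress both appear as sourceIPAddress, not the victim);
    - a second MFA-backed login for the same principal from a different IP
      within the follow-on window, i.e. a relayed or replayed MFA factor.
    """
    findings = []
    seen = defaultdict(list)  # user -> [(time, ip)] of earlier successful logins
    logins = [r for r in records if r.get("eventName") == "ConsoleLogin"]
    for r in sorted(logins, key=_event_time):
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts are noise for these two signals
        identity = r.get("userIdentity", {})
        user = identity.get("userName") or identity.get("arn", "unknown")
        ip = r["sourceIPAddress"]
        t = _event_time(r)
        mfa = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if not is_trusted(ip):
            findings.append((user, "success_from_untrusted_ip", ip))
        if mfa and any(prev_ip != ip and t - prev_t <= FOLLOW_ON_WINDOW
                       for prev_t, prev_ip in seen[user]):
            findings.append((user, "second_mfa_login_new_ip_in_window", ip))
        seen[user].append((t, ip))
    return findings


def flag_dns_queries(query_names):
    """Return queried names that are, or sit under, a listed phishing domain."""
    hits = []
    for qname in query_names:
        labels = qname.rstrip(".").lower().split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & PHISHING_DOMAINS:
            hits.append(qname)
    return hits


def _login(time, ip, mfa="Yes", outcome="Success", user="alice"):
    # Constructed CloudTrail ConsoleLogin record with the fields the detections read.
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": time,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Constructed timeline: a legitimate office login, the phishing kit relaying the
# victim's credentials and MFA code from its own IP a few minutes later, then the
# attacker using the account from a VPN egress. All IPs are documentation ranges.
SAMPLE_CLOUDTRAIL = [
    _login("2024-05-01T08:55:00Z", "203.0.113.10"),                          # office
    _login("2024-05-01T09:03:00Z", "198.51.100.7", mfa="No", outcome="Failure"),
    _login("2024-05-01T09:04:00Z", "198.51.100.7"),                          # AiTM relay
    _login("2024-05-01T09:18:00Z", "192.0.2.44"),                            # VPN egress
]

SAMPLE_DNS = ["console.aws.amazon.com.", "signin.cloud-recovery.net.",
              "cloud-policy.com", "cloudpolicy.com.example.org."]

if __name__ == "__main__":
    for finding in flag_console_logins(SAMPLE_CLOUDTRAIL):
        print("ALERT", *finding)
    for qname in flag_dns_queries(SAMPLE_DNS):
        print("DNS", qname)
```

The second detection deliberately keys on MFAUsed == "Yes": an MFA-backed success is exactly what a real-time relay produces, so a rule that treats "MFA used" as benign would miss this campaign. The DNS matcher walks parent labels so subdomains of the listed domains are caught without matching look-alike names such as cloudpolicy.com under another zone.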
