Phishers are targeting AWS account holders with fake email security alerts and redirecting them to a high-fidelity clone of the AWS Management Console sign-in page, Datadog researchers have warned.

The cloned AWS phishing page (Source: Datadog Security Labs)

The campaign has been running since the end of February and possibly earlier. “In one observed case, the operator authenticated to a compromised AWS account within 20 minutes of credential submission,” the researchers noted.

Fake AWS security alert emails lure cloud administrators to phishing pages

The AWS Management Console is used by people who manage or interact with cloud resources in Amazon Web Services environments: cloud administrators, IT operations teams, DevOps engineers, security teams, and others.

According to Datadog, these users have been targeted with a spoofed “AWS Organization Security Email,” ostensibly sent by noreply@security[.]aws.

The fake AWS security alert email (Source: Datadog Security Labs)

The email warns about suspicious activity in their organization’s cloud environments, asks recipients to take action and directs them to a phishing page hosted on typosquatted domains, which are designed to appear legitimate by using names that resemble AWS-related services or internal cloud tools.

The adversary-in-the-middle (AitM) setup used in this campaign operates as a live proxy between victims and the legitimate AWS authentication service: authentication requests to AWS are relayed in real time, and the threat actor simultaneously captures credentials, authentication tokens, and likely multi-factor authentication (MFA) codes entered by the victims.

“Within 20 minutes of credential submission, the attacker authenticated to the AWS Console from 185.209.196[.]132, a Mullvad VPN egress node. This rapid turnaround suggests either an automated credential-testing pipeline triggered on submission, or an operator actively monitoring the admin panel and acting on new captures,” the researchers noted.

If attackers successfully gain access to an AWS console, the potential impact depends on the compromised account’s privileges. In high-permission environments, attackers could view sensitive data, modify cloud resources, deploy additional infrastructure, or create new identity and access management users to maintain persistence.

Shared phishing kit linked to AWS, M365, and Apple impersonation

The campaign relies entirely on social engineering and a rapidly rotated phishing infrastructure: several domains used in the campaign were registered shortly before being deployed, suggesting the operators are attempting to evade detection and takedowns.

Organizations are advised to monitor for unusual AWS login activity, enforce strong MFA protections such as hardware security keys, and educate users about phishing attempts impersonating cloud service alerts.
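One way to act on the "monitor for unusual AWS login activity" advice, as an added example that is not part of the article or Datadog's research: a small detector that scans CloudTrail-style records for successful `ConsoleLogin` events from IP addresses outside a known allowlist, then looks for IAM persistence actions (user or access-key creation) performed by the same principal from that IP shortly afterwards. Because an AitM proxy relays the victim's MFA code, `MFAUsed: "Yes"` is reported on the attacker's session too, so the detector deliberately does not treat it as exculpatory. The allowlist, the user names, the timestamps and the one-hour window are constructed assumptions; the attacker egress IP is the one quoted in the article.

```python
"""Flag AWS console logins from unfamiliar IPs and follow-on IAM persistence.

Added example. The records below are constructed in CloudTrail's ConsoleLogin /
IAM event shape; every value is made up except the VPN egress IP quoted in the
article. Field names match CloudTrail, the allowlist and window are assumptions.
"""
from datetime import datetime, timedelta

# Assumption: egress IPs the organisation expects administrators to sign in from.
KNOWN_EGRESS_IPS = {"203.0.113.10", "198.51.100.7"}

# IAM actions typically used to keep access after a console compromise.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}

# Assumption: how long after a suspicious login to correlate IAM changes.
FOLLOW_ON_WINDOW = timedelta(hours=1)

# Constructed sample events (abbreviated CloudTrail records).
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-03T08:55:12Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2025-03-03T09:14:40Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "185.209.196.132",  # VPN egress IP reported in the article
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},  # relayed MFA still shows "Yes"
    {"eventTime": "2025-03-03T09:21:03Z", "eventName": "CreateUser",
     "sourceIPAddress": "185.209.196.132",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-03-03T09:22:30Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "185.209.196.132",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_logins(events, known_ips=KNOWN_EGRESS_IPS):
    """Return one alert per successful ConsoleLogin from an IP not in known_ips.

    Each alert lists IAM persistence actions the same principal performed from
    that IP within FOLLOW_ON_WINDOW; any such action raises severity to "high".
    """
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["eventName"] != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        ip = ev["sourceIPAddress"]
        if ip in known_ips:
            continue
        user = ev["userIdentity"].get("userName")
        login_at = parse_time(ev["eventTime"])
        follow_on = [
            later["eventName"]
            for later in ordered[i + 1:]
            if later["eventName"] in PERSISTENCE_EVENTS
            and later["sourceIPAddress"] == ip
            and later["userIdentity"].get("userName") == user
            and parse_time(later["eventTime"]) - login_at <= FOLLOW_ON_WINDOW
        ]
        alerts.append({
            "user": user,
            "ip": ip,
            "time": ev["eventTime"],
            # Recorded for context only: an AitM proxy relays the real MFA code.
            "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed"),
            "follow_on_iam_actions": follow_on,
            "severity": "high" if follow_on else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_EVENTS):
        print(alert)
```

In production the allowlist would come from the organisation's known egress ranges or from a baseline of each user's prior login IPs, and the events from CloudTrail Lake or a SIEM rather than an inline list; the correlation logic stays the same.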

During their investigation, the researchers also identified two additional phishing kit servers exposing the same administrative panel used in this campaign.

These servers were linked to recently created domains designed to impersonate Microsoft 365 and Apple iCloud.

“These domains are not currently live. However, the common administrative panel could point towards a phishing kit that is shared among multiple actors,” the researchers added.

