This campaign is a sophisticated adversary-in-the-middle phishing attack targeting AWS console users by impersonating AWS login pages hosted on newly registered domains via Cloudflare. It captures AWS credentials and real-time MFA codes delivered through email, SMS, and authenticator apps. The phishing emails are sent through trusted platforms such as SendGrid and Nimbu to bypass spam filters. The kit uses JavaScript-based credential harvesting and validates victims through encrypted URL parameters to prevent sandbox analysis. The campaign is highly selective, focusing on a curated list of fewer than 50 US-based software engineers and engineering leadership, rather than mass phishing. It is linked to concurrent SendGrid impersonation campaigns and has a history of targeting cryptocurrency wallets since mid-2025.

Successful exploitation results in theft of AWS console credentials and real-time multi-factor authentication codes, potentially allowing attackers unauthorized access to AWS accounts of targeted individuals. This can lead to compromise of cloud resources and sensitive data. The campaign's use of legitimate email delivery platforms and sophisticated evasion techniques increases the likelihood of successful credential harvesting from high-value technical personnel.

No official patch or fix applies as this is a phishing campaign. Organizations should educate targeted users about this specific phishing technique and the associated domains (e.g., loginportal-aws.com, aws-central.us-west-login.com, aws.us-east-prod.com, aws.us-west-login.com). Monitoring for these domains and blocking them at network or email gateway levels is recommended. Users should verify URLs carefully before entering credentials and use additional security controls such as hardware MFA tokens. Since the campaign is highly targeted and uses legitimate email services, heightened awareness and user training are critical.