{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/aitm-phishing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Management Console","AWS IAM","AWS CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["cloud","identity","aws","initial-access","credential-access","aitm-phishing","session-theft","impossible-travel"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eAdversaries are actively employing adversary-in-the-middle (AiTM) phishing and session theft techniques to compromise AWS IAM user accounts. This threat is characterized by a single IAM user successfully authenticating to the AWS Management Console from two or more geographically distinct countries within a brief timeframe, a physically impossible scenario. This behavior is a strong indicator of compromise, even when multi-factor authentication (MFA) appears satisfied, as AiTM proxies effectively relay the live MFA challenge from the legitimate user to the AWS login page. The attacker then uses the captured session or credentials to log in from their own infrastructure, leading to the divergent geolocation pattern. This technique poses a significant risk to AWS environments by providing unauthorized access to cloud resources, potentially leading to data exfiltration, resource manipulation, or further lateral movement within the compromised cloud infrastructure. This detection mechanism serves as a crucial CloudTrail-native analog to identity-provider impossible-travel alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Phishing)\u003c/strong\u003e: The adversary initiates a phishing campaign, often through highly convincing emails targeting AWS IAM users, to entice them to visit a malicious website controlled by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAiTM Infrastructure Deployment\u003c/strong\u003e: The attacker sets up an adversary-in-the-middle (AiTM) proxy server, which acts as an intermediary between the victim's browser and the legitimate AWS Management Console login page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential and Session Theft\u003c/strong\u003e: When the victim attempts to log into AWS through the phishing site, the AiTM proxy relays their entered credentials (username, password) and any MFA responses to the legitimate AWS login page. Simultaneously, the proxy captures the session cookies returned by AWS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConcurrent Session Establishment\u003c/strong\u003e: As the legitimate user successfully logs in from their actual geographic location, the attacker immediately uses the captured session cookies or credentials to establish a separate, concurrent login session to the AWS Management Console from their own geographically distinct infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence and Privilege Escalation\u003c/strong\u003e: Once inside, the attacker may modify the compromised IAM user's policies, create new access keys (\u003ccode\u003eCreateAccessKey\u003c/code\u003e), or alter login profiles to maintain persistence and potentially elevate privileges within the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Data Exfiltration / Resource Manipulation)\u003c/strong\u003e: The attacker then leverages the unauthorized access to exfiltrate sensitive data from S3 buckets, deploy unauthorized compute resources (e.g., EC2 instances for cryptocurrency mining), or disrupt critical cloud services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AiTM attack leading to impossible travel on AWS can result in severe consequences. Attackers gain full control over the compromised IAM user's permissions, enabling actions such as creating new access keys, modifying existing user policies to grant broader access, or even altering MFA configurations. This unauthorized access allows for direct data exfiltration from services like S3, deployment of malicious resources for illicit activities (e.g., launching EC2 instances for botnets or crypto mining), and disruption of business-critical cloud infrastructure. The ability to bypass MFA by relaying challenges makes this a particularly insidious threat, leading to significant financial loss, reputational damage, and potential compliance violations for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the detection logic described in this brief to your SIEM, leveraging \u003ccode\u003eAWS CloudTrail\u003c/code\u003e logs for \u003ccode\u003esignin.amazonaws.com\u003c/code\u003e events.\u003c/li\u003e\n\u003cli\u003eReview detections for \u003ccode\u003eEsql.source_geo_country_iso_code_values\u003c/code\u003e and \u003ccode\u003eEsql.source_ip_values\u003c/code\u003e to identify the origin of suspicious logins and verify against expected user activity.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e for any suspicious hands-on-keyboard activities immediately following impossible travel alerts, such as \u003ccode\u003eCreateAccessKey\u003c/code\u003e events, changes to login profiles, or IAM policy modifications.\u003c/li\u003e\n\u003cli\u003eFor confirmed compromises, revoke the affected user's console sessions, force a password reset, rotate access keys, and reconfigure MFA.\u003c/li\u003e\n\u003cli\u003eMigrate AWS Management Console access to AWS IAM Identity Center and enforce phishing-resistant MFA methods, such as FIDO2 security keys or passkeys, which are highly effective against AiTM relay attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:41:58Z","date_published":"2026-07-03T15:41:58Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-iam-impossible-travel/","summary":"Adversaries leverage adversary-in-the-middle (AiTM) phishing and session theft to compromise AWS IAM user credentials, leading to concurrent successful AWS Management Console logins from multiple distinct geographic locations, indicating account compromise and enabling unauthorized access to cloud resources despite MFA.","title":"AWS IAM User Console Login from Multiple Geolocations","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-iam-impossible-travel/"}],"language":"en","title":"CraftedSignal Threat Feed - Aitm-Phishing","version":"https://jsonfeed.org/version/1.1"}