"##technolo.com%2f... the awstrack.me domain is an aws ses click-tracking domain. this has two benefits for the attacker: increasing the reputation of the link within the email and allowing for the tracking of their phishing campaign. the victim follows a multi-stage redir…"
T1566.002 Spearphishing Link
90%
"behind the console: active phishing campaign targeting aws console credentials key points and observations - datadog security research identified an active adversary-in-the-middle (aitm) phishing campaign targeting aws console credentials. - the phishing kit proxies auth…"
T1583.001 Domains
68%
"216) running the same administrative panel with associations to recently created domains attempting to impersonate m365 and apple: o365signin[.]app o365login[.]app o365singin[.]com oauth-icloud[.]com these domains are not currently live. however, the common admini…"
T1525 Implant Internal Image
58%
"travel scenario - aws consolelogin without mfa triggered impossible travel scenario in addition to this, you can hunt in your own environment for indications of this activity: - consolelogin events from 178.16.54[.]142 or 69.67.172[.]30 source: cloudtrail @evt.name:…"
T1566.002 Spearphishing Link
58%
"a compromised aws account within 20 minutes of credential submission. campaign overview all domains share registrar id 3254 (cnobin information technology limited). cluster 2 was registered and deployed on the same day we first observed it, indicating rapid infrastructure rotat…"
T1078.004 Cloud Accounts
41%
T1586.002 Email Accounts
35%
Summary
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure.