Phishing-kit flow for the AWS console sign-in clone (reconstructed from the flowchart nodes and edge labels):

1. Victim clicks phishing link.
2. Entry gate: /api/check + /api/me. The input_24 parameter resolves the target email.
   - Valid email? no -> blank page.
   - Valid email? yes -> AWS console sign-in clone.
3. Root or IAM user?
   - root user -> /password: email + password.
   - IAM -> /iam: account + username + password.
4. POST /api/login; the server returns the challenge type.
5. Challenge type?
   - /email -> email OTP.
   - /sms -> SMS code.
   - /gauth -> authenticator TOTP.
6. POST /api/auth (OTP harvest).
7. The AiTM relay validates the codes against real AWS.
8. AWS console session hijacked.
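The endpoint sequence above (gate request carrying input_24, then POST /api/login, then POST /api/auth) is a usable network signature for this kit. The following Python script is an added example, not code from the original page or from the kit: it walks constructed proxy log lines (the log format, host names and client IPs are assumptions for illustration) and flags any client/host pair that completes the gate, login and auth stages in order, extracting the targeted email from input_24 on the way.

```python
"""Flag the AWS console phishing-kit flow in web proxy logs.

Added example, not from the original page. The log format, host names and
client IPs below are constructed; the endpoint paths (/api/check, /api/me,
/api/login, /api/auth) and the input_24 parameter come from the flow chart.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample proxy log lines (not real traffic):
# "<client> <method> <host> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET aws-login.example.test /api/check?input_24=alice%40corp.example 200
10.0.0.5 GET aws-login.example.test /api/me?input_24=alice%40corp.example 200
10.0.0.5 POST aws-login.example.test /api/login 200
10.0.0.5 POST aws-login.example.test /api/auth 200
10.0.0.9 GET shop.example.test /api/me 200
10.0.0.9 GET shop.example.test /api/login 200
10.0.0.7 GET aws-login.example.test /api/check?input_24=notanemail 200
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

# Ordered stages of the kit flow: (stage name, predicate on method and path).
STAGES = [
    ("gate", lambda m, p: m == "GET" and p in ("/api/check", "/api/me")),
    ("login", lambda m, p: m == "POST" and p == "/api/login"),
    ("auth", lambda m, p: m == "POST" and p == "/api/auth"),
]


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, host, url, status = m.groups()
    parts = urlsplit(url)
    return {
        "src": src,
        "method": method,
        "host": host,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(status),
    }


def target_email(query):
    """Return the victim email carried in input_24, or None if absent or not email-shaped.

    The kit only serves the clone when the gate resolves a valid email; anything
    else gets a blank page, so a non-email value is recorded as no target.
    """
    vals = query.get("input_24")
    if not vals:
        return None
    candidate = unquote(vals[0])
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", candidate):
        return candidate
    return None


def find_kit_sessions(log_text, min_stages=3):
    """Group requests by (client, host) and advance through STAGES in order.

    Returns {(src, host): {"stages": [...], "target": email}} for every group
    that reached at least min_stages stages of the flow.
    """
    progress = defaultdict(lambda: {"stages": [], "target": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        state = progress[(rec["src"], rec["host"])]
        email = target_email(rec["query"])
        if email and state["target"] is None:
            state["target"] = email
        next_idx = len(state["stages"])
        if next_idx < len(STAGES):
            name, pred = STAGES[next_idx]
            if pred(rec["method"], rec["path"]):
                state["stages"].append(name)
    return {k: v for k, v in progress.items() if len(v["stages"]) >= min_stages}


if __name__ == "__main__":
    for (src, host), info in find_kit_sessions(SAMPLE_LOG).items():
        print(f"{src} -> {host}: stages={info['stages']} target={info['target']}")
```

Only the client that completes gate, login and auth in order is reported; a site that merely exposes /api/me and /api/login, or a client that was turned away at the gate with a non-email input_24 value, is not. Lowering min_stages to 1 turns the script into a watch list of gate hits, which is useful for spotting targeted users before they submit credentials.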