Signal
New phishing tactics exploit .arpa domain and AI-powered kits to target AWS accounts
Published 2026-03-10 02:14 UTC · Updated 2026-03-10 13:22 UTC
Tags: phishing, dns, cloud_security, incident_response
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped; counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
Recent reports reveal sophisticated phishing techniques that evade detection by abusing the .arpa top-level domain and using AI-in-the-middle (AiTM) phishing kits.
Entities
Infoblox, Hurricane Electric, Cloudflare, Datadog, AWS, Dave Mitchell
Score total: 0.97
Momentum 24h: 2
Posts: 2
Origins: 2
Source types: 1
Duplicate ratio: 0%
Why now
- The .arpa domain abuse was recently discovered and is actively exploited against major providers.
- The AI-powered AWS phishing campaign has been ongoing since at least late February, with rapid account takeovers.
- Heightened phishing sophistication calls for immediate updates to defenses and awareness.
Why it matters
- Phishing tactics are evolving to exploit internet infrastructure and AI, increasing evasion success.
- Cloud account compromises can lead to significant data breaches and operational disruptions.
- Early detection and mitigation of these advanced phishing methods are critical for security teams.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
- Threat actors abuse the .arpa domain by creating unauthorized A records to host phishing content, evading detection.
- Phishers use AI-in-the-middle phishing kits and typosquatted domains to hijack AWS accounts via cloned login pages.
How sources frame it
- Infoblox Report: neutral
- Datadog Security Labs: neutral
All evidence
Attackers use AiTM phishing kit, typosquatted domains to hijack AWS accounts
Help Net Security · helpnetsecurity.com · 2026-03-10 13:22 UTC
Hacker abusing .arpa domain to evade phishing detection, says Infoblox
CSO Online · csoonline.com · 2026-03-10 02:14 UTC
Top publishers (this list)
- Help Net Security (1)
- CSO Online (1)
Top origin domains (this list)
- helpnetsecurity.com (1)
- csoonline.com (1)