Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns

Posted: 11th May 2026

An investigation into phishing activity over the past months has surfaced a decisive structural evolution in how threat actors operate. The campaigns analysed no longer resemble the phishing most organizations trained their defenses to stop. There are no spoofed domains, no suspicious sender addresses, and in the most advanced cases, traditional indicators such as files, URLs, or network artifacts may be absent or significantly reduced. What replaced those classic indicators is something more difficult to confront: attackers conducting phishing operations entirely from infrastructure that organizations trust by design.

The platforms being weaponized are the same ones employees use every day: cloud storage buckets, productivity suites, email workflow tools, OAuth authentication endpoints, and calendar APIs. Adversaries have realized that the fastest path past enterprise defenses is not to break through them, but to send mail from the inside. When an email originates from a legitimate Google or Microsoft system, passes every authentication check, resolves to a valid TLS-certified domain, and links to a page hosted on a whitelisted cloud service, every layer of the traditional security stack sees routine traffic.

The consequences are significant. Across the campaigns investigated, multi-factor authentication was bypassed without the attacker ever touching a password. In several cases, victim organizations had no anomalous event in their SIEM at the time of initial compromise, because the attacker’s access token looked identical to the legitimate user’s. The first evidence of intrusion was discovered during post-incident review, sometimes weeks after the initial access event.

This report details the full attack chain observed, documents the case studies that define this threat category, maps the behavioural indicators that provide the only reliable detection surface, and provides actionable mitigations stratified by role.
