Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns – CYFIRMA

The article describes Trusted Infrastructure Phishing (TIP), where attackers abuse legitimate cloud services like Microsoft 365, Google Workspace, Azure Blob Storage, and OAuth flows to make phishing traffic look like normal enterprise activity. It also details case studies and mitigations showing how techniques such as adversary-in-the-middle token theft, OAuth device code abuse, and blob-based in-memory payloads bypass traditional email, network, and MFA defenses. #Microsoft365 #GoogleWorkspace #AzureBlobStorage #OAuth #BlobPhish

Keypoints

  • TIP campaigns conduct delivery, hosting, execution, authentication, and persistence entirely through trusted cloud infrastructure.
  • Classic phishing indicators such as spoofed domains, malicious attachments, and suspicious sender addresses are often absent or greatly reduced.
  • Attackers abuse provider-owned mail systems, cloud storage, OAuth authentication, and SaaS APIs to blend into normal traffic.
  • Multi-factor authentication is bypassed rather than broken: an adversary-in-the-middle proxy relays the victim’s genuine MFA-verified sign-in and captures the resulting session cookie, and OAuth 2.0 device code abuse has the victim authenticate at the real provider so that tokens are issued to the attacker’s client. Neither requires stealing a password.
  • Some campaigns render the phishing page only in browser memory: a small loader decodes a bundled HTML payload and navigates to a blob: URL it creates locally, so the page content is never fetched over the network and proxies and web filters see little or no forensic evidence beyond the initial loader request.
  • Post-compromise persistence often relies on inbox rules, token theft, and continued use of the victim’s cloud services.
  • Detection must focus on identity telemetry, browser behavior, OAuth events, and cloud API activity rather than perimeter signatures.
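To make the last point concrete, here is an added example (not from the CYFIRMA article) of the identity-side correlation a SOC could run over sign-in and mailbox audit telemetry. The records, field names, users and IP addresses are constructed for the example and only loosely modelled on Entra ID sign-in and Exchange Online mailbox audit entries; the operation names New-InboxRule and Set-InboxRule are the Exchange cmdlet names that appear in audit logs, everything else is an assumption.

```python
"""Correlate constructed identity telemetry to surface TIP post-compromise activity:
device-code sign-ins, a session cookie replayed from a second network, and risky
inbox rules created minutes after a sign-in from a never-before-seen IP."""
from datetime import datetime

# Constructed sample records (not real logs). Field names are an assumption
# loosely modelled on Entra ID sign-in and Exchange Online audit records.
SIGNINS = [
    {"time": "2025-03-01T08:00:00", "user": "alice@example.com", "ip": "198.51.100.5",
     "session": "sess-A1", "protocol": "browser", "app": "Outlook Web"},
    {"time": "2025-03-01T09:10:00", "user": "alice@example.com", "ip": "198.51.100.5",
     "session": "sess-A2", "protocol": "browser", "app": "Outlook Web"},
    # The same session cookie presented from a different network four minutes
    # later: what an AitM operator replaying the captured cookie looks like.
    {"time": "2025-03-01T09:14:00", "user": "alice@example.com", "ip": "203.0.113.77",
     "session": "sess-A2", "protocol": "browser", "app": "Outlook Web"},
    # Device-code grant: the token is issued to whichever client requested the code.
    {"time": "2025-03-01T11:30:00", "user": "bob@example.com", "ip": "192.0.2.44",
     "session": "sess-B1", "protocol": "deviceCode", "app": "Unverified App"},
    {"time": "2025-03-02T08:05:00", "user": "carol@example.com", "ip": "198.51.100.9",
     "session": "sess-C1", "protocol": "browser", "app": "Outlook Web"},
]

AUDIT = [
    {"time": "2025-03-01T09:18:00", "user": "alice@example.com", "op": "New-InboxRule",
     "params": {"ForwardTo": "collector@example.net", "DeleteMessage": "True"}},
    {"time": "2025-03-02T12:00:00", "user": "carol@example.com", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts"}},  # benign housekeeping rule
]

# Rule parameters that forward mail out or hide it from the mailbox owner.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def _ts(s):
    return datetime.fromisoformat(s)


def device_code_signins(signins):
    """Sign-ins completed with the device-code grant; rare for ordinary users."""
    return [s for s in signins if s["protocol"] == "deviceCode"]


def session_replays(signins):
    """(user, session) pairs whose session id was presented from more than one IP."""
    ips_by_session = {}
    for s in signins:
        ips_by_session.setdefault((s["user"], s["session"]), set()).add(s["ip"])
    return sorted(k for k, ips in ips_by_session.items() if len(ips) > 1)


def rules_after_new_ip(signins, audit, window_min=15):
    """Forwarding/deletion inbox rules created within window_min minutes of the
    first sign-in from an IP not previously seen for that user."""
    known_ips, first_seen = {}, []
    for s in sorted(signins, key=lambda x: x["time"]):
        if s["ip"] not in known_ips.setdefault(s["user"], set()):
            known_ips[s["user"]].add(s["ip"])
            first_seen.append(s)
    hits = []
    for ev in audit:
        if ev["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        if not RISKY_RULE_PARAMS & set(ev["params"]):
            continue
        for s in first_seen:
            delta = (_ts(ev["time"]) - _ts(s["time"])).total_seconds()
            if s["user"] == ev["user"] and 0 <= delta <= window_min * 60:
                hits.append({"user": ev["user"], "ip": s["ip"], "rule_time": ev["time"],
                             "params": sorted(RISKY_RULE_PARAMS & set(ev["params"]))})
    return hits


if __name__ == "__main__":
    for s in device_code_signins(SIGNINS):
        print("device-code sign-in:", s["user"], s["app"], s["ip"])
    for user, sess in session_replays(SIGNINS):
        print("session presented from multiple IPs:", user, sess)
    for h in rules_after_new_ip(SIGNINS, AUDIT):
        print("risky inbox rule after new-IP sign-in:", h)
```

None of these checks looks at a sender address, a URL or an attachment; they key on the identity and mailbox events that a trusted-infrastructure campaign cannot avoid generating. In production the "new IP" baseline would be built from weeks of history rather than the same batch of records, and the session-replay check should also compare user agent and device identifiers.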

MITRE Techniques

  • [T1583.004] Acquire Infrastructure: Server – Attackers registered free-tier cloud accounts and used provider infrastructure to send phishing mail and host components (‘they registered a free-tier account and configured it to dispatch phishing emails through the provider’s own outbound mail infrastructure’).
  • [T1584] Compromise Infrastructure – A compromised government website was used as part of spear-phishing delivery and trusted infrastructure abuse (‘spear-phishing delivery through a compromised government website’).
  • [T1566.001] Phishing: Spearphishing Attachment – Victims received QR codes embedded in PDF attachments as lure delivery (‘a QR code embedded in a PDF attachment’).
  • [T1566.002] Phishing: Spearphishing Link – Victims were directed through links to cloud-hosted phishing pages and intermediary services (‘a link to an apparently benign intermediary’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – A minimal JavaScript loader decoded and rendered a phishing page in memory (‘The loader uses standard browser APIs to Base64-decode a bundled HTML payload’).
  • [T1027] Obfuscated Files or Information – The attack chain hid content through encoded payloads, blob navigation, and layered redirects (‘Base64-decode a bundled HTML payload’, ‘layered: a legitimate form submission service resolved to a Blob-hosted redirect’).
  • [T1078.004] Valid Accounts: Cloud Accounts – Threat actors relied on legitimate cloud identities, tokens, and signed-in sessions (‘the attacker’s access token looked identical to the legitimate user’s’).
  • [T1556] Modify Authentication Process – Adversary-in-the-middle proxying intercepted real authentication flows and session cookies (‘A reverse proxy is positioned between the victim and the legitimate authentication endpoint’).
  • [T1528] Steal Application Access Token – OAuth device code abuse and session theft were used to obtain persistent access tokens (‘the victim’s authentication at that portal issues a valid access and refresh token directly to the attacker’s registered application’).
  • [T1557] Adversary-in-the-Middle – The proxy relayed a genuine MFA login and captured the resulting session cookie (‘The victim completes a genuine MFA-verified sign-in. The proxy captures the resulting session cookie’).
  • [T1114.003] Email Collection: Email Forwarding Rule – Attackers created forwarding and silent deletion rules for persistence (‘the attacker created inbox rules within minutes of obtaining access’).
  • [T1119] Automated Collection – The campaign used automated workflows and scripted interaction to gather user information (‘automated platform notifications’, ‘interaction pipeline’).
  • [T1102] Web Service – Command-and-control and phishing workflows were embedded in legitimate cloud and SaaS services (‘legitimate consumer calendar API calls’).
  • [T1567] Exfiltration Over Web Service – Data and operational telemetry were exposed through cloud services and APIs (‘embedding operational instructions inside routine API calls’).
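The device-code sequence cited under T1528 is easiest to see as a message exchange. The following is an added simulation (example code, not from the article or from any provider) of the RFC 8628 device authorization grant, with the authorization server, the attacker’s client and the victim all in one process. The endpoint names in the comments mirror the Microsoft identity platform’s /oauth2/v2.0/devicecode and /oauth2/v2.0/token; the token format, user-code format, verification URL and the 15-minute code lifetime are assumptions of the simulation.

```python
"""In-process simulation of the OAuth 2.0 device authorization grant (RFC 8628)
showing why a victim's genuine, MFA-verified sign-in delivers access and refresh
tokens to the attacker's client. Nothing here talks to a real provider."""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthServer:
    """Stand-in for the provider's authorization server (constructed, not real)."""

    def __init__(self, device_code_ttl=900):   # 900 s is an assumed code lifetime
        self.pending = {}                       # device_code -> pending request
        self.ttl = device_code_ttl

    def device_authorization(self, client_id, scope):
        """POST /oauth2/v2.0/devicecode: started by the client alone, no user present."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # the short code the victim types
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "issued": time.time(),
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # assumed URL
                "expires_in": self.ttl, "interval": 5}

    def user_approves(self, user_code, username):
        """The victim signs in at verification_uri (real domain, real MFA) and
        enters user_code. The server binds that identity to the pending request."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = username
                return True
        return False

    def token(self, grant_type, client_id, device_code):
        """POST /oauth2/v2.0/token, polled by the client. The grant_type string
        is the value worth hunting for in token-endpoint telemetry."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() - rec["issued"] > self.ttl:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        user = rec["approved_by"]
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"AT-for-{user}",      # opaque placeholders
                "refresh_token": f"RT-for-{user}"}     # what persistence runs on


def run_phish(server, attacker_client_id="attacker-app", victim="victim@example.com"):
    """Drive the exchange from the attacker's side and return the two poll results."""
    dc = server.device_authorization(attacker_client_id, "Mail.Read offline_access")
    # Poll before the lure lands: the server has nothing to hand over yet.
    before = server.token(DEVICE_CODE_GRANT, attacker_client_id, dc["device_code"])
    # Lure step: the victim visits the provider's real page and enters dc["user_code"].
    server.user_approves(dc["user_code"], victim)
    # Next poll: tokens for the victim, issued to the attacker's registered client.
    after = server.token(DEVICE_CODE_GRANT, attacker_client_id, dc["device_code"])
    return before, after


if __name__ == "__main__":
    before, after = run_phish(AuthServer())
    print("poll before victim acts:", before)
    print("poll after victim acts: ", after)
```

Two properties of the flow explain the page’s observations. The victim never types anything into attacker-controlled infrastructure; the user code goes into the provider’s own page, so there is no credential to protect and no spoofed login domain to flag. And the code expires, so the attacker must get the victim to act within the lifetime, which is why these lures arrive as urgent, near-real-time prompts. The refresh token returned on the final poll is what keeps access alive after the session that produced it is gone.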

Indicators of Compromise

  • [URL Pattern] Browser navigation telemetry for in-memory phishing pages – blob:https://*
  • [Redirect Chain] Cloud-hosted phishing delivery path – forms.office.com → *.blob.core.windows.net
  • [OAuth Endpoint] Device code token abuse – POST /oauth2/v2.0/token with grant_type=urn:ietf:params:oauth:grant-type:device_code (the RFC 8628 grant type string; the request also carries the device_code and client_id parameters)
  • [HTTP Request] Suspicious SharePoint editing request from outside expected scope – POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • [IP Address] Backend environment and malicious infrastructure – 20.44.241.109, 107.191.58.76, and 2 more IPs
  • [IP Address] Microsoft cloud edge nodes seen in redirect chains – 13.107.246.38, 13.107.213.38
  • [Cloud Storage / Hosting] Public cloud object storage used for phishing stages – Azure Blob Storage containers, OneDrive-hosted HTML documents
  • [Domain / Service] Legitimate provider services abused for lure delivery and hosting – SharePoint links, Microsoft 365 / forms.office.com
  • [File / Attachment] Lure delivery artifacts – PDF attachment with QR code, JavaScript loader
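Several of these indicators can be checked mechanically against browser and web-proxy telemetry. The block below is an added example, not part of the CYFIRMA page: it applies the blob: navigation, forms.office.com to *.blob.core.windows.net redirect and ToolPane.aspx edit-request patterns listed above to a handful of constructed log lines. The log format, hostnames, storage account name and blob UUID are invented for the example; only the indicator patterns come from the list.

```python
"""Match the page's URL/redirect indicators against constructed browser and proxy
telemetry. Line format (invented for this example):
<ts> <user> <method> <url> <status> <redirect-location or ->
NAV rows are browser navigation events that produce no network request."""
from urllib.parse import parse_qs, urlsplit

SAMPLE_TELEMETRY = """\
2025-03-01T09:11:02Z alice GET https://forms.office.com/r/abc123 302 https://example123.blob.core.windows.net/site/index.html
2025-03-01T09:11:03Z alice GET https://example123.blob.core.windows.net/site/index.html 200 -
2025-03-01T09:11:04Z alice NAV blob:https://example123.blob.core.windows.net/3f9a1c2e-0d0f-4a8c-9e7e-1b2c3d4e5f60 - -
2025-03-01T09:12:10Z alice POST https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200 -
2025-03-01T10:00:00Z bob GET https://contoso.sharepoint.com/sites/hr/Shared%20Documents/policy.pdf 200 -
2025-03-01T10:03:00Z bob POST https://intranet.example.net/_layouts/15/ToolPane.aspx?DisplayMode=Edit 200 -
"""

TRUSTED_LURE_HOSTS = {"forms.office.com"}     # provider-owned first hop in the chain
BLOB_SUFFIX = ".blob.core.windows.net"        # Azure Blob Storage public endpoint


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def classify(line):
    """Return (ts, user, rule, detail) findings for one telemetry line."""
    ts, user, method, url, status, location = line.split(maxsplit=5)
    findings = []

    # Indicator: blob:https://* navigation. The object URL embeds the origin that
    # created it, so the storage account that served the loader is recoverable
    # even though the page itself never crossed the network.
    if url.startswith("blob:"):
        origin = _host(url[len("blob:"):])
        findings.append(("blob_navigation", f"in-memory page from origin {origin}"))

    # Indicator: forms.office.com -> *.blob.core.windows.net redirect chain.
    if (status.startswith("3") and location != "-"
            and _host(url) in TRUSTED_LURE_HOSTS and _host(location).endswith(BLOB_SUFFIX)):
        findings.append(("trusted_to_blob_redirect", f"{_host(url)} -> {_host(location)}"))

    # Indicator: POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
    parts = urlsplit(url)
    if (method == "POST" and parts.path.lower().endswith("/_layouts/15/toolpane.aspx")
            and parse_qs(parts.query).get("DisplayMode") == ["Edit"]):
        findings.append(("sharepoint_toolpane_edit", f"{_host(url)}{parts.path}"))

    return [(ts, user, rule, detail) for rule, detail in findings]


def scan(text):
    """Run classify() over every non-empty line and collect the findings."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.extend(classify(line))
    return out


if __name__ == "__main__":
    for ts, user, rule, detail in scan(SAMPLE_TELEMETRY):
        print(f"{ts} {user:<6} {rule:<26} {detail}")
```

The blob: match is only possible with browser-side telemetry (an endpoint agent or browser extension that reports navigations); a network proxy sees the loader fetch on line two and nothing afterwards. The redirect rule is deliberately narrow and should be widened to the other trusted first hops the page names (SharePoint and OneDrive links) once a baseline shows how often those legitimately redirect into blob storage in your environment.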


Read more: https://www.cyfirma.com/research/abuse-of-cloud-native-infrastructure-in-modern-phishing-campaigns/