Threat actors are increasingly using trusted cloud and content delivery network platforms to host phishing kits, creating major detection challenges for security teams.
Unlike traditional phishing campaigns that rely on newly registered suspicious domains, these attacks use legitimate infrastructure from providers like Google, Microsoft Azure, and AWS CloudFront.
This approach allows hackers to bypass many security filters because the domains appear trustworthy at first glance.
The shift toward cloud-based phishing infrastructure represents a concerning evolution in social engineering attacks.
Victims encounter familiar domain names from well-known technology companies, making them more likely to enter sensitive credentials.
Network monitoring tools also struggle to flag these activities since they see ordinary HTML content loading from established cloud services rather than suspicious traffic patterns.
Several campaigns using this technique specifically target enterprise users, filtering out free email accounts to focus on corporate credentials.
Any.Run researchers identified this growing pattern while analyzing multiple phishing kit families. The analysis revealed that the Tycoon phishing kit operates from Microsoft Azure Blob Storage, specifically using the domain alencure[.]blob[.]core[.]windows[.]net.
The Sneaky2FA phishing kit was found on Firebase Cloud Storage at firebasestorage[.]googleapis[.]com and on AWS CloudFront at cloudfront[.]net, using fake Microsoft 365 login pages to harvest corporate account credentials.
The EvilProxy phishing kit leverages Google Sites at sites[.]google[.]com to host its malicious pages.
Detection and Response Challenges
Security teams face unique obstacles when dealing with cloud-hosted phishing infrastructure.
Traditional domain reputation checks fail because the hosting platforms themselves are legitimate services used by countless organizations for valid purposes.
Most security vendors classify these cloud domains as safe, which is technically accurate. The malicious activity exists in the content being served, not the infrastructure itself.
The solution requires behavioral and content analysis rather than simple domain checks. Security platforms need to examine what these cloud-hosted pages serve and how users interact with them, and identify suspicious patterns in real time.
Any.Run Sandbox demonstrates this capability by exposing these threats in under 60 seconds, reducing both mean time to detect and mean time to respond.
Organizations should implement threat intelligence lookups that specifically search for abuse patterns on Microsoft Azure Blob Storage, Firebase Cloud Storage, and Google Sites platforms.
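As an added example (not from the Any.Run analysis or the article), the content-based check this section calls for: a Python triage function that treats the abused platforms as context rather than as a reputation verdict, and only escalates when HTML served from them carries a credential form or Microsoft 365 lure wording. The tenant hostnames, the allowlist and the proxy records are constructed.

```python
import re
from dataclasses import dataclass

# Platforms the article reports as abused (Azure Blob, Firebase Storage, CloudFront, Google Sites).
ABUSED_PLATFORMS = ("blob.core.windows.net", "firebasestorage.googleapis.com",
                    "cloudfront.net", "sites.google.com")
# Constructed allowlist standing in for an organisation's own storage accounts (assumption).
KNOWN_GOOD_HOSTS = {"corpfiles.blob.core.windows.net"}
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
BRAND_LURE = re.compile(r"(office\s*365|microsoft\s*365|sign in to your account)", re.I)

@dataclass
class ProxyRecord:
    host: str          # response host from the web proxy log
    content_type: str  # response Content-Type header
    body: str          # captured response body (or the first few KB of it)

def on_abused_platform(host: str) -> bool:
    """True when host is one of the platforms or a tenant/distribution subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in ABUSED_PLATFORMS)

def score_record(rec: ProxyRecord) -> tuple[str, list[str]]:
    """Return (verdict, reasons) where verdict is 'none', 'review' or 'alert'."""
    reasons: list[str] = []
    if not on_abused_platform(rec.host) or rec.host.lower() in KNOWN_GOOD_HOSTS:
        return "none", reasons
    if not rec.content_type.lower().startswith("text/html"):
        return "none", reasons  # plain file downloads from storage are routine
    reasons.append("HTML page served from cloud storage/CDN platform")
    if PASSWORD_FIELD.search(rec.body):
        reasons.append("password field inside a statically hosted page")
    if BRAND_LURE.search(rec.body):
        reasons.append("Microsoft 365 login wording")
    verdict = {1: "none", 2: "review", 3: "alert"}[len(reasons)]
    return verdict, reasons

# Constructed sample records; the tenant hostnames are placeholders, not the ones in the article.
SAMPLE_RECORDS = [
    ProxyRecord("example-tenant.blob.core.windows.net", "text/html; charset=utf-8",
                '<h1>Sign in to your account</h1><form><input type="password" name="pw"></form>'),
    ProxyRecord("corpfiles.blob.core.windows.net", "text/html", '<input type="password">'),
    ProxyRecord("d1abcd.cloudfront.net", "application/pdf", "%PDF-1.7"),
    ProxyRecord("sites.google.com", "text/html", "<p>Team wiki</p>"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.host, *score_record(rec))
```

The body field assumes the proxy or sandbox can expose response content; without it, the platform match alone is only context and should not raise an alert.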
Related indicators of compromise include mphdvh[.]icu, kamitore[.]com, aircosspascual[.]com, and Lustefea[.]my[.]id.
