Threat Actors Abuse Microsoft & Google Platforms to Attack Enterprise Users


Enterprise security teams are facing a sophisticated new challenge as cybercriminals increasingly exploit trusted cloud platforms to launch phishing attacks.

Instead of relying on suspicious newly registered domains, threat actors now host their malicious infrastructure on legitimate services like Microsoft Azure Blob Storage, Google Firebase, and AWS CloudFront.

This strategic shift allows attackers to hide behind the reputation of trusted technology giants, making detection significantly more difficult for traditional security tools.

These campaigns specifically target corporate users rather than personal email accounts, representing a calculated effort to compromise business systems and steal sensitive enterprise credentials.

The attacks typically begin with convincing phishing emails containing links or QR codes that redirect victims through multiple layers of evasion techniques.

Many campaigns incorporate CAPTCHA challenges and complex redirect chains designed to bypass automated security scanners and static analysis systems.


Any.Run analysts identified this growing trend while monitoring phishing kit infrastructure across global security operations centers.

Their research revealed that the most dangerous campaigns employ Adversary-in-the-Middle (AiTM) phishing kits, which position attackers as invisible proxies between victims and legitimate authentication services.

This technique enables criminals to intercept credentials and session tokens in real-time, even when victims use multi-factor authentication protection.

Phishing attack (Source - Any.Run)

The three most prevalent phishing kits driving these enterprise-targeted attacks are Tycoon2FA, Sneaky2FA, and EvilProxy.

These sophisticated toolsets are distributed as Phishing-as-a-Service platforms, making advanced attack capabilities accessible to less technical criminals.

A malicious Tycoon2FA sample on a legitimate Microsoft Blob Storage domain (Source - Any.Run)

Security researchers discovered that Tycoon2FA campaigns alone have generated over 64,000 reported incidents, with US and European organizations encountering these attacks multiple times daily.

Detection Challenges and Security Implications

Traditional security indicators have become unreliable against these cloud-hosted threats.

When phishing pages reside on legitimate Microsoft or Google infrastructure, conventional detection methods fail because the hosting domains are inherently trusted.

POST request used by attackers to steal the password (Source - Any.Run)

IP addresses, TLS fingerprints, and SSL certificates no longer provide meaningful indicators of malicious activity, since they all belong to legitimate cloud service providers.

Cloudflare infrastructure presents particular challenges for security teams. The CDN service hides the actual origin server behind its own IP addresses, making it nearly impossible to identify or block the underlying malicious infrastructure.

'Wrong password' error message appears after password input (Source - Any.Run)

If defenders successfully take down one malicious domain, attackers simply register another and hide it behind Cloudflare within minutes, maintaining operational continuity without rebuilding their infrastructure.

Organizations should implement continuous threat intelligence monitoring combined with behavioral analysis capabilities to detect these advanced phishing campaigns.

Interactive sandboxing solutions enable security analysts to safely navigate through attack chains and observe malicious behavior in isolated environments, revealing the final credential theft pages that static security tools miss entirely.
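As an added illustration (not code from Any.Run or the article), the following Python triage routine applies the behavioural approach described above to a redirect chain recorded in a sandbox: instead of trusting the hosting domain, it scores the chain on the traits the article lists (multi-hop redirects, a CAPTCHA gate, a final page served from an abused trusted cloud platform, and a password form that submits somewhere other than the real identity provider). The suffix list, the IdP host set, the weights and the threshold are assumptions to be tuned against your own telemetry; the sample chain is constructed and contains no real indicators.

```python
from urllib.parse import urlparse
# Hosting suffixes the article names as abused trusted platforms; the exact
# list is an assumption and should be extended from your own telemetry.
TRUSTED_CLOUD_SUFFIXES = (
    ".blob.core.windows.net",  # Microsoft Azure Blob Storage
    ".web.app",                # Google Firebase Hosting
    ".firebaseapp.com",        # Google Firebase Hosting
    ".cloudfront.net",         # AWS CloudFront
)

# Hosts a genuine Microsoft sign-in form submits credentials to (assumption).
LEGIT_IDP_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def on_trusted_cloud(url: str) -> bool:
    host = host_of(url)
    return any(host.endswith(suffix) for suffix in TRUSTED_CLOUD_SUFFIXES)

def triage_chain(hops, credential_post_url):
    """hops: list of (url, saw_captcha) from first click to final page;
    credential_post_url: where the password form submitted. Returns (score, reasons)."""
    score, reasons = 0, []
    if len(hops) >= 3:
        score += 1
        reasons.append(f"{len(hops)}-hop redirect chain")
    if any(captcha for _, captcha in hops):
        score += 2
        reasons.append("CAPTCHA gate before the final page")
    final_host = host_of(hops[-1][0])
    if on_trusted_cloud(hops[-1][0]):
        score += 2
        reasons.append(f"final page served from trusted cloud host {final_host}")
    if host_of(credential_post_url) not in LEGIT_IDP_HOSTS:
        score += 3
        reasons.append(f"password POSTed to {host_of(credential_post_url)}, not the IdP")
    return score, reasons

def is_suspicious(score: int) -> bool:
    return score >= 5  # threshold is an assumption; tune against your data

# Constructed sample chain modelled on the article's description (not real IoCs).
SAMPLE_HOPS = [
    ("https://redirector.example/r?id=42", False),
    ("https://gate.example/verify", True),
    ("https://acme-files-01.blob.core.windows.net/site/index.html", False),
]
SAMPLE_POST = "https://acme-files-01.blob.core.windows.net/api/login"
```

Running `triage_chain(SAMPLE_HOPS, SAMPLE_POST)` scores the constructed chain 8 with four reasons, while a direct visit to the real IdP that posts back to it scores 0.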
