{
  "Event": {
    "analysis": "1",
    "date": "2026-05-07",
    "extends_uuid": "",
    "info": "[Threat Intel] Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns",
    "protected": false,
    "publish_timestamp": "1779546905",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1778952407",
    "uuid": "47aa313e-d63c-41b0-9e9b-37dc020ba38e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#f9b12b",
        "local": false,
        "name": "misp-galaxy:producer=\"Cyfirma\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e96364",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#b9ca9e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1583.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e556be",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Forwarding Rule - T1114.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#454726",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#abbbbf",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Authentication Process - T1556\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0068",
        "local": false,
        "name": "rectifyq:topic=\"cloud\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497208",
        "to_ids": false,
        "type": "link",
        "uuid": "34a119bd-6f33-4072-969f-fe69536dea7d",
        "value": "https://www.cyfirma.com/research/abuse-of-cloud-native-infrastructure-in-modern-phishing-campaigns/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497208",
        "to_ids": false,
        "type": "text",
        "uuid": "7ddac69f-3999-4e85-a386-9f1fbee87be4",
        "value": "An investigation has revealed a structural evolution in phishing operations where threat actors conduct entire campaigns through legitimate, enterprise-trusted cloud infrastructure rather than attacker-controlled systems. Adversaries weaponize platforms employees use daily, including cloud storage, productivity suites, and OAuth authentication endpoints. Attacks originate from legitimate Google or Microsoft systems, passing all authentication checks while linking to whitelisted cloud services. Multi-factor authentication is bypassed without touching passwords: the techniques tagged on this event (adversary-in-the-middle, OAuth and device-code token theft) capture tokens or authenticated sessions rather than credentials, so password resets alone do not evict the attacker. Victim organizations show no anomalous SIEM events at compromise time. Campaigns employ five stages: delivery via provider-owned infrastructure, payload hosting on legitimate cloud storage, execution within browser memory using native APIs, credential theft through legitimate authentication flows, and persistent presence through licensed services. Because the infrastructure involved is provider-owned, any IP or domain indicators derived from such campaigns should be checked against cloud-provider ownership before being used for automated blocking. Detection requires behavioral analysis rather than traditional indicators, as attackers operate enti..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497208",
        "to_ids": false,
        "type": "text",
        "uuid": "dc5ddc0d-b61d-4141-a9c6-74f6c5e134e4",
        "value": "Name: Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns\nAuthor: AlienVault\nAdversary: \nTags: [\"mfa bypass\", \"trusted infrastructure abuse\", \"oauth token theft\", \"cloud-native phishing\", \"device code flow\", \"saas abuse\", \"credential harvesting\", \"browser memory execution\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1557\", \"T1059.007\", \"T1566.002\", \"T1566.001\", \"T1119\", \"T1567\", \"T1583.004\", \"T1114.003\", \"T1584\", \"T1102\", \"T1528\", \"T1027\", \"T1078.004\", \"T1556\"]\nIndustries: [\"Finance\", \"Manufacturing\", \"Government\", \"Technology\", \"Telecommunications\", \"Transportation\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952173",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4c417acc-a68b-40e3-b7bc-520d4c48bcb1",
        "value": "96.9.125.147",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952194",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f8cf57e8-7b24-4330-9c6f-294ab84e1ce4",
        "value": "107.191.58.76",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952215",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6d54c5da-6220-4b56-af2f-70d8956f7aab",
        "value": "104.238.159.149",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952236",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4c32fde4-d9a9-4103-a303-9305939a465a",
        "value": "20.44.241.109",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952257",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3ffe6911-c8dc-4f07-9b79-e32484f995ab",
        "value": "13.107.246.38",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952278",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4a77411e-683b-4318-a99c-4f03ee21e1ae",
        "value": "13.107.213.38",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}