Enterprise cloud platforms abused to host phishing kits

Attackers are embedding phishing infrastructure in trusted cloud services to avoid detection and steal enterprise credentials.

What happened

Threat actors are abusing legitimate cloud and content delivery network services such as Microsoft Azure, Google Firebase, Amazon Web Services, and Cloudflare to host advanced phishing toolkits that specifically target enterprise users. According to Hackread, the campaigns rely on adversary-in-the-middle phishing kits that act as proxies between victims and real services, allowing attackers to steal credentials and bypass multifactor authentication. Hosting malicious infrastructure on trusted cloud platforms gives attackers reputable IP addresses, valid HTTPS certificates, and ordinary-looking TLS fingerprints, reducing the effectiveness of traditional security controls. The activity has been linked to widely used phishing kits, including Tycoon2FA, Sneaky2FA, and EvilProxy, which selectively filter for corporate email domains and execute multi-stage attack chains that result in session hijacking and credential theft.

Going deeper

Cloud-hosted phishing infrastructure makes credential theft harder to spot because attackers no longer rely on obviously suspicious systems. When phishing kits are hosted on major cloud platforms, signals like unfamiliar IP addresses or newly registered domains lose much of their value. Many campaigns also filter traffic to target only corporate email accounts, bypassing personal inboxes and increasing the chance that messages reach staff with real system access. To avoid detection, these kits often use CAPTCHAs, multiple redirects, and other techniques that block automated scanning tools.

What was said

Researchers cited by Cyber Press, who analyzed multiple samples in sandbox environments, said the phishing kits “act as proxies between victims and real services, stealing credentials and bypassing MFA,” and noted that hosting infrastructure on trusted cloud platforms allows attackers to “hide in plain sight” while avoiding many conventional detection controls. The observations were published as part of an analysis of cloud-hosted adversary-in-the-middle phishing campaigns in early 2026. No public statements from Microsoft, Google, Amazon, or Cloudflare were included in the disclosure.

In the know

Cyber Press reported that threat actors linked to Chinese hosting infrastructure operated more than 18,000 active command-and-control servers across 48 cloud and hosting providers. Command-and-control servers are systems that attackers use to remotely manage compromised devices and receive stolen data. Much of this infrastructure operates inside the same cloud platforms organizations rely on for email, identity systems, and business applications. The overlap allows phishing kits to run through trusted cloud services to proxy logins, maintain user sessions, and relay stolen credentials in real time. Because the malicious activity originates from legitimate cloud environments, traditional defenses that block suspicious domains or IP addresses become less effective, shifting detection toward monitoring login behavior and session activity instead of the traffic source.
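The shift described above, from blocking source IPs to watching session behavior, is easier to see with a concrete detection rule. The following is an added example, not code from Paubox or from any of the cited researchers: it runs over constructed, fictional sign-in and activity records (the field names are assumptions) and flags a session that, minutes after its MFA sign-in, is used from a different IP address and browser than the one that completed MFA, which is the footprint a proxied login leaves once the session cookie is relayed.

```python
"""Flag AiTM-style session reuse from sign-in and activity events.

Added example; the event schema and sample data below are constructed
for illustration and do not come from any real tenant or product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. User j.doe completes MFA from a Windows laptop,
# then the same session id appears from another IP and browser within minutes.
# User a.roe's session stays on one device throughout.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:00:00", "user": "j.doe@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Edge/121 Windows", "mfa": True, "action": "signin"},
    {"ts": "2026-02-03T09:04:00", "user": "j.doe@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "Chrome/120 Linux", "mfa": False, "action": "read_mail"},
    {"ts": "2026-02-03T09:05:00", "user": "j.doe@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "Chrome/120 Linux", "mfa": False, "action": "send_mail"},
    {"ts": "2026-02-03T10:00:00", "user": "a.roe@example.com", "session": "S2",
     "ip": "203.0.113.20", "ua": "Safari/17 macOS", "mfa": True, "action": "signin"},
    {"ts": "2026-02-03T10:30:00", "user": "a.roe@example.com", "session": "S2",
     "ip": "203.0.113.20", "ua": "Safari/17 macOS", "mfa": False, "action": "read_mail"},
]


def detect_session_reuse(events, window=timedelta(hours=1)):
    """Return one alert per activity event that reuses a session from a
    different (ip, user agent) pair than the MFA sign-in that created it,
    within `window` of that sign-in. Whether the IP belongs to a reputable
    cloud provider is deliberately not a signal: the pivot is session behavior."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        signin = next((e for e in evs if e["action"] == "signin" and e["mfa"]), None)
        if signin is None:
            continue
        origin = (signin["ip"], signin["ua"])
        start = datetime.fromisoformat(signin["ts"])
        for e in evs:
            delta = datetime.fromisoformat(e["ts"]) - start
            if (e["ip"], e["ua"]) != origin and timedelta(0) <= delta <= window:
                alerts.append({"user": e["user"], "session": sid, "ip": e["ip"],
                               "ua": e["ua"], "action": e["action"],
                               "minutes_after_mfa": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same rule would read the identity provider's sign-in and audit logs, and the alert would be enriched with the device and location of the original MFA event rather than the source network alone.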

The big picture

Researchers say attackers are hiding phishing tools inside trusted cloud platforms, a tactic Paubox describes as “inherited trust” abuse, where criminals misuse reputable services so malicious emails appear safe by default. In its report, The top 3 healthcare email attacks in 2025, Paubox explains that attackers now rely on legitimate cloud infrastructure, including Google-hosted services, to send fraudulent messages from high-reputation internet addresses with valid security certificates, making them harder for traditional rule-based email filters to detect. Hoala Greevy, CEO of Paubox, described the shift as “deception at scale,” meaning phishing has moved from small scams to organized campaigns that imitate trusted brands and exploit human behavior. To address these adversary-in-the-middle attacks, where attackers secretly position themselves between sender and recipient to manipulate communication, Paubox’s ExecProtect+ uses AI-driven detection to spot unusual sender behavior and block phishing emails before they reach staff inboxes, reducing reliance on employees, who currently report only about 5% of phishing attempts.

FAQs

Why are attackers using legitimate cloud platforms instead of traditional phishing domains?

Cloud platforms provide trusted certificates, stable infrastructure, and reputational cover, making malicious activity harder to block without disrupting legitimate business traffic.

What is an adversary-in-the-middle phishing kit?

An adversary-in-the-middle kit operates as a proxy between a user and a real service, capturing credentials and authentication tokens during login attempts and enabling multifactor authentication bypass.

Why are enterprise accounts targeted more heavily than consumer accounts?

Corporate accounts often provide access to sensitive data, internal systems, and privileged resources, increasing the value of a successful compromise.

How does cloud abuse affect traditional security controls?

Blocking IPs or domains becomes impractical when infrastructure belongs to major providers, requiring defenders to rely more on behavioral signals and authentication monitoring.

What steps can organizations take to reduce exposure?

Organizations can monitor cloud subdomains for abuse, deploy interactive sandboxing, enrich alerts with behavioral indicators, and train security teams to recognize adversary-in-the-middle attack patterns.