Threat actors are increasingly hosting phishing kits on trusted cloud platforms such as Microsoft Azure, Google Firebase, AWS, and Cloudflare. The shift sidesteps conventional defenses and targets enterprise users: by riding on legitimate infrastructure rather than registering suspicious new domains, attackers hide in plain sight.

Security teams face serious visibility gaps, because valid IP addresses, legitimate HTTPS certificates, and TLS fingerprints no longer reliably separate malicious traffic from benign. According to ANY.RUN data, these campaigns are dominated by AiTM (Adversary-in-the-Middle) kits, which sit between the victim and the legitimate service as a proxy, stealing credentials and defeating MFA by relaying the live session. Lure emails use links or QR codes that send users through redirects to CAPTCHA-protected landing pages.

The CAPTCHA and redirect chain keep AV scanners and URL crawlers from reaching the credential page, and the result is data theft.

AiTM Kits and Cloud Abuse Tactics

Top kits such as Tycoon2FA, Sneaky2FA, and EvilProxy lead the pack.

They filter out free email addresses such as Gmail and Outlook and concentrate on business accounts.

Multi-stage attack chain observed in the ANY.RUN sandbox (Source: any.run)

| Phishing kit | Key features | Typical hosts | Enterprise focus |
|---|---|---|---|
| Tycoon2FA | PhaaS for MFA bypass; proxies login credentials | Microsoft Azure Blob (e.g. *.blob.core.windows.net), Cloudflare | High; rapid expansion, observed several times a day in US/EU SOCs; Base64 corporate-domain filter |
| Sneaky2FA | AiTM for BEC | AWS CloudFront, Google Firebase | Strong; skips personal email addresses |
| EvilProxy | Reverse proxy; executive account takeovers | Cloudflare, Google domains | Aimed at leadership |

The appeal of Cloudflare is evident: it hides the true origin VPS behind a trusted ASN, resists blocking, and adds anti-analysis features such as geo-fencing, User-Agent blocks, and Turnstile CAPTCHAs.

TLS termination at the Cloudflare edge also removes JA3S fingerprints as usable IOCs, since the server-side TLS fingerprint a client observes belongs to Cloudflare rather than to the attacker's origin. Domains remain the last reliable lead, and attackers rotate them quickly.

Fast phishing detection with ANY.RUN's Interactive Sandbox (Source: any.run)

Sandbox analyses lay out the full chain. One Tycoon2FA sample hosted on Azure Blob imitates a Microsoft 365 login page.

Victims enter their credentials, which the page forwards to the attacker's servers as encrypted POST requests. The proxy then returns "wrong password" errors to keep the victim retrying while the authenticated session is captured. Sneaky2FA on Firebase or CloudFront targets businesses in the same way, and niche kits such as Cephas misuse Azure storage. The trend has accelerated recently: Azure-hosted Tycoon cases doubled in a single week.

TI Lookup queries such as threatName:"tycoon" AND domainName:"*.blob.core.windows.net" or threatName:"phishing" AND destinationIpAsn:"cloudflarenet" surface real-world instances.

Detection Challenges and SOC Solutions

Here, traditional IOCs fall short: IP blocks hit legitimate traffic, and domain reputation lags behind the attackers' rotation. Businesses need continuous TI and behavioral analysis.
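As an added example (not ANY.RUN's code and not a TI Lookup feature), the following Python script runs the same kind of hunt locally over proxy logs: it flags requests to the cloud-hosting suffixes named in this article and, for Tycoon-style links, tries to recover a Base64-encoded victim address from the URL so that hits aimed at corporate mailboxes can be triaged ahead of free-mail ones. The suffix watchlist beyond blob.core.windows.net, the log format, and the assumption that the lure URL carries the victim's address in Base64 (my reading of the "Base64 corporate domain filter" in the kit table) are all assumptions of the example; the log lines are constructed.

```python
"""Hunt proxy logs for phishing pages hosted on abused cloud platforms.

Added example, not ANY.RUN code: a local hunting pass in the spirit of the
TI Lookup queries above, run over constructed proxy log lines.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

# Hosting suffixes this article reports AiTM kits abusing. Assumed watchlist
# for the example: only blob.core.windows.net is named verbatim in the text;
# the Firebase, CloudFront and Cloudflare entries are the customer-facing
# suffixes those platforms hand out, chosen here as illustration.
WATCHED_SUFFIXES = (
    ".blob.core.windows.net",           # Azure Blob static sites (Tycoon2FA, Cephas)
    ".web.app", ".firebaseapp.com",     # Google Firebase Hosting (Sneaky2FA)
    ".cloudfront.net",                  # AWS CloudFront (Sneaky2FA)
    ".pages.dev", ".workers.dev",       # Cloudflare Pages / Workers
)

# Free webmail domains the kits are reported to drop; a lure aimed at one of
# these is lower priority for an enterprise SOC than a corporate address.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "live.com"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# 16+ chars of the standard or URL-safe Base64 alphabet plus optional padding.
# '/' and '+' are left out so path separators cannot glue two tokens together.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}={0,2}")

# Constructed proxy log lines (epoch, client, method, URL, status). A victim
# address carried in a URL fragment (#...) never reaches a proxy; it is only
# visible in mail-gateway URL rewrites or a sandbox, so this sample puts the
# Base64 address in the query string instead.
SAMPLE_LOG = """\
1700000001 10.0.4.12 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc 200
1700000002 10.0.4.12 GET https://d3k2example.blob.core.windows.net/$web/index.html?YWxpY2VAYWNtZS1jb3JwLmNvbQ== 200
1700000003 10.0.4.55 GET https://example-1a2b.web.app/verify?u=Ym9iQGdtYWlsLmNvbQ== 200
1700000004 10.0.4.77 GET https://cdn.example.cloudfront.net/static/app.js 200
1700000005 10.0.4.90 GET https://contoso.blob.core.windows.net/reports/q3.pdf 200
"""


def host_matches_watchlist(host):
    """True when the host is a tenant subdomain of a watched cloud platform."""
    host = host.lower()
    return any(host.endswith(suffix) for suffix in WATCHED_SUFFIXES)


def decode_embedded_emails(url):
    """Return e-mail addresses found Base64-encoded in the URL path, query or fragment."""
    parts = urlsplit(url)
    haystack = unquote(f"{parts.path}?{parts.query}#{parts.fragment}")
    found = []
    for token in B64_TOKEN_RE.findall(haystack):
        body = token.rstrip("=")
        padded = body + "=" * (-len(body) % 4)   # kits often drop the padding
        try:
            text = base64.urlsafe_b64decode(padded).decode("ascii")
        except ValueError:   # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if EMAIL_RE.match(text):
            found.append(text.lower())
    return found


def hunt(log_text):
    """Return one finding per log line whose host sits on a watched cloud suffix."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                               # blank or malformed line
        ts, client, _method, url, _status = fields
        host = (urlsplit(url).hostname or "").lower()
        if not host_matches_watchlist(host):
            continue
        emails = decode_embedded_emails(url)
        corporate = [e for e in emails if e.rsplit("@", 1)[1] not in FREEMAIL]
        # Triage heuristic, not a verdict: legitimate apps also put Base64
        # tokens in URLs, so "high" means "look at this first", nothing more.
        if corporate:
            severity = "high"    # watched host plus a corporate victim address
        elif emails:
            severity = "low"     # watched host plus a free-mail address the kits discard
        else:
            severity = "info"    # watched host, no lure marker; may be legitimate use
        findings.append({"ts": ts, "client": client, "host": host,
                         "emails": emails, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['client']:10} {f['host']:40} {f['emails']}")
```

Run as-is, the script reports the Azure Blob hit carrying a corporate address as "high", the Firebase hit with a Gmail address as "low", and the two bare cloud requests as "info"; feed it your own proxy export in the same five-column shape, or adapt the split in hunt() to your log format.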

Threat Intelligence Lookup results for Tycoon abuse of Cloudflare (Source: any.run)

ANY.RUN's interactive sandbox excels here: analysts detonate samples in isolated virtual machines (VMs), working past the evasions to reach the credential page. TI Lookup cuts triage time by correlating alerts against data from 15,000 SOCs. ANY.RUN reports 30% fewer escalations, 94% faster triage, and 62.7% more threats detected.

ANY.RUN business impact figures (Source: any.run)

Recommendations:

- Deploy interactive sandboxes to reconstruct full attack chains.
- Use TI feeds for real-time phishing indicators and trends.
- Enrich alerts with behavioral IOCs rather than static ones.
- Hunt with queries over cloud subdomains such as blob.core.windows.net.
- Train SOC staff on cloud abuse and AiTM proxies.

Cloud-hosted phishing is now commonplace and has a significant impact on businesses; proactive hunting with tools such as ANY.RUN gives SOCs worldwide a way to keep up.