Cybercriminals are increasingly using trusted cloud platforms to launch phishing attacks, posing a new challenge for enterprise security teams. Rather than registering dubious new domains, threat actors now host their phishing pages on reputable services such as Microsoft Azure Blob Storage, Google Firebase, and AWS CloudFront. The hosting domain therefore carries the reputation of a major technology company, so reputation-based and domain-age checks in conventional security tools no longer flag it.
These campaigns are a deliberate attempt to compromise business systems and steal enterprise credentials; they target corporate users rather than personal email accounts.
The attacks usually start with convincing phishing emails containing links or QR codes that route the victim through a chain of evasion steps. Many campaigns gate the final page behind CAPTCHA challenges and long redirect chains, so that automated scanners and static analysis systems never reach the credential form. Any.Run analysts noticed this expanding trend while monitoring phishing kit infrastructure across security operations centers worldwide.
According to their research, the most dangerous campaigns use Adversary-in-the-Middle (AiTM) phishing kits, which place a reverse proxy under the attacker's control between the victim and the legitimate authentication service. The proxy relays the victim's credentials and second factor to the real login service and captures the resulting session token in real time, so the attack succeeds even when the victim uses multi-factor authentication. Any factor the user types or approves (one-time codes, push prompts) can be relayed this way; only origin-bound methods such as FIDO2 security keys and passkeys resist it, because the browser will not produce a valid assertion for the proxy's domain. Tycoon2FA, Sneaky2FA, and EvilProxy are the three most common kits behind these enterprise-targeted attacks.
Figure: phishing attack flow (Source: Any.Run)
These toolkits are sold as Phishing-as-a-Service platforms, which lets less skilled criminals run sophisticated attacks. Security researchers found that Tycoon2FA campaigns alone account for over 64,000 reported incidents, with organizations in the US and Europe seeing these attacks daily.
Figure: malicious Tycoon2FA sample hosted on a legitimate Microsoft Blob Storage domain (Source: Any.Run)
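To make the AiTM mechanism concrete, here is an added toy model (example code written for this page, not code from Any.Run or from any of the kits named above). A victim browser submits a login to whatever site it is on; the attacker's proxy forwards each request to the real identity provider and keeps the session token that comes back. With a password plus one-time code the relay works and the attacker ends up holding alice's session. With an origin-bound login the browser signs the origin it is actually visiting, so the relayed assertion is rejected. All names, the fixed OTP and the HMAC standing in for the authenticator's public-key signature are assumptions made for the example.

```python
"""Toy model of an adversary-in-the-middle (AiTM) login relay.

Shows why a relayed password + one-time code still yields a usable session
token for the attacker, while an origin-bound (FIDO2/WebAuthn-style) login
fails through the same relay. Constructed example; not code from any kit.
"""
import hashlib
import hmac
import secrets


def _sign(key, challenge, origin):
    # HMAC stands in for the authenticator's private-key signature. The point
    # is that the origin is part of the signed data, as in WebAuthn clientData.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy IdP: password plus a one-time code, then a bearer session cookie."""

    ORIGIN = "https://login.example.com"  # hypothetical legitimate origin

    def __init__(self):
        # Constructed test user; the OTP is fixed so the example is deterministic.
        self.users = {"alice": {"password": "hunter2", "otp": "492113"}}
        self.fido_keys = {"alice": b"alice-authenticator-secret"}  # registered key
        self.sessions = {}
        self.pending_challenge = None

    def login_password_otp(self, username, password, otp):
        user = self.users.get(username)
        if user is None or user["password"] != password or user["otp"] != otp:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token  # bearer token: whoever holds it is the user

    def new_challenge(self):
        self.pending_challenge = secrets.token_hex(8)
        return self.pending_challenge

    def login_origin_bound(self, username, signed_origin, signature):
        """Accept the assertion only if it was produced for this IdP's origin."""
        key = self.fido_keys.get(username)
        if key is None or self.pending_challenge is None:
            return None
        if signed_origin != self.ORIGIN:
            return None  # browser was on some other site: relay rejected
        expected = _sign(key, self.pending_challenge, signed_origin)
        if not hmac.compare_digest(expected, signature):
            return None
        self.pending_challenge = None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def whoami(self, token):
        return self.sessions.get(token)


class VictimBrowser:
    """Types credentials into, and signs challenges for, the site it is on."""

    def __init__(self, username, password, otp, fido_key):
        self.username, self.password, self.otp, self.fido_key = username, password, otp, fido_key

    def submit_password_otp(self, site):
        return site.login_password_otp(self.username, self.password, self.otp)

    def submit_origin_bound(self, site):
        challenge = site.new_challenge()
        # The browser signs the origin it is actually visiting, never a value the
        # page asks for (real WebAuthn would also refuse because the credential is
        # scoped to the legitimate RP ID).
        signature = _sign(self.fido_key, challenge, site.ORIGIN)
        return site.login_origin_bound(self.username, site.ORIGIN, signature)


class AitmProxy:
    """Attacker site that looks like the IdP and forwards every request."""

    ORIGIN = "https://login-example.evil.test"  # hypothetical phishing domain

    def __init__(self, idp):
        self.idp = idp
        self.captured_tokens = []

    def login_password_otp(self, username, password, otp):
        token = self.idp.login_password_otp(username, password, otp)  # relay upstream
        if token:
            self.captured_tokens.append(token)
        return token  # victim receives a working session; nothing looks wrong

    def new_challenge(self):
        return self.idp.new_challenge()  # pass the real challenge through

    def login_origin_bound(self, username, signed_origin, signature):
        token = self.idp.login_origin_bound(username, signed_origin, signature)
        if token:
            self.captured_tokens.append(token)
        return token


def _victim(idp):
    return VictimBrowser("alice", "hunter2", "492113", idp.fido_keys["alice"])


def relay_password_otp():
    """Identity the attacker holds after relaying a password+OTP login."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    _victim(idp).submit_password_otp(proxy)
    return idp.whoami(proxy.captured_tokens[0]) if proxy.captured_tokens else None


def relay_origin_bound():
    """Identity the attacker holds after relaying an origin-bound login."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    _victim(idp).submit_origin_bound(proxy)
    return idp.whoami(proxy.captured_tokens[0]) if proxy.captured_tokens else None


def direct_origin_bound():
    """Sanity check: the same login against the real origin succeeds."""
    idp = IdentityProvider()
    return idp.whoami(_victim(idp).submit_origin_bound(idp))


if __name__ == "__main__":
    print("password+OTP via proxy -> attacker is:", relay_password_otp())  # alice
    print("origin-bound via proxy -> attacker is:", relay_origin_bound())  # None
    print("origin-bound direct    -> user is:", direct_origin_bound())     # alice
```

The password path shows the key property of these kits: the victim's login genuinely succeeds, so nothing in the user experience reveals the relay; only the session token ending up in the proxy's hands does.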
Difficulties in Detection and Security Consequences
These cloud-hosted threats have made traditional security indicators unreliable. When a phishing page sits on genuine Google or Microsoft infrastructure, the hosting domain is one that organizations trust and often allowlist, so domain reputation and domain-age checks pass it; the page has to be judged by its content and behaviour rather than by where it is hosted.
TLS fingerprints and TLS certificates are no longer useful markers of malicious activity either, because they belong to the cloud provider rather than to the attacker. Cloudflare poses a further problem for security teams: the CDN hides the true origin server behind Cloudflare's own IP addresses, so the malicious infrastructure underneath cannot be located or blocked by IP.
Figure: POST request with which the kit collects the password (Source: Any.Run)
Figure: after the password is entered, the page shows a "Wrong password" error even though the credentials have already been posted (Source: Any.Run)
When defenders take down a phishing domain, the attacker only needs to register a new one and put it behind Cloudflare, which takes minutes and requires no rebuilding of the kit behind it. To identify these campaigns, organizations should combine behavioural analysis tools with ongoing threat intelligence monitoring.
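Since the host name alone no longer says anything, a practical triage has to combine the hosting pattern with what the URL is trying to look like. The following is an added example (written for this page, not Any.Run's tooling) that scores links found in email or web-proxy log lines: a tenant-controlled subdomain of a cloud platform, a brand word in the tenant label, a login-themed path, and a pre-filled victim address each add to the score, while a bare CDN asset on the same platform stays below the threshold. The suffix list, word lists, threshold and log lines are constructed assumptions to adapt per environment.

```python
"""Triage URLs from email links or web-proxy logs for phishing pages parked on
tenant-controlled subdomains of reputable cloud platforms.

The host alone is not an indicator (it belongs to Microsoft, Google, Amazon or
Cloudflare), so the score combines the hosting pattern with a login-themed
path, brand words in the tenant label, and a pre-filled victim address.
Constructed sample data; the suffix and word lists are assumptions.
"""
import re
from urllib.parse import parse_qs, urlparse

# Suffixes under which any customer can create the leftmost label.
TENANT_HOSTED_SUFFIXES = (
    ".blob.core.windows.net",        # Azure Blob Storage static websites
    ".web.app", ".firebaseapp.com",  # Firebase Hosting
    ".cloudfront.net",               # AWS CloudFront distributions
    ".s3.amazonaws.com",             # S3 website buckets
    ".pages.dev", ".workers.dev",    # Cloudflare Pages / Workers
)
KNOWN_IDP_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}
LOGIN_WORDS = re.compile(r"login|signin|sign-in|auth|sso|verify|password|office|microsoft|o365", re.I)
BRAND_WORDS = re.compile(r"microsoft|office|o365|outlook|sharepoint|onedrive|okta", re.I)
EMAIL_PARAMS = ("email", "e", "login_hint", "username")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SUSPICIOUS_AT = 3  # threshold chosen for this example


def tenant_suffix(host):
    """Return the platform suffix if host is a customer-named subdomain of one."""
    for suffix in TENANT_HOSTED_SUFFIXES:
        if host.endswith(suffix) and len(host) > len(suffix):
            return suffix
    return None


def triage_url(url):
    """Score one URL and explain the score."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    score, reasons = 0, []

    suffix = tenant_suffix(host)
    if suffix:
        score += 2
        reasons.append(f"tenant-controlled host under {suffix}")
        if BRAND_WORDS.search(host[: -len(suffix)]):
            score += 2
            reasons.append("brand word in tenant label")
    if LOGIN_WORDS.search(parts.path) or LOGIN_WORDS.search(parts.query):
        score += 1
        reasons.append("login-themed path or query")
    query = parse_qs(parts.query)
    for key in EMAIL_PARAMS:  # kits often pre-fill the target's address
        if key in query and "@" in query[key][0]:
            score += 1
            reasons.append(f"victim address pre-filled in '{key}'")
            break
    if host in KNOWN_IDP_HOSTS:
        reasons.append("known identity-provider host")
    return {"url": url, "host": host, "score": score, "reasons": reasons,
            "suspicious": score >= SUSPICIOUS_AT}


def scan_log(lines):
    """Run triage over every URL found in the log lines; return the hits."""
    return [r for line in lines
            for r in map(triage_url, URL_RE.findall(line)) if r["suspicious"]]


# Constructed proxy-log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z user=alice url=https://office365-signin.blob.core.windows.net/login/index.html?email=alice%40example.com",
    "2024-05-02T10:14:07Z user=alice url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?login_hint=alice%40example.com",
    "2024-05-02T10:15:21Z user=bob url=https://d1abc.cloudfront.net/assets/logo.png",
    "2024-05-02T10:16:02Z user=bob url=https://docs-share.web.app/verify",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["score"], hit["host"], "; ".join(hit["reasons"]))
```

Run over the sample lines, the Blob Storage page with an Office-branded tenant label scores 6 and the Firebase "verify" page 3, while the real Microsoft login URL (which also carries a login_hint address) and the CloudFront image stay below the threshold. The score is a triage aid for deciding what to detonate in a sandbox, not a verdict.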
Interactive sandboxing lets analysts walk the full attack chain in an isolated environment, solving the CAPTCHA and following the redirects by hand, and observe the malicious behaviour as it happens. That is how they reach the final credential theft pages that static security tools never see.