What happened
Threat actors abused Google Cloud services to host phishing infrastructure, malware payloads, and command-and-control systems. Attackers used trusted cloud domains, including Cloud Storage, App Engine, and Cloud Functions, to evade reputation-based security controls. Malicious content hosted on cloud platforms appeared legitimate, increasing successful delivery to victims and complicating detection.
Who is affected
Organizations and users interacting with cloud-hosted content face indirect exposure, while enterprises may unknowingly connect to attacker-controlled cloud resources.
Why CISOs should care
Abuse of legitimate cloud platforms undermines traditional perimeter filtering and increases reliance on behavioral detection and threat intelligence.
3 practical actions
Inspect cloud-hosted traffic: Scan inbound links and downloads from cloud platforms.
Monitor outbound connections: Detect unusual communications with cloud-based C2 infrastructure.
Report abuse promptly: Coordinate with cloud providers to disrupt malicious hosting.
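A sketch of the "Monitor outbound connections" action, added here as an example and not taken from the original brief: because the parent domains are trusted, it groups proxy traffic by individual cloud tenant (bucket, app or function host) and flags clients that contact one tenant at near-constant intervals. The log format, thresholds, function names and sample hosts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Hosting suffixes for the services the brief names; thresholds below are assumptions.
CLOUD_SUFFIXES = ("storage.googleapis.com", "appspot.com", "cloudfunctions.net")

def _rows(client, url, times):
    return [f"{t} {client} {url}" for t in times]

# Constructed proxy log, "epoch_seconds client_ip url"; not real traffic.
SAMPLE_LOG = "\n".join(
    _rows("10.0.0.5", "https://constructed-fn.cloudfunctions.net/task", [0, 300, 601, 899, 1200, 1500])
    + _rows("10.0.0.7", "https://storage.googleapis.com/constructed-bucket/report.pdf", [10, 50, 2000, 2100, 9000])
    + _rows("10.0.0.9", "https://constructed-portal.appspot.com/health", [5, 65, 125, 185, 245])
    + _rows("10.0.0.9", "https://updates.example.org/check", [0, 60, 120, 180, 240])
)

def tenant_key(url):
    """Return the tenant-level identifier for a cloud-hosted URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix in CLOUD_SUFFIXES:
        if host == suffix:  # path-style bucket: storage.googleapis.com/<bucket>/...
            bucket = parts.path.strip("/").split("/")[0]
            return f"{host}/{bucket}" if bucket else host
        if host.endswith("." + suffix):
            return host
    return None

def find_beacons(log_text, min_hits=5, max_jitter=0.1, allowlist=()):
    """Return (client, tenant, mean_gap_seconds) for near-periodic cloud traffic."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # skip malformed lines rather than failing the whole run
        tenant = tenant_key(fields[2])
        if tenant and tenant not in allowlist:
            seen[(fields[1], tenant)].append(int(fields[0]))
    findings = []
    for (client, tenant), times in sorted(seen.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) < max(min_hits, 2) or mean(gaps) == 0:
            continue
        if pstdev(gaps) / mean(gaps) <= max_jitter:  # low jitter: machine-like timing
            findings.append((client, tenant, round(mean(gaps))))
    return findings
```

Sanctioned tenants (for example an internal health-check app) go in `allowlist` so that only unknown buckets, apps and functions reach an analyst.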
