What happened
Threat actors are increasingly exploiting legitimate cloud and content delivery platforms for phishing campaigns targeting enterprise users. Any.Run researchers identified multiple phishing kit families operating on platforms such as Microsoft Azure Blob Storage, Firebase Cloud Storage, and Google Sites, including the Tycoon and Sneaky2FA kits. These kits used trusted domains to deliver fake login pages for Microsoft 365 accounts, harvesting corporate credentials while bypassing traditional domain-based security filters. Another kit, EvilProxy, hosted on Google Sites, similarly impersonated enterprise services to trick users into providing sensitive authentication data. The research highlighted that the attacks avoid free email domains and specifically target corporate accounts, demonstrating a shift toward cloud-hosted phishing infrastructure that is difficult to detect.
Who is affected
Enterprise users and organizations relying on cloud platforms for email and collaboration services are directly impacted, with potential exposure to credential theft and session compromise.
Why CISOs should care
Using trusted cloud infrastructure for phishing campaigns lets attackers bypass perimeter controls and traditional email defenses, increasing the risk of credential compromise, lateral movement, and enterprise account takeover.
3 practical actions
- Monitor cloud-hosted phishing activity: Track suspicious content and login pages on Azure, Firebase, and Google Sites platforms.
- Educate enterprise users: Raise awareness about phishing hosted on legitimate cloud services.
- Enforce multi-factor authentication: Require phishing-resistant MFA to reduce the impact of credential theft.
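A triage check of the kind the first action calls for, as an added example that is not from the Any.Run research or this brief: it scans constructed proxy log lines for URLs on the three named platforms whose path or query carries Microsoft 365 login vocabulary, and suppresses storage accounts the organisation itself uses. The platform hostnames are well-known platform facts; the lure terms, allow-list entry and log format are assumptions.

```python
import re
from urllib.parse import urlparse

# Well-known hostname suffixes of the platforms the brief names (platform facts, not indicators).
CLOUD_PLATFORMS = {
    "blob.core.windows.net": "Azure Blob Storage",
    "firebasestorage.googleapis.com": "Firebase Cloud Storage",
    "sites.google.com": "Google Sites",
}
# Assumed lure vocabulary for Microsoft 365 credential pages; tune locally.
LURE_TERMS = re.compile(r"office|o365|microsoft|outlook|sharepoint|onedrive|login|signin|auth|mfa|verify", re.IGNORECASE)
# Assumed allow-list of storage accounts/sites the organisation really uses.
KNOWN_GOOD_HOSTS = {"contoso-docs.blob.core.windows.net"}

def platform_of(host):
    """Name of the cloud platform the host belongs to, or None."""
    host = host.lower().rstrip(".")
    for suffix, name in CLOUD_PLATFORMS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def triage_url(url):
    """(platform, matched terms) for a likely cloud-hosted login lure, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    platform = platform_of(host)
    if platform is None or host in KNOWN_GOOD_HOSTS:
        return None
    # Check path and query only: the host is the trusted platform domain,
    # which is exactly why domain-based filters let these pages through.
    terms = sorted({m.lower() for m in LURE_TERMS.findall(parsed.path + "?" + parsed.query)})
    return (platform, terms) if terms else None

def triage_log(lines):
    """Scan 'timestamp user url' proxy log lines; return the suspicious ones."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and (hit := triage_url(parts[2])):
            findings.append({"time": parts[0], "user": parts[1], "url": parts[2],
                             "platform": hit[0], "terms": hit[1]})
    return findings

# Constructed sample proxy log lines; hostnames and paths are made up.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z alice https://contoso-docs.blob.core.windows.net/reports/q1.pdf",
    "2024-05-01T10:05:02Z carol https://example123.blob.core.windows.net/o365/signin.html?e=carol",
    "2024-05-01T10:06:15Z dave https://firebasestorage.googleapis.com/v0/b/x.appspot.com/o/office-login.html",
    "2024-05-01T10:07:30Z erin https://sites.google.com/view/microsoft-secure-verify",
    "2024-05-01T10:08:00Z frank https://login.microsoftonline.com/common/oauth2/authorize",
]
```

Hits are a triage signal, not a verdict: legitimate tenants host real content on these domains, so each finding should be confirmed by fetching the page in a sandbox before blocking or notifying the user.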
