
Hackers Abuse Legitimate Cloud and CDN Platforms to Host Phishing Kits

Cybersecurity researchers have identified a troubling trend in which sophisticated threat actors are leveraging legitimate cloud and content delivery network (CDN) infrastructure from major technology providers, including Microsoft Azure, Google Cloud, and AWS CloudFront, to host phishing kits while evading traditional security detection mechanisms.

The abuse of these trusted platforms creates significant blind spots for enterprise security teams, as network traffic appears legitimate at first glance while masking malicious intent.

Legitimate Infrastructure, Illegitimate Use

Security researchers tracking phishing campaigns have documented multiple phishing kits deployed across trusted cloud platforms, exploiting the inherent trust placed in infrastructure providers such as Microsoft, Google, and Cloudflare.

https://twitter.com/anyrun_app/status/2011756689024815184?ref_src=twsrc%5Etfw

By leveraging established cloud services rather than newly registered malicious domains, attackers bypass many signature-based detection systems that flag suspicious domain registrations.

These phishing operations have demonstrated sophisticated targeting, focusing on enterprise users and corporate accounts to maximize campaign effectiveness.

The identified campaigns include the Tycoon phishing kit hosted on Microsoft Azure Blob Storage (alencure.blob.core.windows.net), the Sneaky2FA variant leveraging Google Firebase Cloud Storage with selective filtering against free email domains, and EvilProxy infrastructure hosted on Google Sites.

Additional abuse has been documented on AWS CloudFront, enabling attackers to distribute phishing payloads via globally distributed, high-performance networks.

The Sneaky2FA campaign exemplifies the sophistication of these operations, specifically filtering incoming traffic to target corporate email accounts while rejecting free email domains.

Attackers accomplish this by deploying fake Microsoft 365 login interfaces that validate credentials against enterprise authentication patterns, increasing the likelihood of successful account compromise against high-value targets.

A critical weakness in current security approaches is that many vendors whitelist these domains as legitimate infrastructure providers.

That classification is technically accurate, but the blanket trust creates a detection gap.

Traditional perimeter security and email filtering solutions struggle to detect phishing content when it is delivered via trusted cloud infrastructure, because the network behavior appears normal and the traffic passes through legitimate providers.

Security teams cannot rely solely on domain reputation or signature-based detection to identify these threats.

Instead, effective detection requires behavioral analysis capabilities and network-level signal detection to identify phishing content regardless of the hosting infrastructure.


Dynamic analysis of network behavior, user interaction patterns, and payload examination reveals malicious intent that static domain reputation systems overlook.

Researchers note that sandbox-based threat intelligence platforms can expose these campaigns within minutes, significantly reducing mean time to detection (MTTD) and mean time to response (MTTR).

By analyzing actual payload behavior and network communications, security teams can identify phishing infrastructure hosted on legitimate platforms while still maintaining the ability to whitelist legitimate cloud services.

Several indicators of compromise (IOCs) associated with these campaigns have been identified, including mphdvh.icu, kamitore.com, aircosspascual.com, and Lustefea.my.id.

Security teams can search for related phishing infrastructure across multiple cloud platforms using threat intelligence platforms, pivoting from known IOCs to discover additional campaign infrastructure.

For organizations seeking to identify similar phishing activity, threat intelligence queries targeting specific platforms, such as searching for phishing-classified domains hosted on blob.core.windows.net, firebasestorage.googleapis.com, and sites.google.com, can reveal additional undiscovered campaigns.

This approach shifts the focus of detection from domain registration patterns to hosting infrastructure abuse patterns.
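The shift from provider-level trust to tenant-level review can be sketched as follows. This is an added example, not code from the article or the researchers it cites: it keys allowlist and blocklist decisions on the storage account, bucket, site or distribution rather than on the platform domain. Apart from `alencure`, every tenant name and URL is constructed, and the Firebase Storage and Google Sites path layouts are assumptions about their common URL forms.

```python
from urllib.parse import urlsplit

def tenant_key(url):
    """Return (platform, tenant) for a URL on a shared platform, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    segs = [s for s in parts.path.split("/") if s]
    for suffix, platform in ((".blob.core.windows.net", "azure-blob"),
                             (".cloudfront.net", "cloudfront")):
        if host.endswith(suffix):
            # Label directly left of the suffix: storage account / distribution.
            return (platform, host[:-len(suffix)].split(".")[-1])
    if host == "firebasestorage.googleapis.com":
        # Assumed layout: /v0/b/<bucket>/o/<object>
        ok = len(segs) >= 3 and segs[:2] == ["v0", "b"]
        return ("firebase-storage", segs[2].lower() if ok else "")
    if host == "sites.google.com":
        # Assumed layout: /view/<site>/...
        ok = len(segs) >= 2 and segs[0] == "view"
        return ("google-sites", segs[1].lower() if ok else "")
    return None

def triage(urls, approved, known_bad):
    """Classify each URL as 'known-bad', 'approved', 'review' or 'other'."""
    results = []
    for url in urls:
        key = tenant_key(url)
        if key is None:
            verdict = "other"      # not a shared platform; usual domain checks apply
        elif key in known_bad:
            verdict = "known-bad"
        elif key in approved:
            verdict = "approved"
        else:
            verdict = "review"     # trusted platform, unknown tenant: analyse content
        results.append((url, key, verdict))
    return results

# Storage account named in the article; the URL path below is constructed.
KNOWN_BAD = {("azure-blob", "alencure")}
# Constructed tenant standing in for an organization's own approved account.
APPROVED = {("azure-blob", "contosoassets")}
# Constructed sample of proxy-log URLs.
SAMPLE_URLS = [
    "https://alencure.blob.core.windows.net/web/index.html",
    "https://contosoassets.blob.core.windows.net/img/logo.png",
    "https://firebasestorage.googleapis.com/v0/b/example-proj.appspot.com/o/login.html?alt=media",
    "https://sites.google.com/view/example-portal/home",
    "https://d1234example.cloudfront.net/a.js",
    "https://www.example.org/",
]
```

URLs that land in `review` are the ones a provider-level whitelist would pass silently; they are the candidates for the behavioral and payload analysis described above.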

The continued evolution of phishing tactics demonstrates the necessity for layered security approaches that combine traditional perimeter controls with advanced behavioral analysis and network intelligence capabilities.

As threat actors continue exploiting trusted infrastructure, organizations must adopt detection strategies that account for this blind spot in conventional security architectures.


The post Hackers Abuse Legitimate Cloud and CDN Platforms to Host Phishing Kits appeared first on Cyber Security News.

rssfeeds-admin
