Threat actors are increasingly using trusted cloud and content delivery network platforms to host phishing kits, which makes detection significantly harder for security teams.
Unlike conventional phishing campaigns that rely on newly registered, suspicious-looking domains, these attacks run on legitimate infrastructure from providers such as Google, Microsoft Azure, and AWS CloudFront.
This approach lets attackers slip past many security filters, because the hosting domains look credible at a cursory glance.
The transition towards cloud-based phishing infrastructure signifies a worrying shift in social engineering attacks.
Victims are confronted with familiar domain names from prominent tech firms, increasing the likelihood of them entering sensitive credentials.
Network monitoring tools also face challenges in flagging these actions since they observe regular HTML content loading from reputable cloud services instead of dubious traffic patterns.
This strategy specifically targets enterprise users across various campaigns, filtering out free email accounts to concentrate on corporate credentials.
Any.Run researchers recognized this escalating trend while examining numerous phishing kit families. The investigation uncovered that the Tycoon phishing kit operates from Microsoft Azure Blob Storage, specifically utilizing the domain alencure[.]blob[.]core[.]windows[.]net.
The Sneaky2FA phishing kit was discovered on Firebase Cloud Storage at firebasestorage[.]googleapis[.]com and AWS CloudFront at cloudfront[.]net, employing counterfeit Microsoft 365 login pages to gather corporate account credentials.
The EvilProxy phishing kit utilizes Google Sites at sites[.]google[.]com to host its malicious pages.
Detection and Response Challenges
Security teams confront distinct hurdles when addressing cloud-hosted phishing infrastructures.
Traditional domain reputation assessments fail because the hosting platforms are legitimate services utilized by numerous organizations for valid purposes.
Most security vendors categorize these cloud domains as safe, which is technically correct. The harmful activity resides in the content being delivered, not the infrastructure itself.
Defending against this requires behavioral analysis rather than simple domain checks. Security platforms must examine how users interact with these cloud-hosted pages and detect suspicious patterns in real time.
The Any.Run Sandbox exemplifies this capability by revealing these threats in under 60 seconds, decreasing both the mean time to detect and mean time to respond.
Organizations should use threat intelligence lookups that specifically search for abuse patterns on Microsoft Azure Blob Storage, Firebase Cloud Storage, and Google Sites.
Associated indicators of compromise include mphdvh[.]icu, kamitore[.]com, aircosspascual[.]com, and Lustefea[.]my[.]id.