Abuse of Legitimate Cloud Services: The New Weapon in Cybercriminals’ Arsenal


Attackers today aren’t just launching brute-force attempts or crafting custom malware; they’re getting smarter and more deceptive. Rather than relying solely on traditional methods, modern threat actors are increasingly abusing legitimate cloud services, the very platforms businesses and users trust daily, to deliver malware, exfiltrate data, and establish command-and-control (C2) channels.

This approach is especially dangerous because it allows attackers to blend into regular traffic, bypassing many conventional defenses organizations depend on.

What Does “Abuse of Legitimate Services” Really Mean?

This tactic involves leveraging widely used, trusted platforms, such as Google Drive, OneDrive, Dropbox, GitHub, Discord, Telegram, Notion, and Google Apps Script, for malicious purposes. Here’s how these services are being weaponized:

  • Delivering malware payloads
  • Hosting phishing pages mimicking real login portals
  • Exfiltrating sensitive corporate data
  • Setting up stealthy C2 channels

Since these services are often whitelisted in enterprise environments, attackers can operate quietly without triggering alerts.

Real-World Examples: When Trust Backfires

1. Google Apps Script in Phishing Campaigns

MITRE ATT&CK:

  • T1566.002 – Spearphishing Link
  • T1071.001 – Web Protocols

Campaign Overview:

  • Cybercriminals have launched phishing campaigns that host fake login pages via Google Apps Script, taking advantage of the google[.]com domain to appear credible.
  • Victims are lured in through invoice-themed emails, and once they enter their credentials, the data is captured and they’re redirected to a real Microsoft login page.
  • This redirection trick reduces suspicion and can even bypass email security tools that trust Google’s domain.

2. APT41’s Use of Google Calendar for C2

MITRE ATT&CK:

  • T1102.002 – Web Service: Bidirectional Communication
  • T1095 – Non-Application Layer Protocol

Campaign Overview:

  • The notorious group APT41 developed malware named TOUGHPROGRESS, which utilizes Google Calendar for C2 operations. Infected machines create and poll calendar events that contain encrypted commands.
  • This tactic helps them hide communications within regular calendar sync traffic, another reminder that trust in a domain doesn’t mean safety.

3. CAPTCHA Spoofing for Malware Delivery

MITRE ATT&CK:

  • T1204.002 – User Execution: Malicious File
  • T1059.001 – PowerShell

Campaign Overview:

  • Some attackers now use fake CAPTCHA pages (like “Prove You Are Human”) to trick users into executing malicious PowerShell scripts.
  • These scripts, often fetched from GitHub or spoofed domains, install RATs like NetSupport, maintain persistence using the Windows registry, and communicate with C2 servers.

Associated Threat Groups: FIN7, STORM-0408, SocGholish

4. BoxedApp: A Legit Tool Turned Dangerous

MITRE ATT&CK:

  • T1027 – Obfuscated Files or Information
  • T1116 – Code Signing

Campaign Overview:

  • Commercial packer tools like BoxedApp are now being misused to obfuscate and distribute malware. It’s being used to pack both native and .NET payloads, including families like AsyncRAT, Agent Tesla, and LockBit, particularly in attacks targeting government and financial sectors.
  • With added tools like NSIXLoader and Kiteshield for Linux environments, detection becomes even harder due to deep obfuscation and behavior mimicking.

5. Cloud Services Leading Malware Distribution

  • Research shows cloud apps have surpassed traditional download methods in delivering malware. Platforms like Google Drive and OneDrive are now top vectors for malware distribution.
  • The shift happened rapidly during the pandemic when organizations rushed to adopt cloud tools, often overlooking security configurations. Emotet and similar groups exploited this window, embedding malware in cloud-shared documents and files.

Why These Tactics Are So Effective

Technique        | Description
-----------------|--------------------------------------------------------------------------
Trusted Domains  | Domains like drive.google.com or cdn.discordapp.com are rarely blocked
HTTPS Encryption | Makes content inspection harder without full TLS decryption
MFA Bypass       | AiTM phishing pages steal session tokens and bypass MFA via services like Notion or Forms
Cloud Overload   | Rushed cloud adoption post-COVID left gaps in monitoring & policy enforcement

Why These Attacks Work So Well

  • Trusted Domains: Services like drive.google.com or cdn.discordapp.com rarely raise alarms because they’re generally considered safe.
  • Encrypted Traffic: Most use HTTPS, making it hard for firewalls to inspect traffic without deep packet inspection (DPI).
  • Credential Theft and MFA Bypass: Hosting phishing portals on platforms like Google Forms or Notion allows attackers to run AiTM (Adversary-in-the-Middle) attacks that can steal session tokens and bypass MFA.

Defense Is Possible: Here’s How

To counter these stealthy threats, organizations must look beyond domain-based trust and focus on contextual detection. Here are some defensive strategies:

  1. Deploy a CASB (Cloud Access Security Broker): Monitor usage and data movement across sanctioned and unsanctioned services.
  2. Monitor DNS and URL patterns: Even for trusted domains, malicious content can hide behind familiar URLs.
  3. Track unusual data flows: Flag large uploads/downloads to or from cloud apps that deviate from typical behavior.
  4. Audit third-party app permissions: Especially in Microsoft 365 and Google Workspace. Look for risky or redundant app connections.
  5. Educate your teams: Train users to understand that even “trusted” platforms can be misused for phishing and malware delivery.
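One way to turn steps 2 and 3 into concrete detection logic, as an added example that is not from the original post: a small Python analyzer run over constructed proxy-log lines. The log format, the host watchlist, the thresholds and the alice/bob/carol entries are all assumptions; it flags abused URL prefixes on trusted hosts, a single upload far outside a user's own norm, and the fixed-interval polling of a calendar endpoint described in the APT41 case.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (hypothetical format): timestamp user method host path bytes_out
SAMPLE_LOG = """\
2024-05-01T09:05:00 alice POST drive.google.com /upload/drive/v3/files 20480
2024-05-01T09:06:00 alice POST drive.google.com /upload/drive/v3/files 30720
2024-05-01T09:15:00 alice POST drive.google.com /upload/drive/v3/files 734003200
2024-05-01T09:10:00 bob GET script.google.com /macros/s/CONSTRUCTED_ID/exec 300
2024-05-01T09:00:00 carol GET www.googleapis.com /calendar/v3/calendars/primary/events 200
2024-05-01T09:30:00 carol GET www.googleapis.com /calendar/v3/calendars/primary/events 200
2024-05-01T10:00:00 carol GET www.googleapis.com /calendar/v3/calendars/primary/events 200
2024-05-01T10:30:00 carol GET www.googleapis.com /calendar/v3/calendars/primary/events 200
"""
# Constructed watchlist: URL prefixes on trusted hosts that the post describes as abused
# (Apps Script pages, raw GitHub script downloads, Discord CDN attachments).
SUSPECT_PREFIXES = [("script.google.com", "/macros/"),
                    ("raw.githubusercontent.com", "/"),
                    ("cdn.discordapp.com", "/attachments/")]
UPLOAD_HOSTS = {"drive.google.com", "onedrive.live.com", "www.dropbox.com"}
BIG_UPLOAD = 50 * 1024 * 1024  # assumed absolute floor of 50 MB for a single request

def parse(log_text):
    for line in log_text.splitlines():
        ts, user, method, host, path, out = line.split()
        yield datetime.fromisoformat(ts), user, method, host, path, int(out)

def analyze(log_text):
    """Return (rule, user, detail) alerts for the three behaviours above."""
    alerts, uploads, polls = [], defaultdict(list), defaultdict(list)
    for ts, user, method, host, path, out in parse(log_text):
        if any(host == h and path.startswith(p) for h, p in SUSPECT_PREFIXES):
            alerts.append(("suspect_url", user, host + path))
        if method == "POST" and host in UPLOAD_HOSTS:
            uploads[user].append(out)
        if method == "GET":
            polls[(user, host, path)].append(ts)
    # Data flow: an upload above the fixed floor AND far above the user's own median
    for user, sizes in uploads.items():
        median = statistics.median(sizes)
        for size in sizes:
            if size > BIG_UPLOAD and size > 100 * median:
                alerts.append(("large_upload", user, f"{size} bytes, median {median:.0f}"))
    # Beaconing: 4+ GETs to one URL at near-constant intervals (calendar-style C2 polling)
    for (user, host, path), stamps in polls.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 3 and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps):
            alerts.append(("periodic_poll", user, f"{host}{path} every ~{statistics.mean(gaps):.0f}s"))
    return alerts
```

The per-user median keeps a habitual bulk uploader from tripping the rule on every request, while the fixed floor stops a user with no upload history from being flagged for a few kilobytes.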

Final Thoughts

As cybercriminals grow bolder and more creative, they’re increasingly turning the tools we trust into their own arsenal. Security teams can no longer afford to rely solely on signatures or domain-based filters. We must analyze behavior, monitor context, and remain suspicious, even when the source seems familiar.

The next major breach may not come from the dark web; it may come from your trusted cloud drive.


Ampcus Cyber