Cloud Phishing: Modern Techniques and the Crown Jewel

Cloud computing has given phishers a new place to gather information and expand their operations, and the consequences reach well beyond that. No business, large or small, is immune to phishing attacks, so it is important to understand how you could be targeted and what you can do to stop it.

SaaS-based phishing is already well established. More than 90 percent of all data breaches are caused by phishing, including stolen passwords and malicious URLs. In addition, a report from Palo Alto Networks Unit 42 states that researchers have observed a large surge in this type of abuse, with the firm’s data indicating a 1,100% increase from June 2021 to June 2022.

What Is Cloud Phishing?

Cloud phishing is a type of phishing in which fake cloud computing services are used to trick people into clicking on malicious links. Most of the time, these campaigns reach their targets through:

  • Video conferencing platforms
  • Social Media platforms
  • Cloud-based file-sharing platforms
  • Text messages or emails
  • Workforce messaging platforms

Hard To Detect SaaS-to-SaaS Phishing Techniques

All of these frauds can occur without the attacker ever touching the victim’s on-premises computers or network. Because everything happens SaaS-to-SaaS, none of the existing security mechanisms, such as sandboxes, anti-spam gateways and URL screening, can inspect it, so no alarm is raised.

The first step in such an attack is often a fake invoice or “secure” PDF document hosted on a cloud service. The document can be downloaded, but, for convenience, these cloud services also open the PDF for viewing, which means it loads in your web browser without restrictions or warnings.

It is hard to detect because it only occasionally crosses the protections that were put in place. As the AWS cloud phishing attempts reported in the news in August showed, phishing detection that is built only into the way email enters and leaves the organization will never catch it.

All of the actions take place in the cloud (or in more than one cloud), and everything looks legitimate and is encrypted at the point where scanning and detection happen. The victim’s computer will most likely receive the phishing email, but all the magic happens in the browser.

Here are some types of SaaS-to-SaaS cloud phishing techniques that you should know:

Multi-Stage Cloud Phishing

Microsoft issued a warning earlier in 2022 about new phishing attacks abusing Azure AD that target users who do not use multi-factor authentication.

This attack is flourishing now, where it did not in the past, because attackers take advantage of the Bring-Your-Own-Device (BYOD) model by registering devices with newly stolen credentials, and cloud authentication is reachable at any time, from anywhere.

It is a distinctive attack strategy that combines standard phishing with second- and even third-phase operations. The attack begins by stealing an employee’s email account.

In the second stage, the attacker sets up the victim’s Office 365 account on a fake device, one the attacker controls. Once that device is registered, the victim’s user account (and, in this case, Azure AD) is used to phish the organization or its customers from the victim’s real email address.

If they want more power or a better “host” than the first victim, they can use internal phishing to take over a second account. These multi-stage attacks look genuine and can infect the company’s OneDrive or SharePoint systems.
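The device-registration stage described above leaves a trace a defender can correlate: a password-only sign-in followed shortly by a device registration for the same user. The following detection logic is an added example, not code from the article; the log records are constructed and their field names are assumptions, not the real Azure AD schema.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped loosely like Azure AD sign-in and audit logs.
# Field names ("user", "time", "mfa", "op", "ip") are assumptions, not the real schema.
SIGNINS = [
    {"user": "alice@example.com", "time": "2022-08-01T09:02:00", "mfa": False, "ip": "203.0.113.7"},
    {"user": "bob@example.com",   "time": "2022-08-01T09:10:00", "mfa": True,  "ip": "198.51.100.4"},
    {"user": "carol@example.com", "time": "2022-08-01T08:00:00", "mfa": False, "ip": "198.51.100.9"},
]
AUDIT = [
    {"user": "alice@example.com", "time": "2022-08-01T09:15:00", "op": "Add registered device", "ip": "203.0.113.7"},
    {"user": "bob@example.com",   "time": "2022-08-01T09:20:00", "op": "Add registered device", "ip": "198.51.100.4"},
    {"user": "carol@example.com", "time": "2022-08-01T15:00:00", "op": "Add registered device", "ip": "198.51.100.9"},
    {"user": "alice@example.com", "time": "2022-08-01T09:30:00", "op": "Update user",           "ip": "203.0.113.7"},
]

def _t(ts):
    return datetime.fromisoformat(ts)

def suspicious_device_registrations(signins, audit, window=timedelta(hours=1)):
    """Return (user, registration time) for every device registration that follows,
    within `window`, a successful sign-in by the same user that did not use MFA.
    In the sample data only Alice is flagged: Bob used MFA, and Carol's registration
    came hours after her sign-in."""
    hits = []
    for ev in audit:
        if ev["op"] != "Add registered device":
            continue
        reg_time = _t(ev["time"])
        for s in signins:
            if s["user"] != ev["user"] or s["mfa"]:
                continue
            gap = reg_time - _t(s["time"])
            if timedelta(0) <= gap <= window:
                hits.append((ev["user"], ev["time"]))
                break
    return hits

if __name__ == "__main__":
    for user, when in suspicious_device_registrations(SIGNINS, AUDIT):
        print(f"ALERT: device registered for {user} at {when} after a password-only sign-in")
```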

Crown Jewel = Developer Accounts

What motivates threat actors to go after developer accounts, and what could go wrong if one were stolen? Depending on the developer’s position, an attacker gains access to almost everything:

  • Access to CI/CD pipelines,
  • SSH keys,
  • API keys,
  • Source code,
  • Production infrastructure, etc.

In the ‘best case’ compromise, a junior engineer’s account is stolen. This engineer can at least commit changes to the source code. Now suppose the company does not follow software engineering best practices such as code review and restricting who can commit to the main branch. In that case, the attacker can alter the organization’s source code and so infect the final product.

In the worst case, the attacker gains access to a senior developer’s account with elevated privileges. Such an account may be able to bypass some code checks manually and reach key resources. A compromise of this kind would be catastrophic for an organization.
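The practices named above (mandatory code review, a restricted set of people who can push to the main branch) can be audited mechanically. The checker below is an added example, not from the article; the policy dicts are constructed, and their shape follows the GitHub REST API branch-protection response as assumed here, so verify key names against the API documentation before relying on them.

```python
def branch_protection_gaps(protection):
    """Return a list of gaps against the practices above; an empty list means
    the branch is protected: reviews required, admins bound by the rules,
    direct pushes restricted, and CI status checks enforced."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("no approving review is required before merge")
    if not reviews.get("dismiss_stale_reviews"):
        gaps.append("approvals survive new commits pushed after review")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("administrators can bypass the protection rules")
    restrictions = protection.get("restrictions") or {}
    if not (restrictions.get("users") or restrictions.get("teams")):
        gaps.append("everyone with write access can push directly to the branch")
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        gaps.append("no CI status checks must pass before merge")
    return gaps

# Constructed: the "no best practices" repository from the text.
WEAK = {
    "required_pull_request_reviews": None,
    "enforce_admins": {"enabled": False},
    "restrictions": None,
    "required_status_checks": None,
}
# Constructed: review, admin enforcement, team-only push and CI gating in place.
STRONG = {
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "enforce_admins": {"enabled": True},
    "restrictions": {"users": [], "teams": [{"slug": "release-managers"}]},
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/tests"]},
}

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, branch_protection_gaps(policy) or "OK")
```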

QRishing

Attackers are currently distributing malware URLs via QR codes embedded in emails, which most email security solutions cannot detect.

QRishing combines the terms ‘QR code’ and ‘phishing’: the attack is delivered as a QR code. It may direct victims to connect to an insecure Wi-Fi network, where someone can easily capture their keystrokes.

Some attackers even place malicious QR codes in restaurants and other public places. With the pandemic making in-person interaction difficult, threat actors often turn to QR codes because we rely on them to view menus, sign up for vaccines and learn about public events.

Adding fake QR codes to a phishing text (SMishing + QRishing) or to a social media platform is another form of social engineering. When users scan the malicious code, they are sent to phishing sites, where they may be asked to log in, and their credentials are stolen.

Various Methods To Improve Your Phishing Defense Techniques

While you cannot eliminate the danger of phishing attempts, you can learn from observed trends and incidents to handle them more effectively. For example, the current Zscaler report makes the following recommendations:

  • Understand the risks so you can make better policy and technology decisions.
  • Use automated tools and threat intelligence that can stop phishing.
  • Use zero-trust architectures to limit how far a successful attack can spread.
  • Train users at the right time so they become more security-aware and are encouraged to report problems.
  • Run simulated phishing attacks to find gaps in your programme.

Knowing that phishers will eventually find a way to reach you, becoming more cyber-resilient is a good place to start.

Final Words

The truth is that phishing can never be completely stopped as long as people are involved, so the best long-term solution for email security is a Zero Trust Architecture, a much more granular version of the multi-layered defense approach.

By focusing on authentication (verifying user and device trust), which ensures that emails entering the corporate environment or landing in end users’ inboxes come from real people, brands and domains, a Zero Trust approach to email helps organizations defend against email impersonation attacks.
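One concrete form of the domain verification mentioned above is DMARC-style alignment: an email passes only if SPF or DKIM succeeded for a domain that matches the visible From: domain. The evaluator below is an added example, not from the article; the two Authentication-Results headers are constructed, and the organizational-domain rule is simplified to the last two labels (a real implementation uses the Public Suffix List).

```python
import re

# Constructed Authentication-Results headers, as a receiving mail server would add them.
LEGIT_AR = ("mx.example.net; spf=pass (sender 203.0.113.5 permitted) "
            "smtp.mailfrom=bounce@mail.example.com; "
            "dkim=pass header.d=mail.example.com header.s=sel1")
SPOOF_AR = ("mx.example.net; spf=pass (sender 198.51.100.20 permitted) "
            "smtp.mailfrom=bounce@attacker.test; dkim=none")

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: a real
    implementation consults the Public Suffix List for suffixes like co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Pull (result, domain) for SPF and DKIM out of an Authentication-Results header."""
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", header)
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", header)
    return {"spf": spf.groups() if spf else None,
            "dkim": dkim.groups() if dkim else None}

def dmarc_result(from_domain, header, strict=False):
    """DMARC-style verdict: 'pass' when SPF or DKIM passed AND its domain aligns
    with the visible From: domain. strict=True demands an exact match; relaxed
    (the default) accepts the same organizational domain."""
    results = parse_auth_results(header)
    for key in ("spf", "dkim"):
        if not results[key] or results[key][0] != "pass":
            continue
        domain = results[key][1]
        if strict and domain.lower() == from_domain.lower():
            return "pass"
        if not strict and org_domain(domain) == org_domain(from_domain):
            return "pass"
    return "fail"

if __name__ == "__main__":
    # A spoofed mail can pass SPF for the attacker's own domain yet still fail alignment.
    print("legit:", dmarc_result("example.com", LEGIT_AR))
    print("spoof:", dmarc_result("example.com", SPOOF_AR))
```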

Software developers hold a special place in every technical organization. They are the most important part of any modern company because they have access both to the products sold to customers and to the systems and infrastructure used to build them. If developers were not protected, the security organization would fail, and that would be a disaster.

What do you think?

Written by Shivam Pal
