Threat Actors Abuse Trusted Cloud and Ad Platforms for Multi-Stage Phishing and Scam Delivery
Threat actors are increasingly using trusted platforms—including cloud hosting and major ad networks—to deliver multi-stage phishing and scam campaigns that evade traditional URL and domain reputation controls. Recent activity includes a three-step malvertising chain delivered via Facebook paid ads that redirects victims through a decoy site (e.g., a fake Italian restaurant page) before landing on a tech support scam (TSS) kit hosted on Microsoft Azure infrastructure (including web.core.windows.net). Researchers reported rapid infrastructure churn, with 100+ domains rotated in seven days, and targeting focused on U.S. users with activity concentrated on weekdays.
Parallel enterprise-focused campaigns are hosting phishing infrastructure on Microsoft Azure Blob Storage, Google Firebase, and AWS CloudFront, using redirect chains, CAPTCHA gates, and QR codes to bypass automated analysis and email defenses. Analysis highlighted the use of Adversary-in-the-Middle (AiTM) phishing-as-a-service kits—Tycoon2FA, Sneaky2FA, and EvilProxy—to steal credentials and session tokens even when MFA is enabled. Separately, researchers documented a “clean email” approach to steal Dropbox credentials: benign-looking procurement-themed emails deliver PDF attachments that hide clickable elements (e.g., via AcroForms and FlateDecode), which then route victims to a second-stage file hosted on Vercel Blob and ultimately to a fake Dropbox login page that captures credentials and collects victim telemetry (IP address, location, and device details).
Related Entities
Affected Products
Sources
Related Stories
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
1 months ago
Phishing Campaigns Abuse Trusted Platforms and Legitimate Workflows to Evade Detection
Multiple campaigns are abusing *legitimate* cloud and platform workflows to make phishing and fraud harder to detect. Attackers are generating real Apple and PayPal invoice/dispute emails and embedding scam phone numbers in user-controlled fields (e.g., “seller notes”), resulting in messages that carry valid **DKIM** signatures and originate from high-reputation domains; this “**DKIM replay**” style abuse bypasses many email controls because authentication validates the sender domain, not the safety of the embedded content. In parallel, threat actors are leveraging free **Google Firebase** developer accounts to host brand-mimicking phishing pages on trusted `firebaseapp.com` / `web.app` subdomains, increasing delivery and click-through rates by exploiting domain reputation and common allowlisting of Google infrastructure. A separate but related social-engineering technique targets **Telegram** users by manipulating Telegram’s official authentication workflows to obtain fully authorized sessions rather than simply stealing passwords. Victims are lured to Telegram-lookalike pages (often on ephemeral domains) that prompt QR scanning or phone-number entry; user interaction triggers a real login attempt initiated by the attacker, and once the victim approves the authorization prompt on their device, the attacker gains persistent account access and can pivot to follow-on attacks via the victim’s contacts. These incidents collectively highlight a shift toward “living off trusted services,” where adversaries avoid compromising vendors and instead weaponize legitimate features, trusted domains, and sanctioned authentication flows to reduce detection and increase victim compliance.
1 months ago
Phishing Campaigns Evade Detection by Abusing AI and Trusted Email Security Controls
Security researchers reported multiple **phishing evasion** techniques designed to defeat modern email and AI-assisted defenses rather than relying only on traditional lure quality. One campaign analyzed by KnowBe4 used **graymail-style content padding** and extreme whitespace insertion to manipulate NLP-based email security tools, placing benign promotional text, legitimate signatures, and trusted links far below the visible phishing lure so scanners would weigh the message as less malicious. A separate LevelBlue-tracked trend showed attackers abusing enterprise **URL rewriting** and *Safe Links*-style protections by sending phishing through compromised accounts, causing security gateways to generate trusted wrapped URLs that could then be reused in campaigns targeting **Microsoft 365** users. The activity reflects a broader shift toward exploiting the gap between what users see and what automated systems inspect. In the URL-rewriting abuse, operators tied to **Tycoon2FA** and **Sneaky2FA** built multi-layer redirect chains across several trusted vendor domains to obscure final destinations and steal credentials and MFA session cookies through adversary-in-the-middle infrastructure, enabling account takeover, internal phishing, data theft, and sometimes ransomware follow-on activity. Related research from LayerX showed a different but thematically aligned evasion method in which **font rendering and CSS** make webpages display malicious commands to users while AI assistants parsing the underlying HTML see only harmless text, underscoring that attackers are increasingly targeting AI and trust-based inspection layers as part of phishing and social-engineering operations.
Today