Threat Actors Abuse Trusted Cloud and Ad Platforms for Multi-Stage Phishing and Scam Delivery
Threat actors are increasingly using trusted platforms—including cloud hosting and major ad networks—to deliver multi-stage phishing and scam campaigns that evade traditional URL and domain reputation controls. Recent activity includes a three-step malvertising chain delivered via Facebook paid ads that redirects victims through a decoy site (e.g., a fake Italian restaurant page) before landing on a tech support scam (TSS) kit hosted on Microsoft Azure infrastructure (including web.core.windows.net). Researchers reported rapid infrastructure churn, with 100+ domains rotated in seven days, and targeting focused on U.S. users with activity concentrated on weekdays.
Parallel enterprise-focused campaigns are hosting phishing infrastructure on Microsoft Azure Blob Storage, Google Firebase, and AWS CloudFront, using redirect chains, CAPTCHA gates, and QR codes to bypass automated analysis and email defenses. Analysis highlighted the use of Adversary-in-the-Middle (AiTM) phishing-as-a-service kits—Tycoon2FA, Sneaky2FA, and EvilProxy—to steal credentials and session tokens even when MFA is enabled. Separately, researchers documented a “clean email” approach to steal Dropbox credentials: benign-looking procurement-themed emails deliver PDF attachments that hide clickable elements (e.g., via AcroForms and FlateDecode), which then route victims to a second-stage file hosted on Vercel Blob and ultimately to a fake Dropbox login page that captures credentials and collects victim telemetry (IP address, location, and device details).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Facebook malvertising chain delivering tech support scam disclosed
Gen Threat Labs reported a three-step malvertising campaign abusing Facebook paid ads to redirect U.S. users through decoy sites to scareware-style tech support scam pages hosted on Microsoft Azure. The operators were said to have rotated more than 100 domains over seven days and to have run the campaign mainly on weekdays.
Abuse of Microsoft and Google platforms to target enterprise users reported
Threat actors were reported abusing trusted Microsoft and Google platforms as part of attacks against enterprise users. The reference indicates a distinct campaign or technique disclosure, but does not provide a more specific event date than the publication date.
Dropbox phishing campaign using clean emails and PDF lures reported
A phishing campaign targeting Dropbox users was identified using clean-looking emails and PDF attachments or links to steal account credentials. The activity was publicly reported by Hackread, but no earlier concrete event date is provided in the reference.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New 3 Step Malvertising Chain Abusing Facebook Paid Ads to Push Tech Support #Scam Kit
cybersecuritynews.com
Open sourceThreat Actors Abuse Microsoft & Google Platforms to Attack Enterprise Users
cybersecuritynews.com
Open sourcePhishing Scam Uses Clean Emails and PDFs to Steal Dropbox Logins
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
Mar 21, 2026
Phishing Campaigns Abuse Trusted Platforms and Legitimate Workflows to Evade Detection
Multiple campaigns are abusing *legitimate* cloud and platform workflows to make phishing and fraud harder to detect. Attackers are generating real Apple and PayPal invoice/dispute emails and embedding scam phone numbers in user-controlled fields (e.g., “seller notes”), resulting in messages that carry valid **DKIM** signatures and originate from high-reputation domains; this “**DKIM replay**” style abuse bypasses many email controls because authentication validates the sender domain, not the safety of the embedded content. In parallel, threat actors are leveraging free **Google Firebase** developer accounts to host brand-mimicking phishing pages on trusted `firebaseapp.com` / `web.app` subdomains, increasing delivery and click-through rates by exploiting domain reputation and common allowlisting of Google infrastructure. A separate but related social-engineering technique targets **Telegram** users by manipulating Telegram’s official authentication workflows to obtain fully authorized sessions rather than simply stealing passwords. Victims are lured to Telegram-lookalike pages (often on ephemeral domains) that prompt QR scanning or phone-number entry; user interaction triggers a real login attempt initiated by the attacker, and once the victim approves the authorization prompt on their device, the attacker gains persistent account access and can pivot to follow-on attacks via the victim’s contacts. These incidents collectively highlight a shift toward “living off trusted services,” where adversaries avoid compromising vendors and instead weaponize legitimate features, trusted domains, and sanctioned authentication flows to reduce detection and increase victim compliance.
Mar 21, 2026
Phishing Campaigns Evade Detection by Abusing AI and Trusted Email Security Controls
Security researchers reported multiple **phishing evasion** techniques designed to defeat modern email and AI-assisted defenses rather than relying only on traditional lure quality. One campaign analyzed by KnowBe4 used **graymail-style content padding** and extreme whitespace insertion to manipulate NLP-based email security tools, placing benign promotional text, legitimate signatures, and trusted links far below the visible phishing lure so scanners would weigh the message as less malicious. A separate LevelBlue-tracked trend showed attackers abusing enterprise **URL rewriting** and *Safe Links*-style protections by sending phishing through compromised accounts, causing security gateways to generate trusted wrapped URLs that could then be reused in campaigns targeting **Microsoft 365** users. The activity reflects a broader shift toward exploiting the gap between what users see and what automated systems inspect. In the URL-rewriting abuse, operators tied to **Tycoon2FA** and **Sneaky2FA** built multi-layer redirect chains across several trusted vendor domains to obscure final destinations and steal credentials and MFA session cookies through adversary-in-the-middle infrastructure, enabling account takeover, internal phishing, data theft, and sometimes ransomware follow-on activity. Related research from LayerX showed a different but thematically aligned evasion method in which **font rendering and CSS** make webpages display malicious commands to users while AI assistants parsing the underlying HTML see only harmless text, underscoring that attackers are increasingly targeting AI and trust-based inspection layers as part of phishing and social-engineering operations.
Mar 21, 2026