
CYFIRMA Research: Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns

CYFIRMA


New Research: Trusted Infrastructure Phishing — The Attack That Lives Inside Your Security Stack

Most phishing starts outside your perimeter. This one starts inside it. Trusted Infrastructure Phishing (TIP) is a threat class in which every phase of the attack chain — delivery, hosting, execution, authentication, and persistence — operates through legitimate, enterprise-trusted cloud infrastructure rather than attacker-controlled systems.

No spoofed domains. No malicious IPs. No suspicious certificates. The attacker sends from Google's servers, hosts the lure on Microsoft's storage, authenticates through your own identity provider, and persists inside your licensed SaaS environment.

The governance gap is the real story. Every organization affected by TIP had licensed the platforms being abused. They had allow-listed the IPs. They had approved the OAuth flows. The gap is not in tooling; it is the assumption that infrastructure, once trusted, cannot be weaponized from within. TIP invalidates that assumption at every stage of the chain.

If your organization runs Microsoft 365, uses OAuth-integrated SaaS applications, or has invested in cloud productivity platforms — your trusted infrastructure is the attack surface.
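The point above, that an allow-list keyed on sender domains and hosting platforms is blind to this attack while the identity-layer signals are not, as an added illustration (this is not CYFIRMA's code or data). The two sample events, the platform lists, the app name and the OAuth scope watchlist are all constructed assumptions for the demo, not indicators from the report.

```python
"""Added example: why an infrastructure allow-list passes a Trusted
Infrastructure Phishing (TIP) event, and what a control that looks at
identity-layer behaviour flags instead. All data below is constructed."""

from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumption for the demo: the organization's own tenant and the licensed
# platforms it has allow-listed at the network / mail-gateway layer.
OWN_TENANT_DOMAINS = {"example.com"}
TRUSTED_SENDER_DOMAINS = {"gmail.com", "google.com", "outlook.com"}
TRUSTED_HOSTING_SUFFIXES = (".blob.core.windows.net", ".sharepoint.com", "drive.google.com")

# Assumption: a watchlist of delegated permissions that give a third-party app
# standing access to mail or files after the user has walked away.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All"}


@dataclass
class Event:
    """One phishing-relevant event: a delivered mail plus any consent it led to."""
    sender_domain: str
    link_host: str
    oauth_app: Optional[str] = None            # app the user consented to, if any
    oauth_scopes: Set[str] = field(default_factory=set)
    app_first_seen_days: Optional[int] = None  # tenant-wide age of the app


def allowlist_policy(e: Event) -> str:
    """Network-layer view: allow if sender and hosting are trusted platforms."""
    sender_ok = e.sender_domain in TRUSTED_SENDER_DOMAINS | OWN_TENANT_DOMAINS
    host_ok = e.link_host.endswith(TRUSTED_HOSTING_SUFFIXES)
    return "allow" if sender_ok and host_ok else "block"


def behaviour_policy(e: Event) -> List[str]:
    """Identity-layer view: reasons to flag, regardless of who hosts the bytes."""
    reasons: List[str] = []
    if e.oauth_app:
        risky = e.oauth_scopes & HIGH_RISK_SCOPES
        if risky:
            reasons.append(f"consent to '{e.oauth_app}' grants standing access: {sorted(risky)}")
        if e.app_first_seen_days is not None and e.app_first_seen_days < 7:
            reasons.append(f"app first seen in tenant {e.app_first_seen_days}d ago")
    # A link into a licensed storage platform is only 'ours' if the sender is.
    if e.link_host.endswith(TRUSTED_HOSTING_SUFFIXES) and e.sender_domain not in OWN_TENANT_DOMAINS:
        reasons.append("external sender linking into trusted-platform storage")
    return reasons


# Constructed TIP-style event: sent via Gmail, lure on Azure Blob, user then
# consents to a days-old app asking for offline mailbox access.
TIP_EVENT = Event(
    sender_domain="gmail.com",
    link_host="attacker-demo.blob.core.windows.net",   # constructed hostname
    oauth_app="Mail Backup Helper",                    # constructed app name
    oauth_scopes={"offline_access", "Mail.Read", "User.Read"},
    app_first_seen_days=2,
)

# Constructed benign event: internal sender sharing a SharePoint link, no consent.
BENIGN_EVENT = Event(sender_domain="example.com", link_host="contoso-demo.sharepoint.com")


if __name__ == "__main__":
    for name, ev in (("TIP", TIP_EVENT), ("benign", BENIGN_EVENT)):
        print(f"{name}: allow-list says {allowlist_policy(ev)}; "
              f"behaviour flags {behaviour_policy(ev) or 'nothing'}")
```

The allow-list verdict is identical for both events, which is exactly the gap the text describes: every network-layer attribute of the TIP event is legitimate. The signals that separate the two are the consent itself (scopes, app age) and the mismatch between an external sender and a link into storage the organization licenses; those live in the identity provider's audit and consent logs, not in the mail gateway's IP reputation.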

Link to the Research Report: https://www.cyfirma.com/research/abuse-of-cloud-native-infrastructure-in-modern-phishing-campaigns/

#CyberThreatIntelligence #CTI #CloudSecurity #TIP #TrustedInfrastructurePhishing #IdentitySecurity #OAuth #MicrosoftSecurity #PhishingDefense #MITRE #ATTACKFramework #BlueTeam #ThreatResearch #ZeroTrust #InfoSec #CYFIRMA #CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/