
Enterprise Users Targeted via Abused Microsoft and Google Cloud Platforms

by Editor

Threat actors now host malicious kits on trusted cloud platforms like Microsoft Azure, Google Firebase, AWS, and Cloudflare.

This shift targets enterprise users and bypasses traditional defenses. Instead of shady new domains, attackers use legitimate infrastructure to hide in plain sight.

Security teams face significant visibility gaps as valid IPs, HTTPS certs, and TLS fingerprints no longer reliably flag threats.

ANY.RUN data shows AiTM (Adversary-in-the-Middle) kits dominate these campaigns. They act as proxies between victims and real services, stealing credentials and bypassing MFA.

Emails lure users with links or QR codes to CAPTCHA-protected pages with redirects. This evades AV scanners, leading to data theft.

AiTM Kits and Cloud Abuse Tactics

Top kits like Tycoon2FA, Sneaky2FA, and EvilProxy lead the pack. They focus on corporate accounts, filtering out free emails like Gmail or Outlook.

| Phishing Kit | Key Features | Common Hosts | Enterprise Focus |
|---|---|---|---|
| Tycoon2FA | PhaaS for MFA bypass; proxies logins | Microsoft Azure Blob (e.g., *.blob.core.windows.net), Cloudflare | High; rapid growth, seen multiple times daily in US/EU SOCs |
| Sneaky2FA | AiTM for BEC; Base64 corporate domain filter | Google Firebase, AWS CloudFront | Strong; skips personal emails |
| EvilProxy | Reverse proxy for exec takeovers | Google domains, Cloudflare | Targeted at leaders |

Cloudflare’s appeal is clear: It masks real VPS origins behind trusted ASNs, resists blocks, and adds anti-analysis like geo-fencing, User-Agent blocks, and Turnstile CAPTCHAs.

TLS termination at the edge kills JA3S fingerprints as IOCs. Domains remain the last reliable lead, but attackers swap them quickly.

ANY.RUN sandbox analyses reveal the chains. A Tycoon2FA sample on Azure Blob mimics Microsoft 365 logins. Victims enter credentials; POST requests send encrypted data to the attacker’s servers.

Proxies return “wrong password” errors, causing login loops and session theft. Sneaky2FA similarly hits Firebase or CloudFront, zeroing in on enterprises; even niche kits like Cephas abuse Azure storage.

Trends exploded recently: Tycoon cases on Azure doubled in a week. TI Lookup queries such as threatName:"tycoon" AND domainName:"*.blob.core.windows.net" or threatName:"phishing" AND destinationIpAsn:"cloudflarenet" uncover live examples.

Detection Challenges and SOC Fixes

Traditional IOCs fail here. IP blocks hit legit traffic; domain reps lag. Enterprises need behavioral analysis and continuous TI.

ANY.RUN’s interactive sandbox shines here: analysts detonate samples in isolated VMs, working through the evasions to expose the credential-harvesting pages.

TI Lookup correlates alerts with 15K SOCs’ data, cutting triage time. Benefits include 62.7% more threats caught, 94% faster triage, and 30% fewer escalations.

Recommendations:

  • Deploy interactive sandboxes for complete attack chains.
  • Use TI feeds for real-time phishing sigs and trends.
  • Enrich alerts with behavioral IOCs over static ones.
  • Monitor cloud subdomains (e.g., blob.core.windows.net) via queries.
  • Train SOCs on AiTM proxies and cloud abuse.
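The subdomain-monitoring recommendation above, as an added example that is not part of the original article: a small log checker that flags URLs in proxy logs whose host sits under the cloud storage and CDN suffixes the article names (Azure Blob, Firebase, CloudFront), unless the exact host is a known corporate account. The allowlist, the Firebase hosting suffixes and the log lines are assumptions constructed for the example.

```python
# Added example (not from the article): flag proxy-log URLs hosted under
# cloud storage/CDN suffixes that the article reports as abused by AiTM kits,
# skipping hosts on an allowlist of the organisation's own accounts.
import re
from urllib.parse import urlparse

# Suffixes the article names as abused hosting; the Firebase Hosting
# suffixes (.web.app, .firebaseapp.com) are an assumption added here.
WATCHED_SUFFIXES = (
    ".blob.core.windows.net",   # Microsoft Azure Blob
    ".web.app",                 # Google Firebase Hosting
    ".firebaseapp.com",         # Google Firebase Hosting
    ".cloudfront.net",          # AWS CloudFront
)

# Hypothetical allowlist of the organisation's own storage accounts.
KNOWN_GOOD_HOSTS = {"corpfiles.blob.core.windows.net"}

URL_RE = re.compile(r"https?://[^\s\"']+")

def watched_suffix(host: str):
    """Return the watched suffix the host falls under, or None."""
    host = host.lower()
    for suffix in WATCHED_SUFFIXES:
        if host.endswith(suffix):
            return suffix
    return None

def flag_cloud_hosted_links(log_lines):
    """Return (line_no, host, suffix) for every non-allowlisted URL on a watched suffix."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            suffix = watched_suffix(host)
            if suffix and host not in KNOWN_GOOD_HOSTS:
                hits.append((n, host, suffix))
    return hits

# Constructed sample proxy log lines (not real indicators).
SAMPLE_LOG = [
    "2026-02-04T09:12:01Z user=alice GET https://corpfiles.blob.core.windows.net/reports/q1.pdf 200",
    "2026-02-04T09:13:44Z user=bob GET https://xk3p2q.blob.core.windows.net/$web/login.html 200",
    "2026-02-04T09:14:02Z user=bob GET https://login.microsoftonline.com/common/oauth2/authorize 302",
    "2026-02-04T09:15:30Z user=carol GET https://secure-docs-1234.web.app/#ZXhhbXBsZQ== 200",
]

if __name__ == "__main__":
    for n, host, suffix in flag_cloud_hosted_links(SAMPLE_LOG):
        print(f"line {n}: {host} (matched {suffix}) -> review for AiTM phishing hosting")
```

Line 2 (an unfamiliar Azure Blob static-website account serving a login page) and line 4 (a Firebase-hosted page) are flagged for triage; the allowlisted corporate account and the genuine Microsoft login endpoint are not.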

This shift to trusted cloud hosting makes cloud phishing mainstream and hits businesses hard.


Originally written by: Varshini

Source: Cyber Press

Published on: 4 February 2026

Link to original article: Enterprise Users Targeted via Abused Microsoft and Google Cloud Platforms
