
“Instead of abusing local binaries like PowerShell or WMI [Windows Management Instrumentation] to evade detection, adversaries now leverage native cloud administrative tools, APIs, identity systems, and management consoles to operate using legitimate functionality,” says Arif Khan, head of threat hunting and response services at Mitiga. “Because cloud environments are inherently API-driven, attackers who obtain valid credentials or tokens can enumerate resources, extract data, escalate privileges, and maintain persistence through routine-looking administrative calls.”
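A defender-side illustration of the chain Khan describes, added here as an example and not code from the article, Mitiga or any cloud provider: it groups CloudTrail-style audit events by principal and flags one whose individually routine calls cross enumerate, extract, escalate and persist phases inside a short window. The API-name-to-phase mapping, the window size, the principal ARNs and the event records are assumptions constructed for the example.

```python
"""Hunt for cloud living-off-the-land chains in CloudTrail-style audit events.
Each call is routine on its own; the signal is one principal moving through
enumerate -> extract -> escalate -> persist inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristic grouping of real AWS API names by the phase they typically serve
# (an assumption made for this example, not an official taxonomy).
EXTRACT = {"GetObject", "GetSecretValue"}
ESCALATE = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "AddUserToGroup"}
PERSIST = {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateAssumeRolePolicy"}
ENUMERATE_PREFIXES = ("List", "Describe")

def classify(event_name):
    """Return the phase an API name most plausibly serves, or None."""
    if event_name in EXTRACT:
        return "extract"
    if event_name in ESCALATE:
        return "escalate"
    if event_name in PERSIST:
        return "persist"
    return "enumerate" if event_name.startswith(ENUMERATE_PREFIXES) else None

def hunt(events, window_minutes=30, min_phases=3):
    """Return {principal_arn: sorted phases} for every principal whose calls
    span at least min_phases distinct phases inside one window_minutes window."""
    by_principal = defaultdict(list)
    for ev in events:
        phase = classify(ev["eventName"])
        if phase:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[ev["userIdentity"]["arn"]].append((ts, phase))
    window, findings = timedelta(minutes=window_minutes), {}
    for arn, calls in by_principal.items():
        calls.sort()  # slide a window along this principal's own timeline
        for i, (start, _) in enumerate(calls):
            phases = {p for t, p in calls[i:] if t - start <= window}
            if len(phases) >= min_phases:
                findings[arn] = sorted(phases)
                break
    return findings

# Constructed sample records (placeholder account id): ci-deploy enumerates,
# reads a secret, grants itself a policy and mints a key; backup-job only reads.
CI = "arn:aws:iam::111122223333:user/ci-deploy"
BACKUP = "arn:aws:iam::111122223333:user/backup-job"
SAMPLE_EVENTS = [{"eventTime": t, "eventName": n, "userIdentity": {"arn": a}} for t, a, n in [
    ("2024-05-01T10:00:00Z", CI, "ListBuckets"), ("2024-05-01T10:03:00Z", CI, "GetSecretValue"),
    ("2024-05-01T10:05:00Z", CI, "AttachUserPolicy"), ("2024-05-01T10:06:00Z", CI, "CreateAccessKey"),
    ("2024-05-01T10:00:00Z", BACKUP, "ListBuckets"), ("2024-05-01T10:02:00Z", BACKUP, "GetObject")]]
```

Calling `hunt(SAMPLE_EVENTS)` flags only the ci-deploy principal; the backup job's list-and-read pattern stays below the phase threshold.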
Operating through cloud-based systems sidesteps traditional defenses that rely heavily on domain reputation and static blocklists, because the traffic terminates at domains those controls already trust. Running attack infrastructure from the cloud also lowers the effort needed to mount an attack.
“Attackers are increasingly using legitimate cloud services as part of their attack infrastructure,” says Fredrik Almroth, security researcher and co-founder at Detectify. “Instead of operating their own command-and-control servers, they route traffic through trusted platforms like cloud storage, collaboration tools, or AI APIs. To defenders, it can look like routine traffic to a reputable provider.”