Cloud computing has transformed how modern organizations operate, offering unparalleled convenience, scalability, and cost-effectiveness. Applications hosted in the cloud allow teams to collaborate from anywhere, access resources on demand, and reduce reliance on local infrastructure. However, this same convenience introduces a new dimension of risk. The openness and integration of cloud services have made them an attractive target for cybercriminals who increasingly use legitimate cloud environments as vectors for delivering malicious content.
The shift toward cloud-native operations means traditional perimeter-based security approaches are no longer sufficient. As businesses rely more heavily on applications like Microsoft 365, Google Workspace, and others, attackers see these platforms as rich environments where they can hide in plain sight. Unlike malware hosted on suspicious third-party domains, content hosted on trusted cloud apps is more likely to evade detection and gain user trust. This blend of credibility and accessibility is precisely what makes cloud services so appealing to malicious actors.
Microsoft OneDrive: A Persistent Target Since 2021
Among the many cloud platforms available, Microsoft OneDrive has emerged as the most consistently exploited service. Since November 2021, it has remained at the top of the list for hosting and delivering malicious content. Despite the growing number of cloud platforms being abused by threat actors, OneDrive has held this unfortunate title due to its widespread adoption, integration into corporate environments, and the high level of trust users place in it.
OneDrive’s prominence in attack campaigns stems from both technical and psychological factors. Technically, it is tightly integrated with the broader Microsoft 365 suite, allowing attackers to craft sophisticated campaigns that can pivot across services. Psychologically, users who see a familiar Microsoft domain or interface are less likely to suspect foul play. Attackers exploit this trust, knowing that it reduces the chances of their payloads being flagged or blocked.
Even as new cloud services are exploited and the threat landscape diversifies, OneDrive continues to serve as a cornerstone for many attack strategies. It offers attackers a simple yet powerful way to distribute malware, phishing pages, and even control mechanisms without raising immediate suspicion.
The Rise of Cloud Service Fragmentation
While Microsoft OneDrive, SharePoint, and Google Drive were once responsible for the majority of cloud-based exploits, this dominance has diminished as attackers diversify their approach. In January 2022, these three platforms accounted for 85 percent of all cloud abuse incidents. By September 2022, their combined share had dropped to just 30 percent. This dramatic shift underscores the growing fragmentation of cloud service exploitation.
In the same month that the big three saw their dominance decrease, 164 different cloud services were identified as being used to distribute malicious content. This increase in variety signals a broader trend: attackers are no longer reliant on a few major platforms. Instead, they are exploring and abusing a wide range of lesser-known services that may have weaker defenses or lack visibility within enterprise environments.
This fragmentation presents new challenges for defenders. It is no longer enough to focus security efforts on a handful of well-known platforms. Organizations must now account for a long tail of cloud applications, many of which fly under the radar of traditional security tools. Each new app adopted by a business or targeted by an attacker adds another layer of complexity to the security equation.
Cloud Services as Tools of Empowerment for Attackers
The appeal of cloud services to attackers goes beyond their ubiquity. Cloud platforms simplify the execution of malicious campaigns by offering ready-made infrastructure, built-in sharing capabilities, and the ability to impersonate legitimate users. Threat actors can operate in two primary ways: by compromising an existing cloud account or by creating new, seemingly legitimate ones.
When attackers gain access to a compromised account, they can use it to deliver malware to internal or external targets while appearing to operate from a trusted source. They can also exfiltrate data, send phishing emails, and embed malicious files in shared documents. Because the activity originates from an authorized account, traditional security controls may overlook the threat.
Alternatively, attackers may create accounts of their own and use the platform's built-in tools to host malicious content. By embedding links in phishing emails or deceptive websites, they direct users to documents or login forms hosted on well-known platforms. This approach gives attackers full control over their campaign’s structure while leveraging the credibility of cloud domains to avoid detection.
This flexibility is what makes cloud services so powerful in the hands of cybercriminals. They can stage their attacks, deliver payloads, and manage communications all from within a single ecosystem. In many cases, security tools are slow to catch up because the behavior appears legitimate on the surface.
The Central Role of Microsoft 365 in the Cloud Threat Ecosystem
The Microsoft 365 suite, encompassing apps like OneDrive, SharePoint, Teams, Outlook, and more, has become an indispensable tool for organizations. Its wide adoption makes it a prime target for attackers who seek maximum reach with minimal resistance. Even as attackers explore other cloud platforms, Microsoft services remain central to most campaigns.
Beyond OneDrive and SharePoint, Microsoft platforms such as Azure, GitHub, and LinkedIn have also become frequent targets or tools in malicious activity. LinkedIn, for instance, is now one of the most impersonated brands in phishing attacks. Its professional reputation and wide user base make it an effective vehicle for social engineering and data harvesting.
GitHub, another Microsoft-owned platform, can be abused to host malicious scripts, payloads, or even fake software updates. Azure provides a cloud infrastructure that, in the wrong hands, can support command-and-control systems or distribute malware on a large scale. The integration of these services under the Microsoft banner makes it easier for attackers to move across platforms and stages of an attack without switching ecosystems.
Weaponization of Lesser-Known Applications
While attention often focuses on major applications, many lesser-known tools within the Microsoft 365 environment have also been exploited. Microsoft Sway, for example, is a presentation tool that allows users to build web-based reports or pages that combine text, media, and documents. Its flexibility and visual appeal make it an excellent medium for hosting phishing content or embedding malware.
Unlike more familiar apps, Sway may not be included in many security policies or monitoring systems, giving attackers a stealth advantage. Its content can appear highly professional and trustworthy, especially when shared in corporate environments. This allows malicious campaigns to bypass security filters and deceive even cautious users.
The exploitation of Sway is not a recent development. The “PerSwaysion” campaign, uncovered in 2020, demonstrated how attackers could use Microsoft Sway along with SharePoint and OneNote to lure victims to phishing sites. This campaign targeted high-ranking professionals across various industries, showing that even niche tools can have a wide-reaching impact when abused effectively.
Advanced Threat Techniques Leveraging the Cloud
Cloud-based threats are not limited to simple phishing scams or malware delivery. In recent years, more advanced and targeted operations have emerged. One example is the Graphite malware campaign discovered in early 2022 and linked to a state-sponsored threat group. This malware used Microsoft OneDrive for command-and-control communication, interacting through the Microsoft Graph API.
What made this campaign especially sophisticated was the method of activation. Malware installation began only when a PowerPoint file was viewed in presentation mode and the user moved their mouse. This kind of behavior-based trigger is designed to avoid detection by automated tools and ensure the target is actively engaging with the content. By leveraging trusted Microsoft APIs and services, attackers made their activity blend in with normal network traffic, making it significantly harder to detect and stop.
This case highlights how cloud services are being used not just for delivery, but for every stage of the attack lifecycle. From staging to execution, persistence to exfiltration, attackers are building entire campaigns within cloud platforms. The seamless integration and vast capabilities of Microsoft 365 make it particularly suited for such abuse.
Trust and Accessibility: The Double-Edged Sword of Cloud Platforms
The reason cloud services are so effective as attack vectors comes down to two fundamental characteristics: trust and accessibility. Users trust platforms like Microsoft 365 because they are industry standards used by millions of organizations. This trust means that links and files hosted on these platforms are less likely to be scrutinized. Attackers exploit this trust to bypass filters and deceive users.
Accessibility is the other side of the coin. Cloud services are designed to be available anytime, anywhere, by anyone with the right credentials. While this accessibility enhances productivity, it also opens the door to unauthorized access and abuse. Attackers can operate from any location, using cloud accounts that blend in with normal traffic patterns. They can rotate between different services, evade detection tools, and exploit integrations to move laterally within an organization.
This combination of trust and accessibility makes defending against cloud-based threats particularly difficult. Security teams must balance the need for openness with the need for control. This requires tools that can detect anomalies, policies that enforce best practices, and training that helps users recognize the subtle signs of malicious activity.
Understanding the Depth of Microsoft’s Cloud Ecosystem
Microsoft’s transition into a cloud-first provider has revolutionized productivity and digital collaboration across industries. Through its comprehensive ecosystem, Microsoft 365 encompasses a wide range of services, including OneDrive, SharePoint, Teams, Outlook, Power Platform, Exchange Online, Azure, and more. These tools are interconnected by design, providing a seamless experience for users but also a layered attack surface for malicious actors.
At the core of this ecosystem is the Microsoft Graph API, a gateway that connects data and services across Microsoft 365. With Graph, developers can automate workflows, access calendars, files, messages, and user profiles across applications using a single interface. While this brings enormous advantages for legitimate users, it also gives attackers a unified point of interaction for controlling or exfiltrating data once they gain access to an account or token.
The integration across applications means an attacker does not need to break into multiple services independently. A single set of credentials or a compromised access token can unlock a wide array of functionalities. Attackers can read emails, send phishing messages, access shared documents, or even create calendar events with embedded malicious links. Because all these actions can be executed through legitimate APIs, they are less likely to raise suspicion unless closely monitored.
This deep level of integration blurs the lines between individual applications. What appears as normal use in one service could be a stepping stone for malicious activity in another. The challenge lies in correlating actions across the suite to detect abnormal patterns. Traditional security solutions often operate in silos and are not equipped to make these contextual connections, allowing attackers to operate undetected for extended periods.
Credential Theft and the Abuse of OAuth in Microsoft 365
Credential theft remains one of the most common entry points for cloud exploitation. Attackers use phishing, malware, or brute force attacks to obtain usernames and passwords. However, modern authentication mechanisms in Microsoft 365, such as OAuth tokens, have added a new layer of complexity to how attackers maintain access.
OAuth is a protocol that allows applications to access user accounts without exposing their credentials. It provides temporary, revocable access through tokens that can be scoped to specific services. While OAuth is secure by design, its abuse has become a powerful method for persistence in cloud environments. Once a user authorizes a malicious application, the attacker receives a token that allows access even if the user later changes their password.
This method is particularly dangerous because users are often unaware of the permissions they grant. A seemingly harmless application could request access to email, contacts, and files. Once granted, the token operates independently of the user and may remain active until explicitly revoked by an administrator. Attackers exploit this by disguising malicious applications as productivity tools or security features, luring users into granting access through deceptive prompts or fake login pages.
Because OAuth-based access is legitimate in the eyes of Microsoft’s infrastructure, it is more difficult to detect and block. Many monitoring systems focus on login behavior or password changes, but do not track token usage or application permissions. This allows attackers to maintain long-term access and operate with elevated privileges without triggering alerts.
Advanced attackers may also use token theft or token replay attacks, where a stolen token is reused in another context to gain unauthorized access. This is particularly effective in environments where multi-factor authentication is enforced at the login level but not for token revalidation. Once a token is acquired, attackers can bypass the additional security layers that would normally prevent direct login attempts.
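The defensive counterpart to the consent abuse described above is a periodic review of which applications hold delegated grants, what scopes they were given, and whether the publisher is verified. The following is an added example, not code from the original article: it scores constructed grant records whose field names are modelled loosely on Microsoft Graph's servicePrincipal and oauth2PermissionGrant objects (that schema is an assumption here), treating the combination of an unverified publisher, mail or file scopes, and offline_access (which yields a refresh token and so survives a password change) as the highest-risk pattern.

```python
"""Score OAuth2 permission grants for consent-phishing risk.

Added example, not from the original article. Input records are constructed;
their field names are modelled loosely on Microsoft Graph's servicePrincipal
and oauth2PermissionGrant objects and are an assumption for illustration.
"""
from dataclasses import dataclass, field

# Delegated scopes that give an app broad reach into mail, files and contacts.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "Directory.AccessAsUser.All",
}
# offline_access yields a refresh token: access outlives a password change
# until the grant itself is revoked.
PERSISTENCE_SCOPE = "offline_access"

APPS = [  # constructed servicePrincipal-like records
    {"id": "sp-1", "displayName": "Contoso Expense Tool",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "displayName": "Mailbox Security Upgrade",
     "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "Team Poll Helper",
     "verifiedPublisher": None},
]

GRANTS = [  # constructed oauth2PermissionGrant-like records
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.Read.All offline_access"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-cfo",
     "scope": "User.Read Mail.ReadWrite Mail.Send Contacts.Read offline_access"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "u-dev",
     "scope": "User.Read"},
]


@dataclass
class Finding:
    app: str
    principal: str
    sensitive: set = field(default_factory=set)
    persistent: bool = False
    unverified: bool = False

    @property
    def severity(self) -> str:
        # Unverified publisher + sensitive data + refresh token is the
        # consent-phishing profile the article describes.
        if self.unverified and self.sensitive and self.persistent:
            return "high"
        if self.sensitive or (self.unverified and self.persistent):
            return "medium"
        return "low"


def review_grants(apps, grants):
    """Join each grant to its app and derive a Finding per grant."""
    by_id = {a["id"]: a for a in apps}
    findings = []
    for g in grants:
        app = by_id[g["clientId"]]
        scopes = set(g["scope"].split())
        principal = "(all users)" if g["consentType"] == "AllPrincipals" else g["principalId"]
        findings.append(Finding(
            app=app["displayName"],
            principal=principal,
            sensitive=scopes & SENSITIVE_SCOPES,
            persistent=PERSISTENCE_SCOPE in scopes,
            unverified=app.get("verifiedPublisher") is None,
        ))
    return findings


def high_risk(findings):
    """Grants an administrator should revoke or justify first."""
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in review_grants(APPS, GRANTS):
        print(f"{f.severity:6} {f.app!r} -> {f.principal}: "
              f"sensitive={sorted(f.sensitive)} persistent={f.persistent} "
              f"unverified={f.unverified}")
```

Tenant-wide grants (consentType AllPrincipals) deserve the same scrutiny even from verified publishers, since one admin consent exposes every mailbox at once.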
Exploiting Microsoft’s Collaboration Tools for Social Engineering
Microsoft Teams and SharePoint have become central to workplace collaboration, enabling users to share documents, hold meetings, and communicate in real time. Unfortunately, these same features have become tools for social engineering when misused by attackers. Once inside a Microsoft 365 environment, attackers can exploit trust and familiarity to manipulate users.
In many phishing campaigns, attackers create Teams messages that appear to originate from trusted colleagues or managers. These messages may include urgent requests, malicious file links, or calendar invitations with embedded threats. Because they come from within the organization’s environment, users are more likely to act without skepticism. This bypasses many of the warning signs typically associated with external phishing messages.
SharePoint can also be used to host malicious documents and distribute them across departments or even externally. Attackers often exploit the document sharing capabilities by uploading a harmful file and sending sharing links to targeted users. These links originate from a legitimate domain and lead to trusted environments, making them less likely to be flagged by security tools.
Another common tactic involves using shared notebooks in OneNote or Excel documents with embedded macros. These files are disguised as routine business documents such as invoices, reports, or schedules. Once opened, they may execute scripts or drop malware onto the user’s system. The integration with OneDrive ensures that any changes made by the attacker are reflected in real time, enabling the delivery of fresh payloads without needing to resend the file.
Because collaboration tools are so widely used, most employees are accustomed to clicking links or opening documents shared within these platforms. This behavioral normalization is a key element in the success of cloud-based social engineering attacks. Security awareness training often focuses on email-based threats, but many users are less prepared to identify threats embedded within legitimate collaboration environments.
Leveraging Azure for Infrastructure and Obfuscation
Beyond Microsoft 365 applications, attackers are increasingly turning to Azure—the cloud infrastructure platform provided by Microsoft—to support their operations. Azure offers scalable hosting, storage, compute, and networking capabilities that can be used to set up and control malicious infrastructure without leaving the Microsoft ecosystem.
One common use case is the hosting of command-and-control servers within Azure’s infrastructure. By creating Azure-hosted domains and using services like Azure Blob Storage or Azure App Services, attackers can blend in with legitimate traffic. Many organizations automatically trust traffic to and from Microsoft domains, which provides a layer of obfuscation for malicious actors. This trust makes it harder for security teams to block traffic without risking disruption to legitimate services.
Another tactic involves using Azure Functions to automate malicious tasks such as sending phishing emails, querying internal data, or triggering alerts that create distractions. These functions can be scripted and deployed quickly, making them ideal for time-sensitive attacks or rapid campaign development. In some cases, attackers use Azure’s API management services to disguise the true origin of their traffic and make attribution more difficult.
Azure also plays a role in hosting fake login pages and phishing kits. Because Azure domains are trusted, links that point to Azure-based phishing pages are more likely to reach users without being blocked. These pages can be designed to look identical to corporate login portals and are often used to collect credentials and multi-factor authentication codes in real time.
Moreover, attackers may set up Azure tenants and use them to interact with victim environments. This gives them the ability to launch attacks that appear to originate from Microsoft infrastructure, complicating efforts to trace the source. In advanced campaigns, Azure is also used for exfiltration, staging stolen data in encrypted containers or disguised as legitimate cloud backups.
The Difficulty of Detecting Malicious Behavior in Trusted Environments
A central challenge in defending against cloud-based attacks is the difficulty in detecting malicious behavior when it originates from a trusted service or account. Traditional security tools rely on indicators such as unfamiliar domains, known malware signatures, or geolocation anomalies. In cloud environments, especially within Microsoft’s infrastructure, these indicators are often absent.
When an attacker sends a malicious OneDrive link or shares a file through SharePoint, the activity is logged as legitimate usage. Even advanced endpoint detection tools may not flag the action because it aligns with normal user behavior. Similarly, if an attacker gains access to a legitimate account and uses it to send phishing emails from Outlook, the messages may pass through spam filters and authentication checks without issue.
The high level of trust placed in Microsoft services means that attackers have a better chance of success. Security policies often permit Microsoft traffic by default, especially when it comes from known IP ranges or recognized domains. This creates a blind spot in the organization’s defenses, allowing attackers to operate freely once they have infiltrated the environment.
Furthermore, the volume of activity within Microsoft 365 makes anomaly detection more difficult. With thousands of files being created, edited, and shared daily, spotting a single malicious action requires advanced behavioral analytics and context-aware monitoring. Many security tools are not equipped to handle this scale or complexity, leaving organizations vulnerable to subtle but impactful threats.
Abusing Third-Party Integrations and App Permissions
Another vector that is often overlooked is the abuse of third-party applications and integrations within Microsoft 365. Users and administrators can add apps from Microsoft AppSource or other external providers to enhance functionality. While these integrations can be beneficial, they also present new opportunities for exploitation.
Attackers may create malicious third-party applications that request excessive permissions under the guise of providing helpful features. Once installed, these apps can access data across Microsoft services, including emails, documents, calendars, and contact lists. Because the user initiates the installation, the permissions are often granted without scrutiny.
In some cases, attackers exploit known vulnerabilities in third-party plugins to escalate privileges or execute code within the Microsoft 365 environment. These vulnerabilities may not be discovered until after the damage is done. Without strong governance over app installations and permissions, organizations expose themselves to a growing list of potential threats.
To reduce the risk, organizations must enforce application whitelisting, conduct regular audits of installed apps, and educate users about the dangers of authorizing unknown services. However, even with strict policies, it can be difficult to stop determined attackers who use social engineering to bypass administrative controls.
The Implications for Long-Term Persistence and Lateral Movement
Once inside a cloud environment, attackers focus on maintaining access and expanding their reach. Microsoft’s interconnected services allow lateral movement with minimal resistance. For example, a compromised Outlook account can be used to phish other users within the same domain. Shared access to OneDrive or SharePoint can be exploited to drop malware or harvest sensitive data.
Advanced attackers use this interconnectedness to conduct reconnaissance, map out user relationships, and identify high-value targets. By exploiting service-level trust and integration, they can move laterally from low-privilege accounts to administrative users, gaining deeper control over the organization’s cloud environment.
In some campaigns, attackers establish long-term persistence by creating new accounts, assigning them administrative privileges, and hiding them within the organization’s user directory. These sleeper accounts may remain dormant for weeks or months before being activated. Because they are created internally and may follow naming conventions, they are harder to spot than external threats.
The longer an attacker remains undetected, the more damage they can cause. Beyond data theft, they may deploy ransomware, manipulate business processes, or compromise customer data. The persistence enabled by cloud integration, token abuse, and trusted services makes Microsoft environments particularly challenging to secure once an attacker gains a foothold.
Documented Campaigns Demonstrating Cloud Exploitation
The theoretical risk of cloud service exploitation becomes much clearer when examined through real-world incidents. Over the past several years, multiple campaigns have shown how attackers are leveraging trusted platforms—particularly those in the Microsoft ecosystem—to deliver malware, conduct espionage, and execute financial fraud. These incidents offer critical insight into the tactics, techniques, and procedures used by threat actors, as well as the vulnerabilities they commonly exploit.
One of the most discussed examples in recent cloud-based cyber campaigns is the persistent exploitation of Microsoft OneDrive and SharePoint to deliver malicious content. Due to their widespread use in enterprises and educational institutions, these platforms offer high success rates for attackers. File-sharing capabilities allow attackers to deliver malicious payloads through URLs that seem trustworthy and familiar. Additionally, the integration of these services with email, chat, and document management systems helps attackers operate within the natural workflows of their victims, reducing the chances of detection.
Campaigns abusing OneDrive have demonstrated how a seemingly benign link can lead to a sequence of actions resulting in infection, credential theft, or further network penetration. What makes these attacks especially challenging is the fact that the URLs often point to real, active Microsoft domains. This trust factor makes it difficult for both users and automated defenses to distinguish legitimate activity from malicious operations.
The PerSwaysion Campaign: Targeting Executives Through Microsoft Sway
One of the earliest large-scale examples of cloud app exploitation was the PerSwaysion campaign. This operation was discovered in early 2020 but had been active since mid-2019. It specifically targeted C-level executives and other high-ranking officials in small and medium-sized businesses, particularly within sectors such as finance, real estate, and law.
The hallmark of this campaign was the abuse of Microsoft Sway, a web-based app designed for creating interactive reports and presentations. Attackers used Sway to craft convincing phishing landing pages that mimicked Microsoft login portals. Victims received spear-phishing emails appearing to come from trusted business contacts, with links directing them to these fake login screens.
What made this campaign effective was its subtlety and realism. The phishing sites looked professional and used legitimate Microsoft infrastructure, which meant that URL filters and security solutions were less likely to block them. Once the victim entered their credentials, attackers immediately accessed the compromised mailbox and forwarded the original phishing email to new targets within the victim’s contact list, continuing the cycle.
This automation and social engineering chain created a self-propagating attack model that scaled quickly across multiple industries. The attackers also used the compromised inboxes to search for sensitive documents, financial data, and credentials to other systems. The targeting of executives gave them access to high-value data with the potential for significant damage, including financial fraud, insider threats, and intellectual property theft.
Graphite Malware: Using Microsoft Graph and OneDrive for Stealth
In January 2022, researchers uncovered a new cyber-espionage tool named Graphite, attributed to APT28, a threat group linked to Russia’s military intelligence service. What distinguished Graphite was its sophisticated use of Microsoft cloud services to avoid detection and ensure persistent access to compromised systems.
The malware utilized the Microsoft Graph API—a legitimate interface for accessing Microsoft 365 data—to communicate with its command-and-control infrastructure, which was hosted on OneDrive. This design allowed the attackers to blend malicious traffic with legitimate cloud service calls. Since Graph API traffic is common in Microsoft environments, it provided excellent cover for the attackers.
The infection chain in Graphite was also highly targeted. In one instance, it relied on a malicious PowerPoint file sent via phishing email. When opened in presentation mode, the file executed a script when the user simply moved their mouse, triggering the malware installation. This level of subtlety indicates a deep understanding of user behavior and security bypass techniques.
Once installed, Graphite would communicate with OneDrive to fetch encrypted payloads, receive commands, and exfiltrate stolen data. Because the data traveled through Microsoft’s cloud infrastructure, traditional network security tools were unlikely to flag it as suspicious. The use of standard encryption and API calls made it extremely difficult for defenders to distinguish Graphite’s activity from routine cloud service usage.
This campaign illustrates how attackers are using trusted infrastructure not only for delivery but for full lifecycle operations, including command and control, lateral movement, and data exfiltration. By exploiting tools like Graph API, attackers gain the ability to operate within the security blind spots of many enterprise environments.
Leveraging Azure for Command and Control
Beyond Microsoft 365, attackers have found value in Microsoft Azure, the company’s broader cloud platform. Azure offers a range of services such as blob storage, compute instances, serverless functions, and web app hosting—all of which can be misused for malicious purposes.
In several documented cases, attackers created Azure-hosted command-and-control (C2) servers that facilitated communication between infected machines and threat operators. Because Azure traffic is usually trusted within corporate networks, attackers were able to exfiltrate data or fetch new payloads without triggering alerts.
One example involved attackers using Azure Blob Storage to host second-stage malware. The blob containers were configured to appear as public content shared by a benign business application. Victims unknowingly accessed this content through embedded links in emails or documents. This storage method was favored for its ability to remain active for extended periods without detection, especially if the content was encrypted or obfuscated.
In more advanced scenarios, attackers used Azure Functions—small pieces of serverless code triggered by events—to execute malicious logic. These functions were used to proxy traffic, perform data manipulation, or redirect users to phishing pages. The ephemeral nature of serverless functions meant that the attack infrastructure could be rapidly deployed and taken down, reducing the risk of attribution or blocking.
These examples show how cloud infrastructure platforms like Azure provide the tools necessary to build resilient, flexible, and stealthy cyber campaigns. They also highlight the growing complexity of threat detection in cloud environments, where malicious actions are executed through legitimate interfaces and services.
Phishing Attacks via SharePoint and OneDrive Links
Phishing campaigns that use SharePoint and OneDrive links remain among the most prevalent forms of cloud abuse. Attackers use these services to host malicious files or links and then distribute them via email, chat, or even SMS messages. Because the links originate from Microsoft domains, they often bypass email filters and URL blocklists.
In one observed campaign, attackers uploaded a malicious PDF file to OneDrive and shared it using a standard Microsoft sharing link. The email containing the link was crafted to look like a document-sharing notification from a colleague. When the user clicked the link, they were taken to a fake Microsoft login page hosted on SharePoint. After entering their credentials, the user was redirected to a real PDF document, preserving the illusion of authenticity.
The campaign’s success hinged on Microsoft branding and the familiarity of the user experience. Everything—from the email format to the link and final document—appeared legitimate. The use of multi-stage deception helped avoid immediate detection and increased the likelihood that victims would not report the incident.
In many cases, attackers chain these phishing methods with credential stuffing attacks or use the stolen credentials to access corporate environments. Once inside, they can deploy further payloads, launch ransomware, or access sensitive files. Because the delivery mechanism is built into a trusted workflow, these attacks are particularly difficult to intercept.
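Because the links in these campaigns really do resolve to Microsoft domains, a useful triage step is to ask which tenant a SharePoint or OneDrive link belongs to rather than whether the domain is trusted. The following is an added example, not code from the original article: it extracts links from a constructed message, recovers the tenant name from the <tenant>.sharepoint.com or <tenant>-my.sharepoint.com host, and flags links from tenants the organisation does not own as well as consumer OneDrive short links (the tenant allowlist and the sample mail are constructed).

```python
"""Flag SharePoint/OneDrive sharing links from tenants the organisation does
not own. Added example, not from the original article; the message and the
tenant allowlist below are constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# <tenant>.sharepoint.com (SharePoint) or <tenant>-my.sharepoint.com (OneDrive for Business)
SP_HOST_RE = re.compile(r"^(?P<tenant>[a-z0-9-]+?)(?P<my>-my)?\.sharepoint\.com$", re.I)
PERSONAL_HOSTS = {"1drv.ms", "onedrive.live.com"}  # consumer OneDrive links

OWN_TENANTS = {"contoso"}  # constructed: tenant names this organisation owns

SAMPLE_MAIL = """Hi, please review the Q3 invoice I shared with you:
https://contoso-my.sharepoint.com/:b:/p/j.doe/EXAMPLE_SHARE_ID?e=abc
and the countersigned copy here:
https://fabrikam-my.sharepoint.com/:b:/p/accounts/EXAMPLE_SHARE_ID
backup: https://1drv.ms/b/s!EXAMPLE_SHORT_LINK
Docs: https://learn.microsoft.com/en-us/sharepoint/
"""


def classify_link(url: str, own_tenants=OWN_TENANTS) -> dict:
    """Return the link kind, its tenant (if any) and whether it is external."""
    host = (urlparse(url).hostname or "").lower()
    m = SP_HOST_RE.match(host)
    if m:
        tenant = m.group("tenant")
        kind = "onedrive-business" if m.group("my") else "sharepoint"
        return {"url": url, "kind": kind, "tenant": tenant,
                "external": tenant not in own_tenants}
    if host in PERSONAL_HOSTS:
        # Consumer OneDrive: no tenant, so always treated as external.
        return {"url": url, "kind": "onedrive-personal", "tenant": None,
                "external": True}
    # Not a sharing link; outside the scope of this check.
    return {"url": url, "kind": "other", "tenant": None, "external": None}


def suspicious_links(body: str, own_tenants=OWN_TENANTS):
    """Sharing links in the message body that point outside our tenants."""
    return [c for c in (classify_link(u, own_tenants) for u in URL_RE.findall(body))
            if c["external"]]


if __name__ == "__main__":
    for c in suspicious_links(SAMPLE_MAIL):
        print(f"{c['kind']:18} tenant={c['tenant']} {c['url']}")
```

A link from the organisation's own tenant is not proof of safety, since a compromised internal account shares from that same tenant; the check narrows what needs a closer look rather than clearing anything.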
Business Email Compromise Enabled by Cloud Tools
Business Email Compromise (BEC) attacks have evolved significantly with the adoption of cloud platforms. In the past, BEC largely depended on email spoofing or hijacking accounts. Today, attackers exploit cloud-native features to increase the sophistication and success rate of their scams.
A common technique involves attackers gaining access to a user’s Outlook account and then setting up mail forwarding rules, auto-replies, or inbox redirection. This allows them to silently monitor communication, intercept financial transactions, or impersonate the user. These changes are often made through the Outlook Web App or via the Graph API, so they leave no trace on the endpoint and are difficult to detect with traditional endpoint tools.
One high-profile case involved attackers who compromised a finance executive’s Microsoft 365 account. They monitored email conversations and identified the right moment to insert fraudulent invoices or redirect payment instructions. Because the email came from a legitimate corporate account, the finance department completed the payment without suspicion. The attackers used their access to erase traces of the conversation, further concealing their actions.
In more advanced BEC campaigns, attackers also use Microsoft Forms to create surveys or approval forms that mimic internal workflows. Employees are tricked into approving wire transfers or providing sensitive financial data, believing they are responding to official processes. These forms are hosted on Microsoft’s infrastructure, increasing their credibility and reducing the chance of being blocked.
BEC continues to be one of the most financially damaging forms of cybercrime, and its evolution within cloud environments makes it even more dangerous. Microsoft’s ecosystem, with its extensive collaboration and automation features, offers attackers numerous pathways to deceive, steal, and manipulate from within.
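The inbox-rule tampering described above is one of the few BEC steps that leaves a durable, auditable artifact in the tenant. The following is an added example, not code from the article: it audits a mailbox's rules for the patterns defenders most often see after a compromise (forwarding or redirecting outside the tenant, deleting or hiding finance-related mail, near-empty rule names). The rule records are constructed and only modelled on the shape of the Microsoft Graph `messageRule` resource; in production they would come from `/users/{id}/mailFolders/inbox/messageRules`. The domain list, keyword list and folder names are assumptions to tune per tenant.

```python
"""Audit Outlook inbox rules for patterns that typically accompany BEC.

Added example. Rule records are constructed and only modelled on the
Microsoft Graph messageRule resource (displayName, isEnabled, conditions,
actions). Keyword lists, folder names and domains are assumptions.
"""
from __future__ import annotations

# Assumed: the tenant's own e-mail domains.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
# Assumed: terms a BEC actor filters on to divert or hide payment-related mail.
SUSPECT_TERMS = ("invoice", "payment", "wire", "bank", "remittance", "password", "mfa")
# Assumed: folders an attacker routes mail into so the owner never notices it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}


def _external_addresses(recipients: list[dict]) -> list[str]:
    """Return the recipient addresses whose domain is outside the tenant."""
    external = []
    for recipient in recipients:
        address = recipient.get("emailAddress", {}).get("address", "").lower()
        domain = address.rsplit("@", 1)[-1] if "@" in address else ""
        if domain and domain not in INTERNAL_DOMAINS:
            external.append(address)
    return external


def _suspect_terms(conditions: dict) -> set[str]:
    """Collect condition terms that mention finance or credential topics."""
    hits = set()
    for key in ("subjectContains", "bodyContains", "subjectOrBodyContains", "senderContains"):
        for term in conditions.get(key, []):
            if any(s in term.lower() for s in SUSPECT_TERMS):
                hits.add(term)
    return hits


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one inbox rule (empty list = nothing odd)."""
    findings: list[str] = []
    if not rule.get("isEnabled", True):
        return findings  # a disabled rule does nothing; report only live ones
    actions = rule.get("actions", {})
    terms = _suspect_terms(rule.get("conditions", {}))

    # 1. Forwarding or redirecting to an address outside the tenant.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        external = _external_addresses(actions.get(key, []))
        if external:
            findings.append(f"{key} external address(es): {', '.join(external)}")

    # 2. Deleting or hiding mail that matches finance/credential keywords.
    #    The sample carries a resolved folder display name in moveToFolder for
    #    readability; the real API returns a folder id that must be looked up.
    folder = str(actions.get("moveToFolder", "")).lower()
    if terms and actions.get("delete"):
        findings.append(f"deletes mail matching {sorted(terms)}")
    if terms and folder in HIDING_FOLDERS:
        findings.append(f"hides mail matching {sorted(terms)} in '{folder}'")

    # 3. Marking diverted mail as read removes the unread indicator the owner
    #    would otherwise notice, so it is a tell when combined with 1 or 2.
    if actions.get("markAsRead") and findings:
        findings.append("also marks diverted mail as read")

    # 4. Near-empty names ('.', ',', single letters) are common in BEC tooling.
    if len(rule.get("displayName", "").strip()) <= 1:
        findings.append("near-empty rule name")
    return findings


def audit_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule id -> findings for every rule that has at least one finding."""
    return {r["id"]: f for r in rules if (f := audit_rule(r))}


# Constructed sample: one legitimate rule and two that look like BEC persistence.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": True}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "conditions": {"subjectOrBodyContains": ["invoice", "wire transfer"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@mail-example.net"}}],
                 "moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"id": "r3", "displayName": "cleanup", "isEnabled": True,
     "conditions": {"subjectContains": ["password reset", "MFA"]},
     "actions": {"delete": True}},
]

if __name__ == "__main__":
    for rule_id, findings in audit_mailbox(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(findings))
```

Run against every mailbox on a schedule and diff the output against the previous run; a rule that appears for the first time on the same day as a risky sign-in is a strong correlation signal.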
Multi-Platform Campaigns Targeting Cloud and On-Premise Hybrid Environments
As many organizations operate in hybrid environments, combining on-premise infrastructure with cloud services, attackers have adapted their tactics to exploit both. Campaigns now frequently begin in the cloud and pivot into internal networks—or vice versa—creating a broader threat surface.
One such campaign began with phishing emails that led to credential theft on Microsoft 365. Using the stolen credentials, attackers accessed SharePoint and OneDrive, where they uploaded additional payloads. From there, they identified devices syncing files via OneDrive and used lateral movement tools to target those endpoints. Once inside, they gained access to the on-premise network and deployed ransomware, encrypting both cloud and local files.
This dual-layer approach complicates response efforts. Cloud and on-premise environments often have different security teams, policies, and visibility tools. Attackers exploit these gaps, moving between platforms to maintain persistence and maximize damage. Their use of cloud services as initial access points and lateral movement bridges makes detection and containment significantly harder.
As attackers become more proficient in targeting hybrid infrastructures, organizations must adopt unified security strategies. This includes centralizing identity and access management, ensuring that visibility extends across both cloud and on-premise environments, and using behavioral analytics to identify cross-platform anomalies.
Strengthening User Awareness and Education
Human error remains one of the most common entry points for cyberattacks, especially those involving cloud services. Attackers rely heavily on social engineering tactics to trick users into clicking malicious links, granting excessive permissions, or providing sensitive information. Therefore, building a strong foundation of user awareness is one of the most effective ways to reduce the risk of cloud service exploitation.
Security training should go beyond general phishing awareness. It must include specific education on how cloud-based threats work and how they differ from traditional email-based or file-based threats. Employees should learn to recognize suspicious behaviors in collaboration tools such as Teams or SharePoint, including unexpected sharing requests, unusual file formats, or login pages that appear slightly different from normal.
Training should also emphasize the importance of verifying the authenticity of document-sharing notifications, especially those that include requests to log in or approve actions. Users must be made aware that legitimate-looking links, even those hosted on well-known platforms like OneDrive or Forms, can be malicious if shared by attackers using compromised accounts.
To reinforce these lessons, regular simulations and drills should be conducted. These exercises should include realistic cloud-based attack scenarios such as phishing links in Teams messages, fake document-sharing requests, or impersonated login pages. Repeated exposure to these patterns helps users build instinctive responses to suspicious activity and strengthens the organization’s first line of defense.
Securing Cloud Account Access with Strong Authentication
Once attackers gain access to a cloud account, they can leverage a range of legitimate features to further their goals. Preventing unauthorized access is critical to reducing the potential damage of cloud-based attacks. One of the most effective ways to do this is by implementing strong, multi-layered authentication mechanisms.
Multi-factor authentication (MFA) should be enabled for all users, especially administrators and employees who handle sensitive data or have elevated privileges. MFA significantly reduces the likelihood that compromised credentials alone can be used to access an account. Even if a password is stolen through phishing or keylogging, the attacker would still need a second authentication factor, such as a mobile device or security token.
However, MFA must be enforced consistently. It is not uncommon for organizations to exclude certain services, applications, or users from MFA policies due to perceived inconvenience or technical limitations. These exceptions create weak points that attackers actively seek out and exploit. Organizations should aim for universal MFA coverage and eliminate any unnecessary exemptions.
Conditional access policies can provide additional protection by requiring stronger authentication when certain risk factors are detected. These conditions might include unfamiliar locations, untrusted devices, or unusual login patterns. By dynamically adjusting the level of authentication required, organizations can better balance security with user convenience.
To further enhance access security, organizations should implement identity protection features that detect risky sign-ins and automate responses such as account locking, session termination, or user notification. Monitoring tools that analyze sign-in behavior and compare it against historical norms can also help identify unauthorized access attempts before damage occurs.
Monitoring Cloud Activity and Detecting Anomalies
Traditional security tools are not designed to monitor cloud-based activity at the depth required to detect modern threats. To secure cloud environments, organizations need visibility into user behavior, file access, sharing patterns, and application usage across the entire platform.
Security teams should implement tools that provide real-time monitoring of cloud activity, focusing on identifying anomalies that may indicate compromise. These tools should be capable of tracking who accesses what data, from where, and under what context. For example, an alert should be generated if a user suddenly downloads a large volume of files from SharePoint, shares documents externally in bulk, or logs in from a country they have never visited.
Cloud-native tools offered by service providers can assist in this effort. Platforms like Microsoft 365 provide audit logs, access reports, and threat detection features that can be configured to alert security teams to potential abuse. These logs must be actively reviewed and correlated with other data sources to form a comprehensive picture of user behavior.
Behavioral analytics plays a key role in detecting subtle deviations from normal activity. Machine learning models can learn a user’s typical working hours, file usage patterns, and communication habits. When an attacker operates within a compromised account, their activity often differs from the norm, even if it seems legitimate on the surface. Behavioral monitoring systems can flag these differences and escalate them for further investigation.
To respond effectively to detected anomalies, organizations should establish cloud-specific incident response protocols. These plans must define how to isolate affected accounts, revoke access tokens, analyze the scope of the incident, and notify relevant stakeholders. A fast response can minimize the impact of a breach and prevent further escalation.
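The alert conditions named above (a sudden bulk download, bulk external sharing, a sign-in from a country the user has never used) can be expressed directly over the tenant's audit records. The following is an added example, not code from the article: the records are constructed, their field names (`CreationTime`, `UserId`, `Operation`, `Workload`, `ClientIP`, `TargetUserOrGroupType`) follow the Microsoft 365 unified audit log schema, and `Country` is assumed to have been added by geo-IP enrichment in the SIEM. The window size and thresholds are assumptions to tune per tenant.

```python
"""Flag anomalous Microsoft 365 activity in a batch of audit log records.

Added example. Records are constructed; the Country field is assumed to come
from geo-IP enrichment. Thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # sliding window for burst detection (assumption)
DOWNLOAD_BURST = 5                   # downloads per window that trigger an alert
EXTERNAL_SHARE_BURST = 3             # external shares per window that trigger an alert
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
SHARE_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"}


def _is_external_share(rec: dict) -> bool:
    """Anonymous links and shares to guest accounts count as external sharing."""
    if rec["Operation"] == "AnonymousLinkCreated":
        return True
    return rec.get("TargetUserOrGroupType") == "Guest"


def _burst(events: deque, ts: datetime, limit: int) -> bool:
    """Record an event at ts and report whether the window now holds `limit` events.

    The deque is cleared after an alert so the next alert needs a fresh burst
    rather than re-firing as the window slides."""
    events.append(ts)
    while events and ts - events[0] > WINDOW:
        events.popleft()
    if len(events) >= limit:
        events.clear()
        return True
    return False


def detect_anomalies(records: list[dict], known_countries: dict[str, set[str]]) -> list[dict]:
    """Return alerts for download bursts, external-sharing bursts and new-country sign-ins.

    known_countries is the per-user baseline built from earlier sign-ins."""
    alerts: list[dict] = []
    downloads: dict[str, deque] = defaultdict(deque)
    shares: dict[str, deque] = defaultdict(deque)
    seen = {u.lower(): set(c) for u, c in known_countries.items()}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(rec["CreationTime"])
        user = rec["UserId"].lower()
        op = rec["Operation"]
        if op == "UserLoggedIn":
            country = rec.get("Country")
            if country and country not in seen.setdefault(user, set()):
                alerts.append({"user": user, "time": ts, "type": "new-country-signin",
                               "detail": f"{country} from {rec.get('ClientIP')}"})
                seen[user].add(country)  # alert once per newly seen country
        elif op in DOWNLOAD_OPS and _burst(downloads[user], ts, DOWNLOAD_BURST):
            alerts.append({"user": user, "time": ts, "type": "bulk-download",
                           "detail": f"{DOWNLOAD_BURST}+ downloads within {WINDOW}"})
        elif op in SHARE_OPS and _is_external_share(rec) \
                and _burst(shares[user], ts, EXTERNAL_SHARE_BURST):
            alerts.append({"user": user, "time": ts, "type": "bulk-external-share",
                           "detail": f"{EXTERNAL_SHARE_BURST}+ external shares within {WINDOW}"})
    return alerts


def _rec(minute: int, user: str, op: str, **extra) -> dict:
    """Build one constructed audit record at 08:<minute> on a fixed day."""
    rec = {"CreationTime": f"2024-05-01T08:{minute:02d}:00", "UserId": user,
           "Operation": op, "Workload": "OneDrive", "ClientIP": "203.0.113.10"}
    rec.update(extra)
    return rec


# Constructed sample: alice signs in from a new country, pulls six files in six
# minutes and shares three items with guests; bob behaves normally.
SAMPLE_RECORDS = (
    [_rec(0, "alice@example.com", "UserLoggedIn", Workload="AzureActiveDirectory", Country="DE")]
    + [_rec(m, "alice@example.com", "FileDownloaded") for m in range(1, 7)]
    + [_rec(12 + m, "alice@example.com", "SharingSet", Workload="SharePoint",
            TargetUserOrGroupType="Guest") for m in range(3)]
    + [_rec(20, "bob@example.com", "UserLoggedIn", Workload="AzureActiveDirectory", Country="NL"),
       _rec(21, "bob@example.com", "FileDownloaded")]
)
KNOWN_COUNTRIES = {"alice@example.com": {"NL"}, "bob@example.com": {"NL"}}

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_RECORDS, KNOWN_COUNTRIES):
        print(alert["time"].isoformat(), alert["user"], alert["type"], alert["detail"])
```

The three alert types share nothing but the user, which is exactly why correlating them matters: a new-country sign-in followed within the hour by a download burst and external sharing from the same account describes a compromised account far more convincingly than any one signal alone.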
Governing Third-Party Applications and OAuth Access
Cloud environments support a wide range of third-party applications that integrate with core services through application programming interfaces and OAuth permissions. While these integrations add functionality, they also create potential entry points for attackers. Unauthorized or malicious applications can access user data, send messages, or execute tasks with the same privileges as the user.
To mitigate this risk, organizations should implement governance controls over third-party application access. This begins with establishing a policy that restricts users from installing unapproved applications or authorizing unknown services. Application whitelisting, where only pre-vetted apps are permitted, can prevent the installation of potentially dangerous tools.
Administrators should conduct regular audits of all authorized applications and review the permissions they have been granted. Any applications that no longer serve a business need or request excessive access should be removed. Security teams must also monitor OAuth consent flows to ensure that users are not unknowingly granting sensitive permissions to malicious applications disguised as productivity tools.
Organizations should also leverage built-in security controls to restrict the scope of OAuth tokens and limit their longevity. Short-lived tokens reduce the risk of long-term access in the event of a breach. Revocation mechanisms should be available and actively used when suspicious behavior is detected.
To enhance visibility, security teams should track which users are authorizing third-party apps, what data those apps are accessing, and how frequently the apps are being used. This data helps identify patterns of abuse and provides the basis for creating adaptive access policies that respond to changing risk levels.
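The audit described in this section (which apps hold which permissions, whether they are still used, whether the publisher is known) lends itself to a scored review. The following is an added example, not code from the article: the grant records are constructed and shaped after the Microsoft Graph `oauth2PermissionGrant` resource (`clientId`, `consentType`, `principalId`, `scope`) joined with a few `servicePrincipal` fields (`appDisplayName`, `verifiedPublisher`, `appOwnerOrganizationId`) and an assumed last-used date taken from sign-in logs. The scope weights, the tenant id placeholder and the revoke/review thresholds are assumptions.

```python
"""Score OAuth consent grants and recommend revoke / review / keep.

Added example. Grant records are constructed; scope weights, thresholds and
the tenant id are assumptions.
"""
from __future__ import annotations

from datetime import date

TENANT_ID = "tenant-id-placeholder"  # the organisation's own tenant id (placeholder)
STALE_DAYS = 90                      # unused this long -> candidate for removal (assumption)

# Assumed weights. Delegated scopes that read or send mail, change mailbox
# settings (inbox rules) or touch every file are what BEC and data-theft
# tooling asks for, so they dominate the score.
SCOPE_WEIGHTS = {
    "Directory.AccessAsUser.All": 5,
    "Mail.ReadWrite": 4, "Mail.Send": 4, "MailboxSettings.ReadWrite": 4,
    "Files.ReadWrite.All": 4,
    "Mail.Read": 2, "Files.Read.All": 2,
    "Contacts.Read": 1, "offline_access": 1,
}


def score_grant(grant: dict, today: date) -> dict:
    """Return the app's risk score, recommended action and the reasons behind it."""
    scopes = grant["scope"].split()
    score = sum(SCOPE_WEIGHTS.get(s, 0) for s in scopes)
    reasons = [f"high-risk scope {s}" for s in scopes if SCOPE_WEIGHTS.get(s, 0) >= 4]

    # offline_access yields a refresh token, so high-risk access outlives the session.
    if "offline_access" in scopes and reasons:
        score += 2
        reasons.append("offline_access keeps high-risk scopes alive via refresh tokens")

    # Admin consent on behalf of everyone multiplies the blast radius.
    if grant["consentType"] == "AllPrincipals":
        score += 3
        reasons.append("tenant-wide consent")

    # Apps owned by another tenant with no verified publisher are the classic
    # "productivity tool" disguise.
    external = grant.get("appOwnerOrganizationId") != TENANT_ID
    if external and not grant.get("verifiedPublisher"):
        score += 3
        reasons.append("external app without verified publisher")

    # Access nobody uses is pure liability.
    last_used = grant.get("lastUsed")
    if last_used is None:
        score += 2
        reasons.append("never used")
    elif (today - date.fromisoformat(last_used)).days > STALE_DAYS:
        score += 2
        reasons.append(f"unused for more than {STALE_DAYS} days")

    action = "revoke" if score >= 10 else "review" if score >= 5 else "keep"
    return {"app": grant["appDisplayName"], "score": score, "action": action, "reasons": reasons}


def review_tenant(grants: list[dict], today: date) -> list[dict]:
    """Score every grant and return the report ordered from riskiest to least risky."""
    return sorted((score_grant(g, today) for g in grants), key=lambda r: -r["score"])


# Constructed sample grants.
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "appDisplayName": "Expense Bot", "consentType": "Principal",
     "principalId": "user-1", "scope": "User.Read Files.Read.All",
     "appOwnerOrganizationId": TENANT_ID, "verifiedPublisher": None, "lastUsed": "2024-05-28"},
    {"clientId": "sp-2", "appDisplayName": "PDF Viewer Pro", "consentType": "Principal",
     "principalId": "user-2", "scope": "User.Read Mail.ReadWrite Mail.Send offline_access",
     "appOwnerOrganizationId": "other-tenant", "verifiedPublisher": None, "lastUsed": "2024-05-30"},
    {"clientId": "sp-3", "appDisplayName": "Calendar Sync", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Calendars.ReadWrite offline_access",
     "appOwnerOrganizationId": "other-tenant", "verifiedPublisher": {"displayName": "Sync Co"},
     "lastUsed": "2023-11-01"},
    {"clientId": "sp-4", "appDisplayName": "Old Survey Tool", "consentType": "Principal",
     "principalId": "user-3", "scope": "User.Read",
     "appOwnerOrganizationId": "other-tenant", "verifiedPublisher": {"displayName": "Survey Co"},
     "lastUsed": None},
]

if __name__ == "__main__":
    for row in review_tenant(SAMPLE_GRANTS, date(2024, 6, 1)):
        print(f"{row['action']:7} {row['score']:3} {row['app']}: {'; '.join(row['reasons'])}")
```

The point of scoring rather than hard rules is that a single mail scope on an internal, verified, actively used app is routine, while the same scope on an unverified external app with a refresh token is the profile of a consent-phishing payload; the weights make that difference explicit and reviewable.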
Implementing Cloud Access Security Brokers (CASB)
A cloud access security broker, or CASB, is a critical component for securing cloud applications. CASBs act as intermediaries between users and cloud service providers, providing visibility, control, and enforcement across all cloud activity. They enable organizations to apply consistent security policies regardless of the user’s location or device.
CASBs offer features such as real-time threat detection, data loss prevention, access control, and application discovery. These capabilities are essential for identifying shadow IT—the use of unauthorized cloud services by employees—which often introduces vulnerabilities that the organization is unaware of.
By integrating with the organization’s identity and access management systems, CASBs can enforce authentication standards, block risky access attempts, and monitor data transfers. For example, if a user attempts to upload sensitive data to an unmanaged instance of a cloud application, the CASB can block the transfer or redirect it through an approved path.
CASBs also provide encryption and tokenization features that help protect sensitive data stored in or transmitted through the cloud. These tools ensure that even if data is intercepted or accessed without authorization, it remains unreadable to the attacker.
To be effective, CASBs must be configured to monitor all sanctioned and unsanctioned applications and must be regularly updated to reflect evolving threats and business requirements. When properly implemented, a CASB significantly reduces the risk of data breaches, compliance violations, and unauthorized access in cloud environments.
Applying Adaptive Access and Zero Trust Principles
The dynamic nature of cloud computing requires a flexible approach to access control. Static access models, where users are granted permanent access based on roles or departments, are no longer sufficient. Instead, organizations should adopt adaptive access controls that consider real-time risk factors before granting access to cloud resources.
Adaptive access policies use signals such as user behavior, device health, network location, and time of day to make context-aware access decisions. For example, a user logging in from an unfamiliar device in a foreign country may be required to complete additional verification steps before accessing sensitive files. These policies ensure that access is granted only when the risk level is acceptable.
Zero-trust architecture is closely aligned with adaptive access. The core principle of zero trust is that no user or device should be trusted by default, even if they are inside the network perimeter. Every access request must be verified and authenticated. This approach is particularly effective in cloud environments, where traditional perimeters no longer apply.
Implementing zero trust involves segmenting access to applications and data, enforcing least-privilege principles, and continuously validating user and device identities. Cloud platforms often provide the tools needed to enforce zero-trust policies, but organizations must configure and maintain them appropriately.
By combining adaptive access with zero trust, organizations can limit the damage caused by compromised accounts, prevent lateral movement, and reduce the overall attack surface. This model shifts security from being location-based to being identity- and context-based, which aligns well with the realities of modern cloud usage.
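The context-aware decision described in this section and in the conditional access discussion above (an unfamiliar device in a foreign country gets a step-up, legacy clients and high-risk sign-ins are refused) can be modelled as an ordered policy table where the strongest control demanded by any matching policy wins. The following is an added example, not code from the article and not a reimplementation of any vendor's conditional access engine: the signal names, role names, app names and the policy table are assumptions chosen to illustrate the evaluation logic.

```python
"""Evaluate an access request against context-aware policies (strongest control wins).

Added example. Signal names, role and app names and the policy table are
assumptions; the country code "XX" is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Callable

ADMIN_ROLES = frozenset({"Global Administrator", "Exchange Administrator"})  # assumed
SENSITIVE_APPS = frozenset({"Finance Portal", "HR System"})                   # assumed
BLOCKED_COUNTRIES = frozenset({"XX"})                                         # placeholder

# Controls from weakest to strongest; evaluate() returns the strongest one matched.
CONTROLS = ["allow", "mfa", "phishing_resistant_mfa", "block"]


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    device_compliant: bool      # managed and meets the device baseline
    device_known: bool          # registered device seen for this user before
    new_location: bool          # country/network never seen for this user (assumed enrichment)
    country: str
    sign_in_risk: str           # "none" | "low" | "medium" | "high", identity-protection style
    app: str
    legacy_auth: bool = False   # client protocol that cannot complete MFA


@dataclass(frozen=True)
class Policy:
    name: str
    control: str
    matches: Callable[[Request], bool]


POLICIES = [
    Policy("legacy authentication is blocked", "block", lambda r: r.legacy_auth),
    Policy("high-risk sign-ins are blocked", "block", lambda r: r.sign_in_risk == "high"),
    Policy("blocked countries", "block", lambda r: r.country in BLOCKED_COUNTRIES),
    Policy("sensitive apps require a compliant device", "block",
           lambda r: r.app in SENSITIVE_APPS and not r.device_compliant),
    Policy("admin roles require phishing-resistant MFA", "phishing_resistant_mfa",
           lambda r: bool(r.roles & ADMIN_ROLES)),
    Policy("sensitive apps require phishing-resistant MFA", "phishing_resistant_mfa",
           lambda r: r.app in SENSITIVE_APPS),
    Policy("unknown device requires MFA", "mfa", lambda r: not r.device_known),
    Policy("new location requires MFA", "mfa", lambda r: r.new_location),
    Policy("medium-risk sign-in requires MFA", "mfa", lambda r: r.sign_in_risk == "medium"),
]


def evaluate(req: Request) -> tuple[str, list[str]]:
    """Return the control to enforce and the names of every policy that matched.

    All policies are evaluated (not just the first hit) so the decision log shows
    every reason, which is what an analyst needs when a user disputes a block."""
    matched = [p for p in POLICIES if p.matches(req)]
    control = max((p.control for p in matched), key=CONTROLS.index, default="allow")
    return control, [p.name for p in matched]


def sample_request(**overrides) -> Request:
    """A routine sign-in (known compliant device, home country, no risk) with overrides."""
    base = Request(user="alice@example.com", roles=frozenset(), device_compliant=True,
                   device_known=True, new_location=False, country="DE",
                   sign_in_risk="none", app="Outlook")
    return replace(base, **overrides)


if __name__ == "__main__":
    scenarios = {
        "routine": sample_request(),
        "unknown device abroad": sample_request(device_known=False, device_compliant=False,
                                                new_location=True, country="BR"),
        "admin": sample_request(roles=frozenset({"Global Administrator"})),
        "finance app, unmanaged device": sample_request(app="Finance Portal", device_compliant=False),
        "legacy client": sample_request(legacy_auth=True),
    }
    for label, req in scenarios.items():
        control, reasons = evaluate(req)
        print(f"{label:32} -> {control:22} {reasons}")
```

Two design choices carry the zero-trust intent: the default is `allow` only because every request still passed authentication, and a `block` from any single policy cannot be outvoted by weaker controls, so adding a new restriction never weakens an existing one.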
Regular Security Assessments and Configuration Management
Cloud services offer a vast number of configuration options, many of which affect security posture. Misconfigured settings are a common cause of data exposure and service abuse. Regular security assessments are necessary to identify and remediate these issues before they can be exploited.
Organizations should conduct routine audits of their cloud environments, focusing on user permissions, public sharing settings, external collaboration policies, and security group memberships. Automated tools can scan for common misconfigurations and provide actionable recommendations. These tools help ensure that security baselines are consistently enforced across services and tenants.
Configuration management should also include version control and change tracking. Any modification to a security setting, such as disabling MFA or changing sharing permissions, should be logged and reviewed. This helps maintain accountability and detect unauthorized changes that could introduce vulnerabilities.
Security benchmarks and best practices provided by the cloud service provider or industry groups can serve as a reference point. Aligning configuration settings with these standards ensures that the organization is following proven approaches to cloud security.
In addition to technical assessments, policy reviews should be conducted to ensure that cloud usage aligns with regulatory and compliance requirements. This includes understanding where data is stored, who has access to it, and how it is protected in transit and at rest.
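The change tracking this section calls for (a logged, reviewed record of any security setting that drifts from its approved value) amounts to diffing each new settings snapshot against a baseline and classifying every difference by direction and severity. The following is an added example, not code from the article: the setting names are normalised illustrative names of the kind an admin would export from a tenant, not exact vendor setting identifiers, and the baseline values, orderings and severities are assumptions.

```python
"""Compare a tenant security-settings snapshot to an approved baseline.

Added example. Setting names are illustrative, not vendor identifiers;
baseline values, value orderings and severities are assumptions.
"""
from __future__ import annotations

# The baseline holds the approved (secure) value for each managed setting.
BASELINE = {
    "mfa_enforced_for_all_users": True,
    "legacy_auth_allowed": False,
    "anonymous_sharing_links_allowed": False,
    "external_sharing": "existing_guests",
    "guest_invite_policy": "admins_only",
    "audit_log_enabled": True,
    "user_consent_to_apps": "verified_publishers_only",
}

# For string-valued settings, values from most to least restrictive, so a
# change can be classified as loosening or tightening.
ORDERED = {
    "external_sharing": ["disabled", "existing_guests", "new_and_existing_guests", "anyone"],
    "guest_invite_policy": ["admins_only", "members_and_admins", "everyone"],
    "user_consent_to_apps": ["disabled", "verified_publishers_only", "all_apps"],
}

# Severity assigned when a setting is loosened or missing.
SEVERITY = {
    "mfa_enforced_for_all_users": "critical", "legacy_auth_allowed": "critical",
    "anonymous_sharing_links_allowed": "high", "external_sharing": "high",
    "guest_invite_policy": "medium", "audit_log_enabled": "high",
    "user_consent_to_apps": "high",
}


def classify_drift(setting: str, current) -> tuple[str, str] | None:
    """Return (direction, severity) for one setting, or None when it matches the baseline."""
    expected = BASELINE[setting]
    if current == expected:
        return None
    if isinstance(expected, bool):
        # The baseline is the secure value, so any flip of a boolean loosens it.
        return "loosened", SEVERITY[setting]
    order = ORDERED.get(setting, [])
    if current not in order:
        return "unknown_value", SEVERITY[setting]
    if order.index(current) > order.index(expected):
        return "loosened", SEVERITY[setting]
    return "tightened", "info"  # stricter than approved: worth a look, not an incident


def compare_snapshot(current: dict) -> list[dict]:
    """List every deviation between a settings snapshot and the baseline."""
    findings = []
    for setting, expected in BASELINE.items():
        if setting not in current:
            findings.append({"setting": setting, "direction": "missing",
                             "severity": SEVERITY[setting], "expected": expected, "current": None})
            continue
        drift = classify_drift(setting, current[setting])
        if drift:
            findings.append({"setting": setting, "direction": drift[0], "severity": drift[1],
                             "expected": expected, "current": current[setting]})
    # Settings present in the export but absent from the baseline are unmanaged:
    # nobody has decided what their approved value is.
    for setting in sorted(set(current) - set(BASELINE)):
        findings.append({"setting": setting, "direction": "unmanaged", "severity": "info",
                         "expected": None, "current": current[setting]})
    return findings


# Constructed snapshot: MFA switched off, sharing opened to anyone, the audit
# setting missing from the export, consent tightened, one unmanaged setting.
SAMPLE_SNAPSHOT = {
    "mfa_enforced_for_all_users": False,
    "legacy_auth_allowed": False,
    "anonymous_sharing_links_allowed": False,
    "external_sharing": "anyone",
    "guest_invite_policy": "admins_only",
    "user_consent_to_apps": "disabled",
    "self_service_password_reset": True,
}

if __name__ == "__main__":
    for f in compare_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{f['severity']:8}] {f['setting']}: {f['direction']} "
              f"(expected {f['expected']!r}, current {f['current']!r})")
```

Keeping the baseline itself under version control closes the loop: a change to `BASELINE` goes through review like code, and every snapshot diff then has a named, dated approval to be measured against.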
Final Thoughts
The growing exploitation of cloud services by cybercriminals marks a significant evolution in the threat landscape. As organizations increasingly rely on platforms like Microsoft 365, Google Workspace, and other cloud-based tools to enable productivity and collaboration, attackers have adapted by shifting their tactics to these same environments. The inherent trust users place in well-known cloud brands, combined with the rich functionality of these platforms, makes them attractive channels for delivering malware, launching phishing campaigns, and maintaining command-and-control infrastructure.
Microsoft’s ecosystem, especially services like OneDrive, SharePoint, Sway, and Teams, continues to be a primary target due to its widespread adoption and interconnected tools. Despite increased awareness, these platforms are routinely abused for both simple and sophisticated attacks. The emergence of campaigns like PerSwaysion and malware strains like Graphite demonstrates how deeply embedded attackers can become within legitimate systems, using native features to mask their operations and evade detection.
Defending against these threats requires a multi-layered approach that goes beyond traditional security strategies. Organizations must invest in user education to build awareness around cloud-specific threats and train employees to recognize subtle indicators of malicious behavior. Strong authentication policies, particularly universal enforcement of multi-factor authentication, play a critical role in preventing unauthorized access and account compromise.
Monitoring and analytics are equally essential. Real-time visibility into cloud usage, powered by behavioral analytics and anomaly detection, can alert security teams to unusual patterns that may indicate compromise. Tools like cloud access security brokers (CASBs) extend security policies into the cloud, providing centralized enforcement and control across both managed and unmanaged applications.
Governance over third-party integrations is also vital, as attackers increasingly exploit OAuth permissions and poorly vetted applications to gain access to sensitive data. Strict policies around app approval and usage can reduce this risk significantly.
Adopting adaptive access controls and zero trust principles ensures that access to cloud resources is granted only after continuous validation of identity, device health, and contextual risk. This approach reflects the realities of modern work environments, where users operate across a mix of networks, devices, and locations.
Finally, consistent security assessments, configuration management, and adherence to best practices help organizations maintain a strong cloud security posture. The cloud is not inherently insecure, but like any technology, it requires careful oversight and informed decision-making to remain resilient against exploitation.
As attackers become more agile and inventive, so too must defenders. The battle for cloud security is ongoing, but with proactive measures, intelligent tooling, and a culture of vigilance, organizations can stay one step ahead. The cloud offers immense potential for innovation and growth—protecting it must remain a top priority.