CyberLeveling Logo
When “Trusted” Infrastructure Isn’t: How Attackers Abuse Microsoft Cloud Services for Phishing

When “Trusted” Infrastructure Isn’t: How Attackers Abuse Microsoft Cloud Services for Phishing

Phishing infrastructure has changed dramatically over the last decade. Early campaigns relied on obviously suspicious domains, cheap hosting providers, and infrastructure that defenders could burn down quickly. That era is mostly over.

Today, many attackers deliberately build their phishing operations on top of trusted, widely used cloud platforms. Microsoft’s cloud ecosystem is a prime example. By abusing legitimate services such as Azure Blob Storage, attackers gain credibility, resilience, and a significant advantage over traditional detection methods.

This is not a vulnerability in Microsoft’s infrastructure itself. It is an abuse of legitimate functionality, and that distinction matters.

Why Cloud Platforms Are Attractive to Attackers

From an attacker’s perspective, cloud services solve many problems at once.

First, reputation. Domains like blob.core.windows.net are globally trusted and deeply embedded in enterprise environments. Blocking them outright would break real business workflows. This makes defenders far more cautious and gives attackers room to operate.

Second, scale and reliability. Cloud platforms offer high availability, fast global distribution, and built-in redundancy. A phishing kit hosted on cloud storage is less likely to go offline due to simple hosting issues or takedowns.

Third, detection evasion. Many security tools still rely heavily on domain reputation and historical indicators. When malicious content is hosted on infrastructure that has millions of legitimate users, reputation-based systems often fail silently.

Azure Blob Storage as a Phishing Host

A common pattern seen in modern phishing campaigns involves Azure Blob Storage endpoints that follow a structure similar to:

malicious.blob.core.windows.net

At a glance, this looks indistinguishable from a normal Azure storage account. There is nothing inherently malicious about the domain, and in isolation it does not raise red flags.

In one observed example, a blob storage URL using this pattern was submitted to VirusTotal and returned 0 detections out of 93 engines. That outcome is not surprising. Antivirus engines are understandably reluctant to label core Microsoft infrastructure as malicious without overwhelming evidence.

This is exactly what attackers are counting on.

Layered Redirection Using Trusted Services

Attackers rarely expose the blob storage URL directly in the initial phishing email. Instead, they often introduce one or more redirection layers to further reduce detection.

A common tactic is abusing well-known services such as Google Maps, document viewers, or other legitimate web platforms that allow user-controlled URLs or parameters. The victim clicks a link that appears to lead to a trusted service, which then redirects them to the malicious Azure-hosted content.

Each hop adds friction for defenders and increases the chance that automated scanners give up or misclassify the link as benign.

From the user’s perspective, nothing feels suspicious. Every domain involved is a brand they recognize and trust.

Why Static IOCs Are Often Ineffective

One of the biggest mistakes defenders make when responding to these campaigns is over-reliance on static indicators of compromise.

Blob storage account names are trivial for attackers to rotate. Redirector URLs change frequently. Even the phishing content itself is often generated dynamically. By the time an IOC is shared, the infrastructure may already be gone or replaced.

This is why responsible research and reporting should avoid publishing fully actionable URLs. Education should focus on patterns, techniques, and defensive strategies rather than feeding attackers or creating copycat activity.

Detecting Exposure with Microsoft Defender for Office

For organizations using Microsoft Defender for Office, hunting can provide valuable insight into whether these campaigns have touched your environment.

A query like the one below can help identify emails containing URLs that match known Azure blob storage patterns used in phishing, over a defined time window:

EmailUrlInfo | where TimeGenerated > ago(45d) | where UrlDomain matches regex @"secure1drvd0c.*\.blob\.core\.windows\.net"

This type of query should be treated as a starting point, not a verdict. A match does not automatically mean malicious activity. However, it allows defenders to:

  • Identify which users received the message
  • Review the surrounding email context
  • Correlate with sign-in logs, alerts, or user reports
  • Determine whether further investigation or remediation is required

Proactive hunting like this is far more effective than waiting for alerts that may never fire.

Defensive Takeaways

There are a few important lessons defenders should take from this trend:

  • Trusted does not mean safe. Attackers deliberately hide inside platforms we rely on every day.
  • Reputation alone is not enough. Behavioral signals, URL context, and user interaction matter more than static blocklists.
  • Cloud abuse will continue. As long as attackers can cheaply and easily deploy content on legitimate services, they will do so.
  • Education matters. Analysts, engineers, and users alike need to understand how modern phishing looks, not just how it used to look.

Final Thoughts

Phishing kits abusing Microsoft cloud infrastructure are not an edge case anymore. They represent a broader shift in attacker mindset: blend in, look legitimate, and exploit trust at every layer.

Defenders who adapt by focusing on patterns, proactive hunting, and contextual analysis will be far better positioned than those who rely solely on signatures and reputation feeds.

The infrastructure may be legitimate, but the intent is not. Recognizing that difference is key to staying ahead.