Modern phishing has undergone a structural transformation. The campaigns investigated over recent months no longer resemble the phishing operations organizations spent years training employees to detect. There are no misspelled domains, no suspicious sender addresses, no malware attachments, and in several advanced cases, there are no conventional indicators of compromise at all. Instead, attackers have adopted a fundamentally different operational model: conducting phishing operations entirely through legitimate cloud infrastructure already trusted by enterprises.
This evolution changes the defensive equation completely. Traditional phishing relied on attacker-controlled infrastructure that defenders could blacklist, fingerprint, or sandbox. Trusted Infrastructure Phishing (TIP) removes that dependency entirely. The infrastructure is legitimate, authenticated, TLS-protected, and often explicitly allowlisted by enterprise policy. Emails originate from genuine Microsoft or Google systems, authentication flows resolve to valid OAuth portals, and phishing payloads are hosted on trusted cloud storage services. To network and email security controls, the activity appears operationally normal because it is operating within sanctioned ecosystems.
The significance of this shift cannot be overstated. In multiple campaigns analyzed, multi-factor authentication was bypassed without attackers ever obtaining the victim’s password. Several organizations experienced weeks-long dwell periods before compromise was identified because the access tokens being used by adversaries appeared indistinguishable from legitimate user sessions. The result is a threat landscape where traditional indicators such as malicious URLs, executable payloads, or suspicious IP reputation increasingly provide little defensive value.
Understanding Trusted Infrastructure Phishing (TIP)
Trusted Infrastructure Phishing represents a new operational doctrine rather than a single attack technique. In TIP campaigns, every phase of the attack lifecycle—including delivery, hosting, authentication, execution, and persistence—is conducted using legitimate enterprise cloud services instead of attacker-owned infrastructure. This creates a condition where malicious activity blends directly into sanctioned operational traffic.
Historically, phishing operations required adversaries to register spoofed domains, deploy malicious hosting infrastructure, and evade increasingly mature email filtering systems. That model became less effective as endpoint detection platforms, reputation engines, and cloud email security controls evolved. Threat actors responded by eliminating malicious infrastructure entirely and shifting toward abuse of trusted SaaS ecosystems.
The growth of Microsoft 365, Google Workspace, Azure, OAuth integrations, and enterprise workflow automation unintentionally created an expansive attack surface. Organizations invested heavily in endpoint hardening and email gateway security but comparatively little in identity governance, OAuth application monitoring, token lifecycle management, and cloud workflow oversight. Threat actors identified this imbalance and adapted rapidly.
The defining characteristic of TIP is that defenders are no longer attempting to distinguish trusted from untrusted infrastructure. Instead, they must distinguish legitimate behavior from malicious behavior occurring on trusted infrastructure. That distinction fundamentally changes the detection model.
The Five-Stage TIP Kill Chain

Stage 1: Trusted Platform Lure Delivery
Modern TIP campaigns no longer rely on suspicious phishing emails originating from attacker-owned infrastructure. Instead, threat actors leverage legitimate cloud workflow systems and automation services to dispatch phishing messages directly from provider-owned mail systems. Since these emails genuinely originate from Microsoft or Google infrastructure, they pass SPF, DKIM, and DMARC validation without issue. Email security gateways evaluating sender reputation and authentication integrity see no anomaly.
The psychological engineering involved in these campaigns is also significantly more refined than traditional phishing. Attackers frequently impersonate operational notifications such as document-sharing requests, workflow tasks, invoice approvals, compliance acknowledgments, or internal ticketing systems. Unlike older phishing attempts characterized by grammatical errors or urgent financial requests, these lures mirror authentic enterprise communication patterns and often align with the victim’s actual workflow environment.
In some observed cases, attackers abused legitimate form-generation systems to trigger automated notification emails directly from provider infrastructure. No malware or malicious scripting existed in the delivery stage. The platform itself unknowingly became the delivery mechanism.
Stage 2: Cloud-Native Payload Hosting
Once the victim interacts with the lure, they are redirected to phishing content hosted on legitimate cloud infrastructure such as Azure Blob Storage, SharePoint Online, OneDrive, or trusted content delivery services. This hosting strategy is operationally powerful because the domains involved belong to globally trusted providers and carry valid TLS certificates. Browsers display trusted padlock indicators, while enterprise proxies often allow these destinations automatically due to existing allowlists and productivity platform dependencies.
The phishing pages themselves are increasingly sophisticated. Investigators observed credential harvesting interfaces dynamically branded according to the victim’s organization or industry sector. Some campaigns employed browser fingerprinting and geolocation filtering, serving phishing content only to intended targets while redirecting security scanners or sandbox environments to benign destinations.
More advanced campaigns layered multiple trusted redirects together. A victim might first interact with a legitimate form service, which redirected to an Azure Blob Storage endpoint, which then redirected to the actual credential harvesting environment. Since every stage resolved to trusted cloud domains, automated chain-analysis systems struggled to classify the sequence as malicious.
Stage 3: In-Memory Phishing Payload Execution
The most advanced campaigns documented removed hosted phishing pages entirely and instead generated phishing interfaces dynamically inside browser memory. This technique represents a major evolution in phishing tradecraft because it eliminates many conventional forensic artifacts entirely.
In these campaigns, victims received links to apparently benign intermediaries such as preview services, shortened URLs, or QR codes embedded inside PDF attachments. The link chain ultimately loaded a minimal JavaScript loader which decoded an embedded payload and instantiated it directly inside the browser using native JavaScript Blob APIs. The browser then rendered the phishing page using a blob:https:// URL that existed only temporarily in memory.
This architecture has severe defensive implications. Since the phishing page never traverses the network as a conventional HTTP response, URL reputation systems cannot analyze it. No phishing file is written to disk. Proxy logs capture only the initial JavaScript loader request, not the dynamically generated phishing interface. The blob URL exists only within browser memory during runtime, defeating many network-centric detection strategies.
Stage 4: OAuth Token Theft and MFA Bypass
The objective of many TIP campaigns is no longer credential theft alone but theft of authenticated cloud access tokens. This distinction is critical because modern cloud environments increasingly rely on OAuth token ecosystems for persistent authenticated access.
Investigators identified two primary techniques actively used in campaigns:
Adversary-in-the-Middle (AiTM) Proxying
Attackers position a reverse proxy between the victim and the legitimate authentication provider. The victim completes a real MFA challenge against the authentic login service. The proxy captures the resulting authenticated session cookie or token and replays it to gain access. From the identity provider’s perspective, the authentication event appears legitimate because the victim genuinely authenticated.
OAuth Device Authorization Grant Abuse
Attackers abuse OAuth Device Code Flow, originally designed for devices with limited input capabilities. Threat actors generate a legitimate device authorization code and trick victims into entering it at Microsoft’s genuine authentication portal. Once the victim authenticates, the attacker receives valid OAuth tokens directly from Microsoft infrastructure. MFA does not prevent this because the user completed a legitimate authentication workflow.
These tokens frequently grant access to email, SharePoint, Teams, calendars, OneDrive, and additional SaaS resources for extended durations. Refresh token lifetimes exceeding ninety days create long-term persistence opportunities for adversaries.
Stage 5: Living Off the Cloud
Post-compromise activity in TIP campaigns also reflects a major strategic shift. Instead of pivoting toward external command-and-control infrastructure, attackers remain inside the victim’s cloud ecosystem and leverage licensed services as operational infrastructure.
Common post-access actions included:
- Creating inbox forwarding rules
- Creating silent deletion rules
- Configuring keyword-triggered email routing
- Hosting phishing lures on internal SharePoint sites
- Sending supply-chain phishing from compromised identities
- Abusing calendar APIs for covert command-and-control communications
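The first three post-access actions above (forwarding, silent deletion, keyword-triggered routing) all leave a trace as mailbox-rule audit events. The following is an added detection example written for this article, not code from the original piece or from any vendor; the sample records are constructed, and their shape (an Operation name plus a Parameters name/value list, the way Exchange Online inbox-rule audit entries are commonly exported) is an assumption of the example rather than a documented contract. The tenant domain set and the scoring weights are likewise assumptions to be tuned per environment.

```python
"""Triage mailbox-rule audit events for forwarding, silent deletion and keyword routing."""
import json
import re

# Rule parameters that move mail off-tenant or out of the victim's view.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# Folders users rarely open; rules that file mail here hide it without deleting it.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Vocabulary typical of the lures described in the article (assumed list, extend as needed).
LURE_KEYWORDS = {"invoice", "payment", "wire", "password", "mfa", "security", "verification"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample audit records (JSON lines), not real telemetry.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.11",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "newsletter@example.com"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Clean up"},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "Parameters": []}),
]


def _params(record):
    """Flatten the Parameters name/value list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_domains(value, tenant_domains):
    """Recipient domains in a ';'-separated address list that are not tenant domains."""
    return sorted({m.group(1).lower() for m in ADDR_RE.finditer(value)
                   if m.group(1).lower() not in tenant_domains})


def score_inbox_rule(record, tenant_domains):
    """Return (score, reasons) for one inbox-rule create/modify record; 0 for other operations."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = _params(record)
    score, reasons = 0, []
    for name in FORWARDING_PARAMS:
        if name in p:
            ext = external_domains(p[name], tenant_domains)
            if ext:
                score += 5
                reasons.append(f"{name} to external domain(s) {ext}")
            else:
                score += 2
                reasons.append(f"{name} within tenant")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("DeleteMessage=True (silent deletion)")
    if p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        score += 2
        reasons.append(f"MoveToFolder={p['MoveToFolder']} (rarely viewed folder)")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("MarkAsRead=True (suppresses unread indicator)")
    for name in KEYWORD_PARAMS:
        if name in p:
            words = {w.strip().lower() for w in p[name].split(";")}
            hits = sorted(words & LURE_KEYWORDS)
            if hits:
                score += 2
                reasons.append(f"{name} matches lure vocabulary {hits}")
    if len(p.get("Name", "").strip()) <= 1:
        score += 1
        reasons.append("rule name empty or a single character")
    return score, reasons


def triage(records_json, tenant_domains, threshold=4):
    """Score every record and return those at or above the threshold, highest first."""
    findings = []
    for line in records_json:
        rec = json.loads(line)
        score, reasons = score_inbox_rule(rec, tenant_domains)
        if score >= threshold:
            findings.append({"user": rec.get("UserId"), "client_ip": rec.get("ClientIP"),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_RECORDS, {"example.com"}):
        print(f["user"], f["score"], "; ".join(f["reasons"]))
```

The scoring is additive on purpose: a single external forward is already worth investigating, while a rule that forwards, deletes and has a one-character name is the classic combination and rises to the top of the queue. The client IP is carried through so the finding can be joined against the sign-in telemetry discussed later in the article.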
Nation-state operations demonstrated especially advanced cloud-native persistence strategies. In one campaign, operators embedded command instructions within legitimate SaaS calendar objects, making malicious API traffic operationally indistinguishable from routine productivity application usage.
Case Studies Defining the TIP Threat Landscape
Workflow Automation Phishing at Scale
One campaign analyzed used a major cloud provider’s workflow integration platform to dispatch phishing emails directly from provider-owned infrastructure. Attackers simply registered free-tier accounts and configured automated workflows to send phishing lures. Every message passed standard email authentication checks because the infrastructure itself was legitimate.
This campaign demonstrated an uncomfortable reality for defenders: there was no actionable pre-delivery indicator. Detection was only possible after victims interacted with the content and behavioral telemetry became available.
BlobPhish and Memory-Only Credential Harvesting
BlobPhish represented one of the most technically sophisticated campaigns observed during the investigation. Its defining characteristic was the complete absence of a network-accessible phishing page. The phishing interface existed only in browser memory via Blob API execution.
Traditional controls such as URL filtering, reputation analysis, proxy inspection, and file-based scanning provided little or no coverage. Effective detection required endpoint behavioral telemetry capable of identifying blob:https:// navigation activity combined with subsequent authentication events.
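Stage 3 above and this case study both point at the same detection opportunity: the blob: navigation itself, followed by a credential submission, is visible on the endpoint even though nothing phishing-like crosses the network. The following is an added example written for this article, not BlobPhish code and not any vendor's product logic. The browser telemetry events are constructed, and their schema (ts, host, kind, url, has_password_field, action) is an assumption of the example; real endpoint agents expose equivalent fields under other names.

```python
"""Correlate blob: navigations with credential-form submissions in browser telemetry."""
from urllib.parse import urlparse

# Constructed sample events, ordered per endpoint host; not real telemetry.
SAMPLE_EVENTS = [
    # ws-042: form-service lure -> loader script from cloud storage -> blob: page -> password form posted elsewhere
    {"ts": 1700000000, "host": "ws-042", "kind": "navigation", "url": "https://forms.example.org/f/abc123"},
    {"ts": 1700000003, "host": "ws-042", "kind": "script_load",
     "url": "https://example.blob.core.windows.net/pub/loader.js"},
    {"ts": 1700000004, "host": "ws-042", "kind": "navigation",
     "url": "blob:https://example.blob.core.windows.net/2b1f7c4e-aaaa-bbbb-cccc-000000000001"},
    {"ts": 1700000031, "host": "ws-042", "kind": "form_submit",
     "url": "blob:https://example.blob.core.windows.net/2b1f7c4e-aaaa-bbbb-cccc-000000000001",
     "has_password_field": True, "action": "https://203.0.113.5/collect"},
    # ws-017: a web app renders a PDF preview in memory and the user downloads it (benign blob: use)
    {"ts": 1700000100, "host": "ws-017", "kind": "navigation", "url": "blob:https://app.example.com/9d2e-0002"},
    {"ts": 1700000102, "host": "ws-017", "kind": "download", "url": "blob:https://app.example.com/9d2e-0002"},
    # ws-088: password form on an ordinary https page, outside this rule's scope
    {"ts": 1700000200, "host": "ws-088", "kind": "form_submit", "url": "https://login.example.com/",
     "has_password_field": True, "action": "https://login.example.com/auth"},
]


def blob_inner(url):
    """Return (origin_host, object_id) for a blob:https://host/id URL, else None."""
    if not url.startswith("blob:"):
        return None
    inner = urlparse(url[len("blob:"):])
    if inner.scheme not in ("https", "http") or not inner.hostname:
        return None
    return inner.hostname, inner.path.lstrip("/")


def find_blob_credential_chains(events, window_seconds=120):
    """Flag blob: page loads followed, within the window, by a password form submitted from that page."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        for i, nav in enumerate(evs):
            if nav["kind"] != "navigation":
                continue
            inner = blob_inner(nav["url"])
            if inner is None:
                continue
            origin, obj = inner
            for later in evs[i + 1:]:
                if later["ts"] - nav["ts"] > window_seconds:
                    break
                if (later["kind"] == "form_submit" and later.get("has_password_field")
                        and blob_inner(later["url"]) == inner):
                    action_host = urlparse(later.get("action", "")).hostname
                    findings.append({
                        "host": host,
                        "blob_origin": origin,
                        "object_id": obj,
                        "seconds_to_submit": later["ts"] - nav["ts"],
                        "action_host": action_host,
                        # A form rendered from origin X but posting to Y is the strongest signal.
                        "cross_origin_post": action_host is not None and action_host != origin,
                        # Scripts fetched shortly before the blob: load are the candidate loaders.
                        "loader_urls": [e["url"] for e in evs[:i]
                                        if e["kind"] == "script_load" and nav["ts"] - e["ts"] <= window_seconds],
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_blob_credential_chains(SAMPLE_EVENTS):
        print(f)
```

Blob URLs are common in legitimate web applications (file previews, client-side exports), so the navigation alone is noise; the rule only fires when a password field is submitted from the in-memory page, and it surfaces the form's action host because a credential form whose origin is a storage account but whose action is somewhere else is the part a reviewer needs to see first.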
OAuth Device Code Abuse Against Microsoft 365
This campaign targeted organizations across technology, manufacturing, and financial sectors by abusing Microsoft’s OAuth Device Authorization Grant mechanism. Victims unknowingly authenticated attacker-controlled applications through legitimate Microsoft login portals, granting persistent OAuth access without exposing credentials.
The campaign demonstrated that MFA alone is insufficient against cloud-native identity abuse when authentication flows themselves are exploited legitimately. Detection required deep monitoring of Entra ID sign-in telemetry and device code authentication patterns.
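Both Stage 4 techniques leave identity-side evidence: a Device Code Flow sign-in is recorded with its own authentication protocol value, and a replayed AiTM session shows up as the same session identifier used from a different address and client. The following is an added example written for this article, not code from the campaign write-up or from Microsoft. The sign-in records are constructed; their field names are modelled on the Entra ID sign-in log schema (authenticationProtocol, sessionId, ipAddress, userAgent, appDisplayName) but are treated as assumptions here, as is the allowlist of applications expected to use device code.

```python
"""Flag Device Code Flow sign-ins and same-session token reuse in sign-in telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins; field names are assumed, not taken from a live tenant.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-06T08:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20", "sessionId": "s-1",
     "appDisplayName": "OfficeHome", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    # Same session as above, 21 minutes later, from another address and a scripting client.
    {"createdDateTime": "2024-05-06T08:21:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.44", "sessionId": "s-1",
     "appDisplayName": "Microsoft Graph", "userAgent": "python-requests/2.31"},
    # Device code sign-in by an ordinary user to an ordinary Office client.
    {"createdDateTime": "2024-05-06T09:10:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.80", "sessionId": "s-2",
     "appDisplayName": "Microsoft Office", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124"},
    # Device code sign-in by a signage account to the application that is expected to use it.
    {"createdDateTime": "2024-05-06T09:30:00Z", "userPrincipalName": "lobby-display@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "sessionId": "s-3",
     "appDisplayName": "Lobby Signage Client", "userAgent": "SignageOS/3.1"},
    {"createdDateTime": "2024-05-06T10:00:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.21", "sessionId": "s-4",
     "appDisplayName": "OfficeHome", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins, expected_apps=frozenset()):
    """Every deviceCode sign-in, marked as expected or not by an application allowlist."""
    hits = []
    for r in signins:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        hits.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                     "app": r["appDisplayName"], "time": r["createdDateTime"],
                     "expected_app": r["appDisplayName"] in expected_apps})
    return hits


def session_replay_candidates(signins, window=timedelta(hours=2)):
    """Sessions reused from a different IP *and* a different user agent shortly after they were minted."""
    by_session = defaultdict(list)
    for r in signins:
        if r.get("sessionId"):
            by_session[r["sessionId"]].append(r)

    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        first = rows[0]
        seen = [(first["ipAddress"], first["userAgent"])]
        for r in rows[1:]:
            ip, ua = r["ipAddress"], r["userAgent"]
            delta = parse_ts(r["createdDateTime"]) - parse_ts(first["createdDateTime"])
            # Requiring both IP and client to change filters out ordinary network roaming.
            if delta <= window and all(ip != s_ip and ua != s_ua for s_ip, s_ua in seen):
                findings.append({"sessionId": sid, "user": r["userPrincipalName"],
                                 "first_ip": first["ipAddress"], "replay_ip": ip,
                                 "replay_user_agent": ua,
                                 "minutes_after_first": int(delta.total_seconds() // 60)})
                break
            seen.append((ip, ua))
    return findings


if __name__ == "__main__":
    for h in device_code_signins(SAMPLE_SIGNINS, expected_apps={"Lobby Signage Client"}):
        print("device code:", h)
    for f in session_replay_candidates(SAMPLE_SIGNINS):
        print("session reuse:", f)
```

Neither output is a verdict on its own. Device code sign-ins from accounts and applications that have no business using that grant are the review queue, and a session that changes both network location and client within minutes of issuance is the shape a captured cookie produces; the two lists are meant to be joined with the mailbox-rule and travel checks rather than alerted on in isolation.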
Detection Challenges in Cloud-Native Phishing
The central defensive problem introduced by TIP is that traditional indicators of compromise have dramatically reduced value. Domains rotate quickly, infrastructure belongs to trusted providers, and in-memory phishing may produce no external artifacts whatsoever.
Organizations must increasingly prioritize behavioral and identity-based telemetry instead of perimeter-centric controls. High-value detection surfaces include:
- OAuth consent events
- Device Code Flow authentication attempts
- Blob URL browser activity
- Inbox forwarding rule creation
- Impossible travel anomalies
- SaaS API behavioral deviations
- Token replay activity
- Abnormal cloud workload access timing
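Of the detection surfaces listed above, impossible travel is the one that depends on nothing provider-specific: two sign-ins by the same identity, the great-circle distance between their geolocated addresses, and the time between them. The following is an added example written for this article, not code from the original piece or from any SIEM. The sign-in records and their coordinates are constructed, the field names are an assumption of the example, and the 900 km/h ceiling and 50 km minimum distance are tunable assumptions (the first is roughly airliner speed; the second suppresses noise from coarse IP geolocation within one city).

```python
"""Impossible-travel check over geolocated sign-ins using the haversine great-circle distance."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-ins with geolocation already resolved; not real telemetry.
SAMPLE_SIGNINS = [
    {"time": "2024-05-06T09:00:00Z", "user": "alice@example.com", "ip": "198.51.100.20",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"time": "2024-05-06T10:30:00Z", "user": "alice@example.com", "ip": "203.0.113.77",
     "city": "Singapore", "lat": 1.3521, "lon": 103.8198},
    {"time": "2024-05-06T09:00:00Z", "user": "bob@example.com", "ip": "198.51.100.30",
     "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"time": "2024-05-06T13:00:00Z", "user": "bob@example.com", "ip": "198.51.100.31",
     "city": "Boston", "lat": 42.3601, "lon": -71.0589},
    # Same-timestamp pair: zero elapsed time must not divide by zero.
    {"time": "2024-05-06T11:00:00Z", "user": "carol@example.com", "ip": "198.51.100.40",
     "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"time": "2024-05-06T11:00:00Z", "user": "carol@example.com", "ip": "203.0.113.90",
     "city": "Sydney", "lat": -33.8688, "lon": 151.2093},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(signins, max_kmh=900.0, min_km=50.0):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for r in signins:
        by_user[r["user"]].append(r)

    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: parse_ts(r["time"]))
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue  # within geolocation error of one place
            hours = (parse_ts(cur["time"]) - parse_ts(prev["time"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": round(km), "hours": round(hours, 2), "kmh": kmh})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print(f)
```

Because the replayed tokens described earlier are used from the attacker's infrastructure while the victim keeps working from their usual location, this check often fires on exactly the activity that the sign-in event itself reports as a successful, MFA-satisfied authentication. VPN exits and cloud-hosted browsers are the usual false positives, which is why the finding carries both addresses for allowlisting.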
This transition requires defenders to rethink security architecture fundamentally. The perimeter is no longer the primary battleground. Identity is.
Final Thoughts
Trusted Infrastructure Phishing demonstrates that attackers no longer need to evade enterprise trust systems; they can simply operate within them. By weaponizing legitimate cloud ecosystems, adversaries have dramatically reduced the visibility available to traditional defensive tooling. The result is a generation of phishing campaigns capable of bypassing conventional security models without deploying malware, spoofed infrastructure, or detectable payloads.
The organizations most resilient against TIP will not necessarily be those with the largest security stacks, but those that successfully adapt their architecture around identity visibility, behavioral telemetry, OAuth governance, and phishing-resistant authentication. The shift is already underway, and TIP is likely only the first major phase of a broader cloud-native attack evolution.
