As enterprises increasing depend on cloud services, living off the land has evolved into living off the cloud.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Attackers have evolved from 'living off the land' to 'living off the cloud,' abusing trusted SaaS platforms, cloud APIs, and identity systems to blend malicious activity into legitimate enterprise traffic. Twelve specific techniques are covered: routing C2 through Google Sheets, OpenAI APIs, and Microsoft Graph API; staging malware payloads in S3 buckets; exfiltrating data via Slack and Discord; running full cloud-native kill chains; hosting phishing pages on legitimate Microsoft infrastructure; abusing AWS Lambda for ephemeral scanning; using Cloudflare Tunnel or ngrok for firewall bypass; weaponizing EBS snapshot sharing for credential dumping; exploiting Entra ID tenant trust relationships; harvesting secrets from AWS Secrets Manager; and deploying cloud-native malware frameworks like VoidLink targeting AWS, Azure, GCP, and Kubernetes.

12 ways attackers abuse cloud services to hack your enterprise