- Project CloudLOL Detection
- Company Merabytes
- Sector Manufacturing
- Date : 29 November, 2025
- Duration Real-time detection
Real case: Manufacturing sector company victim of CloudLOL attack via SharePoint (client name omitted for confidentiality)
Key points
| Time/Phase | Event |
|---|---|
| Phase 0 - Prior compromise | Supplier account compromised with access to SharePoint Online. Attacker gains control of legitimate SaaS environment. |
| Phase 1 - Preparation | Attacker uploads malicious file to the compromised supplier’s actual SharePoint. Generates a legitimate O365 link. |
| Phase 2 - Distribution | Email sent from real SharePoint infrastructure (SPF/DKIM/DMARC: PASS) to the manufacturing company disguised as routine documentation. |
| Phase 3 - SOC Detection | SOC detects anomalous pattern: same file shared from same account to 10+ recipients (vs. historical baseline of 1-2 emails). Email mentions “Microsoft” from a non-official domain. |
| Phase 4 - Quarantine and analysis | Email enters quarantine automatically. Correlation analysis confirms atypical volume and suspicious content. |
| Phase 5 - Containment | Malicious link blocked before internal users interact with the content. Supplier notified of account compromise. |
Last week we saw a case that clearly reflects how corporate phishing has evolved. We are no longer talking about “fake emails,” but perfectly authenticated messages that pass all technical controls… yet remain malicious.
What is a CloudLOL?
Just like LOLBINs, which reuse system binaries to execute malicious actions, a CloudLOL leverages legitimate SaaS services to carry out attacks:
- Mass distribution of infected documents or PDFs that redirect to credential-harvesting sites
- Obtaining sessions or tokens with extensive permissions in Microsoft Graph (such as reading or sending emails)
- All without executing suspicious software locally
Why SPF, DKIM and DMARC are not enough
In this case, the email passed all authentication controls:
SPF: PASS
DKIM: PASS
DMARC: PASS
This means the email was technically legitimate. It had been sent from the actual infrastructure of a provider like Microsoft SharePoint. And that detail is precisely what made it so dangerous.
What was really happening?
Unauthorized access to this provider’s account allowed attackers to use their own SharePoint Online environment to distribute a malicious file.
The attack was sophisticated:
- A file was uploaded to the provider’s actual SharePoint
- A legitimate O365 link was generated
- The attacker shared it via email to the manufacturing company as if it were routine documentation
- The message authentication was perfect. There were no classic signs of impersonation
The lesson: in the SaaS and cloud era, security no longer depends solely on SPF/DKIM/DMARC. Proactive detection based on behavioral patterns is the only way to anticipate sophisticated attacks.
How did we detect it then?
The key was event correlation, not email authentication.
We observed an anomalous pattern:
- A quarantined email mentioning the word “Microsoft” from a domain external to Microsoft
- Sending the same SharePoint file, shared from the same account, to more than 10 different recipients
- When historically only 1 or 2 emails were sent maximum
That difference was enough to trigger the alert:
- A trusted provider (Microsoft) is mentioned in the email content and the domain does not match any official Microsoft domain (SharePoint sends through @provider.com)
- The email enters quarantine
- The SOC, when reviewing the email quarantine, realizes it is sending the same file, from the same account, to multiple accounts from our provider from completely different departments
- Completely atypical volume
This allowed us to quickly isolate the incident and prevent the internal team from interacting with the content.
Important lesson: AI is not enough
Classic email authentication controls and even AI-assisted triage are necessary… but they are not sufficient.
Today, real detection comes from:
Telemetry
Behavior
Volume
Context
Correlation
In summary: it does not matter if the email “looks legitimate.” What matters is whether it behaves like something normal for that user.
Recommendation for any industrial company
If you depend on providers who use O365 or SharePoint to send you documentation, consider:
- Monitor anomalous sharing volumes
- Correlation between SharePoint activity and email activity
- Alerts for atypical behaviors
- Identity protection with risk signals
- Continuous event logging in your SIEM
The future of prevention is not in the email header. It is in behavior and context.
How our Adversary-Aware SOC detected and prevented this attack
Our Adversary-Aware SOC identified this attack through multiple layers of detection that go beyond traditional SPF/DKIM/DMARC controls:
| Merabytes Defense Area | How our SOC acted | Result obtained |
|---|---|---|
| Email behavior analysis | Detection of atypical volume: same file shared from the same account to multiple recipients in different departments. | Early warning before users interact with the content. |
| Email quarantine correlation | Automatic pattern analysis in quarantined emails: mention of “Microsoft” from unofficial domains. | Identification of sophisticated impersonation that evades SPF/DKIM/DMARC. |
| SharePoint activity monitoring | Detection of unusual mass sharing from provider accounts with irregular access patterns. | Proactive blocking of malicious links before mass distribution. |
| Context and telemetry analysis | Data cross-referencing: historical vs. current volume, IP origins, sender behavior. | Real-time detection of compromised accounts. |
| Identity protection (Cisco Duo 2FA) | Blocking of unvalidated SharePoint access, even with stolen credentials. | Prevention of initial provider account compromise. |
| SIEM with custom rules | Automatic alerts for correlated events: quarantine + provider mention + anomalous volume. | Rapid SOC response with complete incident context. |
Thanks to the adversary-focused vision, our SOC not only detected the anomaly, but understood the attacker’s tactic (abuse of trust in legitimate cloud services) and responded before the malicious content was executed by end users.
Lessons learned
- SPF/DKIM/DMARC are not enough against CloudLOLs. Attackers use compromised legitimate infrastructure that passes all controls.
- Behavioral analysis is critical. Atypical sending volume is a more important warning signal than email authentication.
- Compromised suppliers are an attack vector. Third-party accounts with access to SharePoint/O365 can be used to distribute malware.
- Event correlation detects what traditional controls miss. Cross-referencing quarantine data, email content, and historical patterns reveals sophisticated attacks.
Conclusion
The attack was detected because our SOC implements adaptive defense and continuous behavioral monitoring. With Merabytes, the story ended well:
- The anomalous email volume was detected through behavioral analysis.
- Event correlation (quarantine + provider mention + volume) generated an immediate alert.
- The malicious link was blocked before users interacted with it.
- The supplier was notified of the account compromise for remediation.
#cybersecurity #industry #o365security #phishing #merabytes #identitysecurity #cloudlol #sharepoint
If you are interested in protecting your infrastructure against sophisticated CloudLOL attacks and advanced phishing, visit merabytes.com and request access to our continuous monitoring, identity protection, and behavior analysis services.
Frequently asked questions
An Adversary-Aware SOC goes beyond traditional security monitoring by understanding attacker tactics, techniques, and procedures (TTPs). We proactively hunt for threats using MITRE ATT&CK framework, behavioral analysis, and threat intelligence to detect attacks that bypass conventional security controls.
Traditional security tools focus on known signatures and indicators. Our behavioral detection analyzes anomalies in user activity, email patterns, network traffic, and system behavior to identify sophisticated attacks that use legitimate tools or bypass authentication controls. This caught the attacks in these case studies before significant damage occurred.
Our SOC operates 24/7 with real-time monitoring and automated response capabilities. Critical alerts trigger immediate investigation and containment actions within minutes. We provide continuous threat hunting, forensic analysis, and coordinated incident response to minimize impact and prevent lateral movement.
We combine global threat intelligence feeds with our own research from real incidents. Every attack we analyze contributes to our detection rules and IOC database, which is immediately shared across all protected environments. This means if we see a new attack pattern targeting one client, all clients are automatically protected within hours.
Absolutely. Our SOC integrates with your existing EDR, XDR, SIEM, firewalls, email security, and identity protection tools. We enhance their effectiveness by correlating events across all sources, applying adversary-aware detection logic, and providing expert human analysis that automated tools alone cannot achieve.