- Project : CloudLOL Detection
- Company : Merabytes
- Sector : Manufacturing
- Date : 29 November, 2025
- Duration : Real-time detection
info@merabytes.com
Real case: Manufacturing sector company victim of CloudLOL attack via SharePoint (client name omitted for confidentiality)
Last week we saw a case that clearly reflects how corporate phishing has evolved. We’re no longer talking about “fake emails,” but perfectly authenticated messages that pass all technical controls… yet remain malicious.
What is a CloudLOL?
Just like LOLBINs, which reuse system binaries to execute malicious actions, a CloudLOL leverages legitimate SaaS services to carry out attacks:
- Mass distribution of infected documents or PDFs that redirect to credential-harvesting sites
- Obtaining sessions or tokens with extensive permissions in Microsoft Graph (such as reading or sending emails)
- All without executing suspicious software locally
Why SPF, DKIM and DMARC are not enough
In this case, the email passed all authentication controls:
✔ SPF: PASS
✔ DKIM: PASS
✔ DMARC: PASS
👉 This means the email was technically legitimate. It had been sent from the actual infrastructure of a provider like Microsoft SharePoint. And that detail is precisely what made it so dangerous.
What was really happening?
Unauthorized access to this provider’s account allowed attackers to use their own SharePoint Online environment to distribute a malicious file.
The attack was sophisticated:
- A file was uploaded to the provider’s actual SharePoint
- A legitimate O365 link was generated
- The attacker shared it via email to the manufacturing company as if it were routine documentation
- The message authentication was perfect. There were no classic signs of impersonation
💡 The lesson: in the SaaS and cloud era, security no longer depends solely on SPF/DKIM/DMARC. Proactive detection based on behavioral patterns is the only way to anticipate sophisticated attacks.
How did we detect it then?
The key was event correlation, not email authentication.
🔍 We observed an anomalous pattern:
- A quarantined email mentioning the word “Microsoft” from a domain external to Microsoft
- Sending the same SharePoint file, shared from the same account, to more than 10 different recipients
- When historically only 1 or 2 emails were sent maximum
That difference was enough to trigger the alert:
- A trusted provider (Microsoft) is mentioned in the email content and the domain doesn’t match any official Microsoft domain (SharePoint sends through @provider.com)
- The email enters quarantine
- The SOC, when reviewing the email quarantine, realizes it’s sending the same file, from the same account, to multiple accounts from our provider from completely different departments
- Completely atypical volume
This allowed us to quickly isolate the incident and prevent the internal team from interacting with the content.
Important lesson: AI is not enough
Classic email authentication controls and even AI-assisted triage are necessary… but they are not sufficient.
Today, real detection comes from:
✨ Telemetry
✨ Behavior
✨ Volume
✨ Context
✨ Correlation
In summary: it doesn’t matter if the email “looks legitimate.” What matters is whether it behaves like something normal for that user.
Recommendation for any industrial company
If you depend on providers who use O365 or SharePoint to send you documentation, consider:
- Monitor anomalous sharing volumes
- Correlation between SharePoint activity and email activity
- Alerts for atypical behaviors
- Identity protection with risk signals
- Continuous event logging in your SIEM
The future of prevention is not in the email header. It’s in behavior and context.
How Merabytes would have protected?
| Merabytes Defense Area | How it would have acted | Expected result |
|---|---|---|
| Email behavior analysis | Detection of atypical volume: same file shared from the same account to multiple recipients in different departments. | Early warning before users interact with the content. |
| Email quarantine correlation | Automatic pattern analysis in quarantined emails: mention of “Microsoft” from unofficial domains. | Identification of sophisticated impersonation that evades SPF/DKIM/DMARC. |
| SharePoint activity monitoring | Detection of unusual mass sharing from provider accounts with irregular access patterns. | Proactive blocking of malicious links before mass distribution. |
| Context and telemetry analysis | Data cross-referencing: historical vs. current volume, IP origins, sender behavior. | Real-time detection of compromised accounts. |
| Identity protection (Cisco Duo 2FA) | Blocking of unvalidated SharePoint access, even with stolen credentials. | Prevention of initial provider account compromise. |
| SIEM with custom rules | Automatic alerts for correlated events: quarantine + provider mention + anomalous volume. | Rapid SOC response with complete incident context. |
#cybersecurity #industry #o365security #phishing #merabytes #identitysecurity #cloudlol #sharepoint
If you’re interested in protecting your infrastructure against sophisticated CloudLOL attacks and advanced phishing, visit merabytes.com and request access to our continuous monitoring, identity protection, and behavior analysis services.
How an Adversary-Aware SOC prevents these scenarios
Discover how our Adversary-Aware Security Operations Center proactively identifies and neutralizes threats before they impact your business.
An Adversary-Aware SOC goes beyond traditional security monitoring by understanding attacker tactics, techniques, and procedures (TTPs). We proactively hunt for threats using MITRE ATT&CK framework, behavioral analysis, and threat intelligence to detect attacks that bypass conventional security controls.
Traditional security tools focus on known signatures and indicators. Our behavioral detection analyzes anomalies in user activity, email patterns, network traffic, and system behavior to identify sophisticated attacks that use legitimate tools or bypass authentication controls. This caught the attacks in these case studies before significant damage occurred.
Our SOC operates 24/7 with real-time monitoring and automated response capabilities. Critical alerts trigger immediate investigation and containment actions within minutes. We provide continuous threat hunting, forensic analysis, and coordinated incident response to minimize impact and prevent lateral movement.
We combine global threat intelligence feeds with our own research from real incidents. Every attack we analyze contributes to our detection rules and IOC database, which is immediately shared across all protected environments. This means if we see a new attack pattern targeting one client, all clients are automatically protected within hours.
Absolutely. Our SOC integrates with your existing EDR, XDR, SIEM, firewalls, email security, and identity protection tools. We enhance their effectiveness by correlating events across all sources, applying adversary-aware detection logic, and providing expert human analysis that automated tools alone cannot achieve.