Last week we saw a case that clearly reflects how corporate phishing has evolved. We’re no longer talking about “fake emails,” but perfectly authenticated messages that pass all technical controls… yet remain malicious.
📌 What is a CloudLOL?
Just like LOLBINs (living-off-the-land binaries), which reuse legitimate system binaries to execute malicious actions, a CloudLOL leverages legitimate SaaS services to carry out attacks:
- Mass distribution of infected documents or PDFs that redirect to credential-harvesting sites
- Obtaining sessions or tokens with extensive permissions in Microsoft Graph (for example Mail.Read or Mail.Send, which allow reading or sending email on the victim's behalf)
- All without executing suspicious software locally
🚨 Why SPF, DKIM and DMARC are not enough
In this case, the email passed all authentication controls:
✔ SPF: PASS
✔ DKIM: PASS
✔ DMARC: PASS
👉 This means the email was technically legitimate. SPF, DKIM and DMARC only prove that the message left infrastructure authorized to send for the sender's domain, and it had: it was sent from the provider's real Microsoft 365 / SharePoint environment. That detail is precisely what made it so dangerous, because authentication says nothing about whether the account behind the message was still under its owner's control.
🧩 What was really happening?
Unauthorized access to the provider's Microsoft 365 account allowed the attackers to use the provider's own SharePoint Online environment to distribute a malicious file.
The attack was sophisticated:
- A file was uploaded to the provider’s actual SharePoint
- A legitimate Microsoft 365 (O365) sharing link was generated for it
- The attacker emailed that link to the manufacturing company as if it were routine documentation
- Message authentication was perfect. There were no classic signs of impersonation: no look-alike domain, no spoofed headers
💡 The lesson: in the SaaS and cloud era, security no longer depends solely on SPF/DKIM/DMARC. Proactive detection based on behavioral patterns is the only way to anticipate sophisticated attacks.
📊 How did we detect it then?
The key was event correlation, not email authentication.
🔍 We observed an anomalous pattern:
- A quarantined email mentioning the word "Microsoft", sent from a domain that is not Microsoft's
- The same SharePoint file, shared from the same provider account, sent to more than 10 different recipients
- Historically that account had sent at most 1 or 2 such emails at a time
That difference was enough to trigger the alert:
- A trusted brand (Microsoft) is mentioned in the email content, but the sender domain does not match any official Microsoft domain (in this case the share was sent through @provider.com, the compromised provider's own domain)
- The email enters quarantine
- The SOC, when reviewing the email quarantine, sees the same file, from the same provider account, being sent to multiple recipients at the manufacturing company in completely different departments
- A completely atypical volume for that sender
This allowed us to quickly isolate the incident and prevent the internal team from interacting with the content.
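As an added example (not Merabytes' detection code, and not taken from the case itself), here is the two-stage rule above in Python: stage 1 is the quarantine trigger (a Microsoft brand word in a message from a non-Microsoft domain), stage 2 is the SOC correlation (same SharePoint link, same sender, fan-out across recipients and departments compared with that sender's own historical baseline). It goes slightly beyond the case by also showing what should not alert: a routine one-recipient share from the same provider and a genuine notification from a Microsoft domain. The event fields, the official-domain allow-list, the thresholds, the department lookup, the sender history and the quarantined messages are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Assumption: domains Microsoft itself sends sharing mail from. Maintain this
# allow-list from your own mail flow; it is the reference for the brand check.
OFFICIAL_MICROSOFT_DOMAINS = {"microsoft.com", "sharepointonline.com", "office.com"}
BRAND = re.compile(r"\b(microsoft|sharepoint|onedrive)\b", re.IGNORECASE)
SP_LINK = re.compile(r"https?://[\w.-]+\.sharepoint\.com/\S+", re.IGNORECASE)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def brand_mismatch(msg):
    """Stage 1, the quarantine trigger: a Microsoft brand word in the message
    while the sender domain is not one Microsoft itself sends from."""
    text = msg["subject"] + " " + msg["body"]
    return bool(BRAND.search(text)) and sender_domain(msg["from"]) not in OFFICIAL_MICROSOFT_DOMAINS


def shared_link(msg):
    """The SharePoint sharing URL carried by the message, or None."""
    m = SP_LINK.search(msg["body"])
    return m.group(0).rstrip(".,)") if m else None


def correlate(quarantined, history, departments, min_recipients=10, min_departments=3):
    """Stage 2, the SOC correlation: group quarantined mails by (sender, link) and
    alert when the fan-out is both large and above that sender's own baseline."""
    groups = defaultdict(lambda: {"recipients": set(), "departments": set()})
    for msg in quarantined:
        if not brand_mismatch(msg):
            continue
        link = shared_link(msg)
        if link is None:
            continue  # brand mismatch without a SharePoint link belongs to another rule
        g = groups[(msg["from"].lower(), link)]
        g["recipients"].add(msg["to"].lower())
        g["departments"].add(departments.get(msg["to"].lower(), "unknown"))

    alerts = []
    for (sender, link), g in groups.items():
        baseline = max(history.get(sender, []), default=0)  # past max recipients per share
        n = len(g["recipients"])
        if n >= min_recipients and len(g["departments"]) >= min_departments and n > baseline:
            alerts.append({
                "sender": sender, "link": link, "recipients": n,
                "departments": sorted(g["departments"]), "baseline": baseline,
                "why": f"{n} recipients across {len(g['departments'])} departments; "
                       f"sender's historical maximum was {baseline}",
            })
    return alerts


# Constructed sample data (hypothetical domains and mailboxes, not from the case).
RECIPIENTS = [  # (mailbox, department) at the manufacturing company
    ("jsmith", "purchasing"), ("mlee", "purchasing"), ("pgarcia", "finance"),
    ("rkhan", "finance"), ("tnguyen", "engineering"), ("aross", "engineering"),
    ("lmuller", "quality"), ("bchen", "quality"), ("dortiz", "maintenance"),
    ("kpatel", "maintenance"), ("efox", "hr"), ("swong", "hr"),
]
DEPARTMENTS = {f"{u}@manufacturer.example": d for u, d in RECIPIENTS}
LINK = "https://provider.sharepoint.com/:b:/s/Docs/EaX1234567890abc?e=K9q2Lm"


def make_mail(sender, to, subject, body):
    return {"from": sender, "to": to, "subject": subject, "body": body}


QUARANTINED = [
    # The compromised provider account fans one link out to 12 mailboxes.
    make_mail("ana@provider.example", rcpt, "Microsoft SharePoint: Ana shared 'Delivery_Schedule_Q3.pdf'",
              f"Ana shared a file with you. Open: {LINK}")
    for rcpt in DEPARTMENTS
] + [
    # Routine traffic that must NOT alert: one recipient from the same provider.
    make_mail("bob@provider.example", "jsmith@manufacturer.example",
              "Microsoft SharePoint: Bob shared 'PO-4471.pdf'",
              "Bob shared a file with you. Open: https://provider.sharepoint.com/:b:/s/Docs/Eb9999"),
    # Genuine Microsoft notification: brand word but official domain, never stage 1.
    make_mail("no-reply@sharepointonline.com", "mlee@manufacturer.example",
              "Microsoft SharePoint weekly digest", "Your sites had 3 updates this week."),
]

# Constructed history: distinct recipients per shared file for each sender, last 90 days.
HISTORY = {"ana@provider.example": [1, 2, 1, 2], "bob@provider.example": [1, 1]}

if __name__ == "__main__":
    for alert in correlate(QUARANTINED, HISTORY, DEPARTMENTS):
        print(f"ALERT {alert['sender']} -> {alert['link']}: {alert['why']}")
```

The baseline is per sender, not a global threshold: 12 recipients is alarming for an account that has never shared with more than 2, while it might be normal for a provider's document-control mailbox. That is the "normal for that user" point of the post, and it is what keeps the rule from firing on every bulk share.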
🚨 Important lesson: AI is not enough
Classic email authentication controls and even AI-assisted triage are necessary… but they are not sufficient.
Today, real detection comes from:
✨ Telemetry
✨ Behavior
✨ Volume
✨ Context
✨ Correlation
In summary: it doesn’t matter if the email “looks legitimate.” What matters is whether it behaves like something normal for that user.
🛡 Recommendation for any industrial company
If you depend on providers who use O365 or SharePoint to send you documentation, consider:
- Monitoring anomalous sharing volumes per provider account
- Correlating SharePoint sharing activity with email activity
- Alerting on atypical behavior measured against each sender's own baseline
- Protecting identities with risk signals
- Logging events continuously into your SIEM
The future of prevention is not in the email header. It’s in behavior and context.
🛡️ How would Merabytes have protected you?
| Merabytes Defense Area | How it would have acted | Expected result |
|---|---|---|
| Email behavior analysis | Detection of atypical volume: same file shared from the same account to multiple recipients in different departments. | Early warning before users interact with the content. |
| Email quarantine correlation | Automatic pattern analysis in quarantined emails: mention of “Microsoft” from unofficial domains. | Identification of sophisticated impersonation that evades SPF/DKIM/DMARC. |
| SharePoint activity monitoring | Detection of unusual mass sharing from provider accounts with irregular access patterns. | Proactive blocking of malicious links before mass distribution. |
| Context and telemetry analysis | Data cross-referencing: historical vs. current volume, IP origins, sender behavior. | Real-time detection of compromised accounts. |
| Identity protection (Cisco Duo 2FA) | Blocking of SharePoint access that has not passed a second factor, even with stolen credentials. | Prevention of the initial provider account compromise, provided the second factor is enforced on the provider's accounts. |
| SIEM with custom rules | Automatic alerts for correlated events: quarantine + provider mention + anomalous volume. | Rapid SOC response with complete incident context. |
#cybersecurity #industry #o365security #phishing #merabytes #identitysecurity #cloudlol #sharepoint
If you’re interested in protecting your infrastructure against sophisticated CloudLOL attacks and advanced phishing, visit merabytes.com and request access to our continuous monitoring, identity protection, and behavior analysis services.