Real case: Phishing campaign via legitimate PayPal invoices using trusted cloud infrastructure (client name omitted for confidentiality)
🔑 Key points
| Phase | Event |
|---|---|
| Phase 0 - Initial vector | Attacker creates a legitimate PayPal invoice with a malicious PDF attachment. The invoice is hosted on real paypal.com infrastructure. |
| Phase 1 - Distribution | Email sent with a link to PayPal’s actual infrastructure. |
| Phase 2 - Malicious PDF | The attached PDF contains a simulated button with a link that starts the redirect chain toward the phishing page. |
| Phase 3 - Redirect chain | The link chains legitimate services: Cloudflare → Mailinblack → ActiveCampaign → cloned Microsoft 365 login hosted on Azure. |
| Phase 4 - SOC Detection | SOC detects anomalous pattern: traffic to paypal.com from users with no purchase history, PDFs with unusually long links, chained browser redirects from different domains. |
| Phase 5 - Containment | Malicious flow blocked before users enter credentials. Alert generated by behavioral analysis and event correlation. |
This week we identified a new phishing campaign that fits squarely within the CloudLOL concept we discussed in the previous post about SharePoint.
There we talked about abuse of SharePoint Online; here we see the same pattern, this time built on the legitimate option of attaching documents to PayPal invoices.
🌩️ What is a CloudLOL?
Just as LOLBINs reuse binaries already present on the system to execute malicious actions, a CloudLOL reuses the legitimate functionality of SaaS services to carry out an attack: every piece of infrastructure involved is real, reputable and already trusted by the victim's filters.
🧾 PayPal invoice abuse as a phishing vector
Attackers are using the legitimate option to upload file attachments to PayPal invoices to host PDFs with malicious content.
From a technical standpoint:
✔ The invoice is real
✔ It is hosted on PayPal’s legitimate infrastructure (paypal.com)
https://www.paypal[.]com/invoice/payerView/attachments/y1j-K8TYXFpldM7vByLII7lK.d9Q0HBxg7-6TOj2HkLM8OK8pRf7bwv9xEViCR3MbPSuEX-PMVfXAnHZ4uIWdUISBgnrACPCsGfJPtERVfg&version=1&sig=SH3nUGxRyf4wByrnRfAWzjB5WqgLkOsHGlgkFYjkMVk
Technically impeccable.
Opening it yields a simple PDF whose only content is a fake button; the link behind it starts the redirect chain toward the phishing page.
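To show how that "button" is found mechanically rather than by a user clicking it, here is an added example (not code from the original post, and the PDF is constructed, not the campaign's) that scans a PDF for /URI link actions, inflating FlateDecode streams so links stored inside compressed object streams are not missed, and applies the post's "unusually long link" heuristic. The 120-character threshold, the wrapper.example URL and the token in the sample are assumptions.

```python
import re
import zlib

# Constructed sample: a minimal, uncompressed PDF whose only content is a link annotation
# (the "button"). It is NOT the campaign's PDF; the URL is made up, shaped like a long
# link-protection wrapper carrying a percent-encoded inner destination.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 650]
  /A << /S /URI /URI (https://wrapper.example/securelink/?url=https%3A%2F%2Fstatic-site.example.invalid%2F%23&token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by a literal string (...) or a hex string <...>
URI_LITERAL_RE = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<(?P<h>[0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)

_SIMPLE_ESCAPES = {ord("n"): 0x0A, ord("r"): 0x0D, ord("t"): 0x09, ord("b"): 0x08,
                   ord("f"): 0x0C, ord("("): 0x28, ord(")"): 0x29, ord("\\"): 0x5C}

LONG_URI_CHARS = 120   # assumption: tunable threshold, well above ordinary portal links


def unescape_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal string body: the standard backslash escapes plus octal codes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:                       # not a backslash: copy as-is
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):                   # trailing lone backslash: drop it
            break
        e = raw[i]
        if e in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[e])
            i += 1
        elif 0x30 <= e <= 0x37:             # up to three octal digits
            j = i
            while j < len(raw) and j < i + 3 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        else:                               # unknown escape: keep the character itself
            out.append(e)
            i += 1
    return out.decode("latin-1")


def decode_hex_string(raw: bytes) -> str:
    """Decode a PDF hex string body; an odd trailing digit is padded with 0 per the spec."""
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def _candidate_buffers(pdf: bytes):
    """Yield the raw file plus every stream body that inflates with zlib (FlateDecode)."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group("body"))
        except zlib.error:
            continue   # not Flate-compressed (image data, plain stream, or damaged)


def extract_pdf_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target in the PDF, in order of appearance, without duplicates."""
    found: dict[str, None] = {}
    for buf in _candidate_buffers(pdf):
        for m in URI_LITERAL_RE.finditer(buf):
            found.setdefault(unescape_pdf_string(m.group("s")), None)
        for m in URI_HEX_RE.finditer(buf):
            found.setdefault(decode_hex_string(m.group("h")), None)
    return list(found)


def assess_uri(uri: str, max_len: int = LONG_URI_CHARS) -> list[str]:
    """Heuristic reasons a link deserves a closer look; an empty list means nothing notable."""
    reasons = []
    if len(uri) > max_len:
        reasons.append("long")
    lower = uri.lower()
    # A second scheme inside the link, plain or percent-encoded, means a wrapper/redirector.
    if lower.count("http") >= 2 or "%3a%2f%2f" in lower:
        reasons.append("nested-url")
    return reasons


if __name__ == "__main__":
    for uri in extract_pdf_uris(SAMPLE_PDF):
        print(len(uri), assess_uri(uri), uri)
```

This regex scan is a triage tool for a sandbox or mail gateway: it does not decrypt encrypted PDFs or handle stream filters other than Flate, so a full PDF parser belongs in the production pipeline. The point it demonstrates is that the only indicator in a file like this is the link itself, so the check has to be about the link's shape, not about active content.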
🔗 The redirect chain (CloudLOL in its purest form)
The attached PDF contains a link that initiates a redirect chain built exclusively from legitimate SaaS services (Cloudflare → Mailinblack → ActiveCampaign → Azure, as summarized above). Two of the observed hops:
- Mailinblack link protection, whose url parameter carries the next hop: https://mibc-fr-03.mailinblack.com/securelink/?url=...
- Final destination, an Azure Storage static website (*.web.core.windows.net) serving the cloned Microsoft 365 login page: https://constant365[.]z13.web.core.windows.net/#
The entire flow uses real SaaS providers. No suspicious infrastructure. No executable attachments. No newly registered domains.
Only abuse of legitimate cloud services.
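When each service in the chain carries the next destination in its query string, as the Mailinblack securelink ?url= pattern above does, the chain can be unwrapped offline without touching any of the hops. This is an added example, not code from the original post: the sample chain, the click-tracking host and the Azure hostname are constructed, and the list of wrapper parameter names is a heuristic assumption. Server-side 3xx redirects are not resolved here, so a real chain can be longer than what this shows.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Query parameters that link-protection and click-tracking services commonly use to carry
# the real destination. Heuristic list (assumption); extend it as you meet new wrappers.
WRAPPER_PARAMS = ("url", "u", "target", "redirect", "dest", "link")

# Constructed sample chain. The outer hop mirrors the Mailinblack securelink pattern in the
# post; the url= payload, the click-tracking host and the Azure host are made up. Each
# inner hop is percent-encoded one level deeper than the one that wraps it.
SAMPLE_CHAIN = (
    "https://mibc-fr-03.mailinblack.com/securelink/?url="
    "https%3A%2F%2Flinks.example-campaign.invalid%2Fls%2Fclick%3Fu%3D"
    "https%253A%252F%252Fconstructed-site.z13.web.core.windows.net%252F%2523"
)


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def unwrap_once(url: str) -> Optional[str]:
    """Return the destination embedded in a wrapper URL's query string, or None if there is none."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in WRAPPER_PARAMS:
        for value in query.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def resolve_chain(url: str, max_depth: int = 10) -> list[str]:
    """Follow URL-embedded hops offline; no HTTP request is made at any point."""
    hops = [url]
    while len(hops) <= max_depth:
        nxt = unwrap_once(hops[-1])
        if nxt is None or nxt in hops:      # end of chain, or a loop
            break
        hops.append(nxt)
    return hops


def is_azure_static_site(url: str) -> bool:
    """Azure Storage static-website hosting, the final hop in the observed campaign."""
    return hostname(url).endswith(".web.core.windows.net")


def is_paypal_invoice_attachment(url: str) -> bool:
    """The PayPal invoice-attachment path used as the initial vector."""
    return (hostname(url) == "www.paypal.com"
            and urlsplit(url).path.startswith("/invoice/payerView/attachments/"))


def assess_chain(url: str) -> dict:
    """Summarize a chain: its hops, how many distinct hosts it crosses, and where it lands."""
    hops = resolve_chain(url)
    hosts = [hostname(h) for h in hops]
    return {
        "hops": hops,
        "distinct_hosts": len(set(hosts)),
        "final_host": hosts[-1],
        "final_is_azure_static_site": is_azure_static_site(hops[-1]),
    }


if __name__ == "__main__":
    for i, hop in enumerate(resolve_chain(SAMPLE_CHAIN)):
        print(f"hop {i}: {hostname(hop)}")
    print(assess_chain(SAMPLE_CHAIN))
```

Two things fall out of the summary: the number of distinct hosts a single click crosses (the "chained browser redirects from different domains" signal in the key points), and the landing host, which in this campaign is Azure static-website hosting, a place where no legitimate Microsoft 365 sign-in page lives.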
🧠 Why is this especially dangerous?
Because it defeats every layer of the classic filtering model at once:
- Sender reputation and email authentication pass, because the email really does come from PayPal.
- Domain reputation and domain age pass, because every hop is an established SaaS provider; there is no newly registered domain anywhere in the chain.
- Attachment analysis finds a PDF containing a link, not an executable.
It is phishing based on trusted infrastructure.
This is exactly what we define as CloudLOL: Living Off Legitimate Cloud Services.
🔍 Relevant technical indicators
- Initial vector: PDF attached to a genuine invoice, served from www.paypal[.]com/invoice/payerView/attachments/
- Redirect wrapper: Mailinblack link protection, mibc-fr-03.mailinblack.com/securelink/?url=...
- Credential capture page: cloned Microsoft 365 login on constant365[.]z13.web.core.windows.net (Azure Storage static website hosting, *.web.core.windows.net)
📊 How can something like this be detected?
The key was event correlation and behavioral analysis, not email authentication.
🔍 We observed anomalous patterns:
- Traffic to paypal.com from users with no purchase history or related financial activity.
- PDF attachments whose only content is a link, and an unusually long one.
- Chained browser redirects across several unrelated domains, ending on an Azure static website.
The key is not whether the email “is authentic.” The key is whether that behavior is normal for that user.
⚠️ Important lesson: AI is not enough
Classic email authentication controls and even AI-assisted triage are necessary… but they are not sufficient.
Today, real detection comes from:
✨ Telemetry
✨ Behavior
✨ Context
✨ Volume
✨ Correlation
In summary: it doesn’t matter if the email “looks legitimate.” What matters is whether it behaves like something normal for that user.
🛡 Recommendations
For organizations working with electronic invoicing:
- Baseline which identities legitimately interact with payment platforms, and alert on access to paypal.com from users outside that group.
- Sandbox PDF attachments and flag unusually long or wrapped links, even when the PDF contains no active content.
- Follow the full redirect chain and treat login pages served from *.web.core.windows.net (Azure static website hosting) as high-risk destinations.
- Correlate these events in the SIEM (PayPal access + PDF with long redirects + Azure destination) rather than relying on email authentication, which a genuine PayPal email passes.
🧩 How our Adversary-Aware SOC detected and prevented this attack
Our Adversary-Aware SOC identified this attack through multiple layers of detection that go beyond traditional controls:
| Merabytes Defense Area | How our SOC acted | Result obtained |
|---|---|---|
| Traffic behavior analysis | Detection of access to paypal.com from users with no purchase history or related financial activity. | Early warning before users interact with the malicious PDF. |
| PDF attachment analysis | Sandbox inspection of PDFs detecting unusually long and obfuscated links. | Identification of the initial vector before the user follows the link. |
| Redirect chain tracking | Automatic analysis of multiple browser hops: Cloudflare → Mailinblack → ActiveCampaign → Azure. | Full mapping of the malicious flow and proactive blocking before the capture page. |
| Context and telemetry analysis | Data cross-referencing: historical user behavior vs. unexpected access to payment infrastructure. | Real-time detection of anomalous activity. |
| Azure destination monitoring | Alerts on access to *.web.core.windows.net domains as known hosting for phishing pages. | Proactive blocking of the credential capture page. |
| SIEM with custom rules | Event correlation: PayPal access + PDF with long redirects + suspicious Azure destination. | Rapid SOC response with complete incident context. |
Thanks to the adversary-focused vision, our SOC not only detected the anomaly but understood the attacker’s tactic (abuse of trusted cloud service chains) and responded before corporate credentials were compromised.
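The "SIEM with custom rules" row above, and the anomalous patterns listed earlier, describe one correlation rule: a PayPal access by a user with no history, a long link in the attached PDF, a redirect chain across several domains and an Azure static-site destination, all within a short window. Here is one way to implement that rule over normalized events. This is an added example, not Merabytes' detection logic: the log lines, users, baseline set, 30-minute window, 120-character threshold and the minimum of three signals are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: normalized events "timestamp user source url". Sources are "proxy"
# (web gateway) and "pdf_sandbox" (a link extracted from an attachment). Users, times and
# URLs are made up; the URL shapes mirror the hops described in the post.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z finance.ap proxy https://www.paypal.com/invoice/payerView/attachments/CONSTRUCTED-A?version=1
2025-01-14T09:03:40Z jdoe proxy https://www.paypal.com/invoice/payerView/attachments/CONSTRUCTED-B?version=1
2025-01-14T09:03:55Z jdoe pdf_sandbox https://mibc-fr-03.mailinblack.com/securelink/?url=https%3A%2F%2Flinks.example-campaign.invalid%2Fls%2Fclick%3Fu%3Dhttps%253A%252F%252Fconstructed-site.z13.web.core.windows.net%252F%2523
2025-01-14T09:04:02Z jdoe proxy https://mibc-fr-03.mailinblack.com/securelink/?url=CONSTRUCTED
2025-01-14T09:04:03Z jdoe proxy https://links.example-campaign.invalid/ls/click?u=CONSTRUCTED
2025-01-14T09:04:05Z jdoe proxy https://constructed-site.z13.web.core.windows.net/
2025-01-14T10:15:00Z devops proxy https://docs-site.z13.web.core.windows.net/index.html
"""

# Constructed baseline: identities with PayPal activity in the lookback period (finance pays invoices).
BASELINE_PAYPAL_USERS = {"finance.ap"}

LONG_URL_CHARS = 120   # assumption: tunable threshold for an "unusually long" link


@dataclass
class Event:
    ts: datetime
    user: str
    source: str
    url: str


@dataclass
class Alert:
    user: str
    trigger_ts: datetime
    signals: list[str]
    urls: list[str]


def parse_log(text: str) -> list[Event]:
    """Parse the four-field constructed format; real pipelines normalize from the SIEM schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, url = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, source, url))
    return events


def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_paypal(url: str) -> bool:
    return host(url) == "www.paypal.com"


def is_azure_static_site(url: str) -> bool:
    return host(url).endswith(".web.core.windows.net")


def correlate(events, baseline_users, window=timedelta(minutes=30), min_signals=3) -> list[Alert]:
    """Anchor on each PayPal access and score what the same user did in the window after it.

    No single signal alerts on its own: a finance user on paypal.com is normal, and an Azure
    static site by itself is just hosting. Only the combination fires.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for trigger in (e for e in evs if is_paypal(e.url)):
            span = [e for e in evs if trigger.ts <= e.ts <= trigger.ts + window]
            signals = []
            if user not in baseline_users:
                signals.append("paypal_access_without_history")
            if any(e.source == "pdf_sandbox" and len(e.url) > LONG_URL_CHARS for e in span):
                signals.append("unusually_long_link")
            if len({host(e.url) for e in span}) >= 3:
                signals.append("multi_domain_redirect_chain")
            if any(is_azure_static_site(e.url) for e in span):
                signals.append("azure_static_site_destination")
            if len(signals) >= min_signals:
                alerts.append(Alert(user, trigger.ts, signals, [e.url for e in span]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG), BASELINE_PAYPAL_USERS):
        print(alert.user, alert.trigger_ts.isoformat(), alert.signals)
        for url in alert.urls:
            print("   ", url)
```

In the sample the finance user touches paypal.com and raises nothing, the devops user visits an Azure static site and raises nothing, and only the user who combines all four signals produces an alert with the complete chain attached as context, which is the "complete incident context" the table describes.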
📚 Lessons learned and conclusion
Sophistication is no longer in the malware.
It is in the creative use of legitimate infrastructure.
The attack was detected because our SOC implements adaptive defense and continuous behavioral monitoring. With Merabytes, the story ended well: the malicious flow was blocked before any user entered credentials.
The future of detection is not in the email header. It is in the behavioral pattern.
#cybersecurity #CloudLOL #phishing #identitysecurity #Azure #PayPal #merabytes
If you’re interested in protecting your infrastructure against sophisticated CloudLOL attacks and advanced phishing, visit merabytes.com and request access to our continuous monitoring, identity protection, and behavior analysis services.
Discover how our Adversary-Aware Security Operations Center proactively identifies and neutralizes threats before they impact your business.