Emerging threats to cloud-based business

About the author

Max Heinemeyer is the Director of Threat Hunting at Darktrace

It’s no secret that collaboration is the bedrock of business. In fact, a Stanford University study demonstrated that merely priming employees to act in a collaborative fashion — without changing their environment or workflow — makes them more engaged, more persistent, more successful, and less fatigued.

To digitally optimize this ingrained capacity for teamwork, businesses the world over have adopted Software as a Service (SaaS) applications that let multiple users share information. Run from centralised, cloud-hosted data centres rather than on local hardware, such applications offer financial and technical benefits to companies of all sizes, from lower storage costs to reliable connectivity and faster support. Yet it is their collaborative nature that has positioned SaaS software at the heart of the modern enterprise.

At the same time, the interactivity of cloud services makes them an attractive target for advanced cyber-criminals, who can often leverage a single user's SaaS credentials to compromise dozens of other accounts. And while leading SaaS vendors conform to high security standards, the platform controls they provide share a common weakness: the accounts, user behaviour and tenant configuration on the customer side remain the customer's responsibility, and that is where human error creeps in. By launching sophisticated attacks like those in the case studies below, today's threat actors are increasingly gaining access to cloud services through the front door, with valid credentials. Stopping them requires a fundamentally different security approach, one that can detect when credentialed users behave, ever so slightly, out of character.

Darktrace’s latest Cloud Threat Report looked at cloud-based cyber-attacks its customers experienced – and how they were stopped – over the past year, revealing the emerging threats modern workplaces need to be aware of.

Phishing Attack in Office 365

Perhaps the most difficult cloud-based attacks to counter are those that rely on social engineering, since they deceive employees into handing over their credentials and other valuable information voluntarily. In these cases, anomaly detection that learns how each user normally behaves is a key line of defence, because thwarting a social engineering attack before the damage is done means protecting employees from their own mistakes.

While many phishing attacks are launched as indiscriminate 'drive-by' campaigns, a growing number of recent attacks have been targeted, email-borne campaigns with the markings of coordinated and sophisticated cyber-crime. In one case, a threat actor had obtained the address book of a US municipality and worked through the recipients in alphabetical order. While each email was well crafted and customized to its recipient, every message carried a malicious link hidden behind a button variously disguised as a link to Netflix, Amazon and other trusted services.

AI analysed these hidden links in the context of all Office 365 email traffic and the normal 'patterns of life' of the intended recipients on the network. When the first email came through, the AI immediately recognized that neither the recipient, nor anyone in his peer group, nor anyone else on the city's staff had ever visited that domain. It raised a high-confidence alert and recommended autonomously locking each link as it entered the network.
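The check the case study describes, in working form, as an added example (not Darktrace's code): a link's domain is scored by how many layers of the organisation have never visited it (the recipient, the recipient's peer group, anyone at all), and a button whose visible text names a brand the link does not go to is flagged as well. The browsing history, peer groups, brand table and email messages are constructed sample data, and the hostnames are placeholders rather than real indicators.

```python
"""Rare-domain scoring for links in inbound email.

Added example, not Darktrace's code. A link is most suspicious when its domain
has never been visited by the recipient, by the recipient's peer group, or by
anyone else in the organisation. All data below is constructed sample data.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy history: (user, registrable domain visited)
HISTORY = [
    ("alice", "netflix.com"), ("alice", "amazon.com"), ("alice", "office.com"),
    ("bob", "netflix.com"), ("bob", "office.com"),
    ("carol", "amazon.com"), ("carol", "office.com"),
    ("dave", "office.com"), ("dave", "github.com"),
]
# Constructed peer groups, e.g. taken from the HR directory
PEERS = {"finance": {"alice", "bob", "carol"}, "engineering": {"dave"}}
# Constructed brand table: a button that names a brand should link to that brand
BRANDS = {"netflix": "netflix.com", "amazon": "amazon.com", "github": "github.com"}


def registrable_domain(url):
    """Last two labels of the hostname. Assumption: the sample data contains no
    multi-part public suffixes such as co.uk (use a public-suffix list in production)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def build_index(history):
    """Map each user to the set of domains they have visited."""
    seen = defaultdict(set)
    for user, dom in history:
        seen[user].add(dom)
    return seen


def rarity(dom, recipient, seen, peers):
    """0 = recipient has visited dom; 1 = new to the recipient; 2 = also new to
    every peer; 3 = never seen anywhere in the organisation."""
    reasons = []
    if dom in seen.get(recipient, set()):
        return 0, reasons
    reasons.append("new for recipient")
    group = next((g for g, members in peers.items() if recipient in members), None)
    if any(dom in seen.get(u, set()) for u in peers.get(group, set()) if u != recipient):
        return 1, reasons
    reasons.append("new for peer group")
    if any(dom in doms for doms in seen.values()):
        return 2, reasons
    reasons.append("new for organisation")
    return 3, reasons


def brand_mismatch(display_text, dom):
    """Return a reason if the visible text names a brand the link does not go to."""
    for brand, legit in BRANDS.items():
        if brand in display_text.lower() and dom != legit:
            return f"text names {brand} but link goes to {dom}"
    return None


def triage(emails, history=HISTORY, peers=PEERS):
    """Alert on links that are new to the whole organisation, or that are new to
    the recipient and hide behind a misleading brand name."""
    seen = build_index(history)
    alerts = []
    for recipient, text, url in emails:
        dom = registrable_domain(url)
        score, reasons = rarity(dom, recipient, seen, peers)
        mismatch = brand_mismatch(text, dom)
        if mismatch:
            reasons.append(mismatch)
        if score == 3 or (score >= 1 and mismatch):
            alerts.append({"recipient": recipient, "domain": dom,
                           "score": score, "reasons": reasons})
    return alerts


# Constructed inbound mail: (recipient, visible button text, actual href)
EMAILS = [
    ("alice", "Watch on Netflix", "https://www.netflix.com/browse"),
    ("bob", "Your Amazon order", "https://account-verify.example-invoice.net/login"),
    ("dave", "Open in GitHub", "https://github.com/org/repo"),
]

if __name__ == "__main__":
    for alert in triage(EMAILS):
        print(alert)
```

Only bob's message is flagged: its domain is new to him, to his finance peers and to the whole organisation, and the button text names Amazon while the link goes elsewhere. A domain that is new to one user but familiar to their peers scores 1 and is left alone, which is what keeps this kind of rarity check from alerting every time someone visits a site a colleague already uses.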

Disgruntled IT Manager 

Unlike external threat actors, malicious insiders are often uniquely positioned to evade traditional controls given their privileged access and intimate knowledge of the network. Whether these controls rely on binary detection logic or merely monitor the perimeter, a disaffected employee can often easily bypass static defenses in the cloud and exfiltrate or manipulate critical data without triggering suspicion. 

A retailer in the UK decided to restructure its IT department and let a number of employees go. One of the affected employees – an IT manager – downloaded contact details and credit card numbers from the customer database before leaving, secretly transferring them to a home server via one of the company’s regular data transfer services. The IT manager knew that this particular service was not only sanctioned by corporate policies but also cloud-based, and he assumed that the security team would have very limited visibility in this area. 

While this subtle activity easily evaded the cloud provider's native controls, AI detected the behaviour within seconds. By continuously learning what is 'normal' for every user and device, the system correlated the unusual internal connections from the IT manager's device with an upload far larger than anything in his history, even though other employees used the same cloud service every day for legitimate purposes.

The system then alerted the security team with detailed, precise information about the nature of the incident, prompting them to revoke his credentials and quickly retrieve and secure the data.
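The two correlations the case study relies on, as an added example that is not Darktrace's code: a per-user baseline of daily upload volume to the sanctioned transfer service (median plus a multiple of the median absolute deviation, so a single earlier spike cannot stretch the baseline), and a first-seen internal connection from the same device in the hours before the upload. Users, device names, hostnames and the upload and connection logs are constructed samples.

```python
"""Per-user baseline for uploads to a sanctioned cloud transfer service.

Added example, not Darktrace's code. Flags a transfer volume far outside the
user's own history, and raises severity when a device of theirs also talked to
an internal host it never talks to (here the customer database) shortly
beforehand. Logs, hostnames and user names are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MB = 1024 * 1024
DAY0 = datetime(2019, 5, 1)
TARGET_DAY = (DAY0 + timedelta(days=10)).date()

# Constructed upload log for the sanctioned service: (user, device, timestamp, bytes)
UPLOADS = []
for i in range(10):
    # the IT manager normally sends 50-70 MB a day; ops1 legitimately sends ~3 GB a day
    UPLOADS.append(("itmgr", "ws-17", DAY0 + timedelta(days=i, hours=10), (50 + 10 * (i % 3)) * MB))
    UPLOADS.append(("ops1", "ws-03", DAY0 + timedelta(days=i, hours=11), 3000 * MB))
UPLOADS.append(("itmgr", "ws-17", DAY0 + timedelta(days=10, hours=22), 4200 * MB))
UPLOADS.append(("ops1", "ws-03", DAY0 + timedelta(days=10, hours=11), 3100 * MB))

# Constructed internal connection log: (device, destination host, timestamp)
CONNECTIONS = []
for i in range(10):
    CONNECTIONS.append(("ws-17", "fileserver-01", DAY0 + timedelta(days=i, hours=9)))
    CONNECTIONS.append(("ws-03", "db-customer-01", DAY0 + timedelta(days=i, hours=10)))
# the evening before leaving, the IT manager's workstation pulls from the customer DB
CONNECTIONS.append(("ws-17", "db-customer-01", DAY0 + timedelta(days=10, hours=21, minutes=30)))


def daily_totals(uploads):
    """user -> date -> bytes uploaded that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, _device, ts, nbytes in uploads:
        totals[user][ts.date()] += nbytes
    return totals


def robust_threshold(history, k=5.0):
    """median + k * MAD. The MAD is floored at 10% of the median so that a
    perfectly stable history does not produce a zero-width band."""
    med = median(history)
    mad = 1.4826 * median(abs(v - med) for v in history)
    return med + k * max(mad, 0.1 * med)


def known_destinations(connections, before):
    """device -> hosts it connected to before the cut-off (its baseline)."""
    known = defaultdict(set)
    for device, dest, ts in connections:
        if ts < before:
            known[device].add(dest)
    return known


def detect(uploads, connections, day, k=5.0, min_history=5):
    """Alerts for users whose upload volume on `day` exceeds their own baseline;
    severity is 'high' when one of their devices also made a first-seen internal
    connection in the 24 hours leading up to that day's uploads."""
    day_start = datetime.combine(day, datetime.min.time())
    totals = daily_totals(uploads)
    known = known_destinations(connections, day_start)
    alerts = []
    for user, per_day in totals.items():
        today = per_day.get(day, 0)
        history = [v for d, v in per_day.items() if d < day]
        if today == 0 or len(history) < min_history:
            continue  # nothing to judge, or not enough history to judge it against
        threshold = robust_threshold(history, k)
        if today <= threshold:
            continue
        devices = {dev for u, dev, ts, _ in uploads if u == user and ts.date() == day}
        window_start = day_start - timedelta(hours=24)
        rare = [(dev, dest) for dev, dest, ts in connections
                if dev in devices and window_start <= ts < day_start + timedelta(days=1)
                and dest not in known[dev]]
        alerts.append({"user": user, "bytes": today, "threshold": int(threshold),
                       "rare_connections": rare,
                       "severity": "high" if rare else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(UPLOADS, CONNECTIONS, TARGET_DAY):
        print(alert)
```

The ops1 account moves 3 GB a day and is never flagged, because the baseline is per user rather than a fixed volume cap; the IT manager's 4.2 GB is roughly thirty times his own median and arrives an hour after his workstation's first ever connection to the customer database, so the alert is raised at high severity. The minimum-history check matters: without it a new joiner's first upload would trip the detector.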

Compromised Credentials in Office 365

Advanced cyber-criminals can steal corporate account credentials in a variety of ways, from social engineering to credential-stealing malware that harvests passwords from network traffic and short-lived cloud assets. And with stolen data readily bought and sold on the Dark Web, the frequency and severity of credential theft is increasing year on year.

In one international organisation, an Office 365 account was compromised without triggering Azure Active Directory's native controls. Although the organisation had offices in every corner of the globe, AI identified a login from an IP address that was historically unusual for that user and her peer group and immediately alerted the security team. Darktrace then alerted on a new inbox rule that deleted incoming mail, a common step attackers take to hide their activity from the account's real owner. This was a clear sign of compromise, and the security team was able to lock the account before the attacker could do damage.

When the security team investigated further, they learned that the user had received a phishing email just hours before AI detected the threat. The company had also deployed Microsoft's Advanced Threat Protection (ATP) for Office 365, but reputation-based link filtering depends on the URL already being known as malicious, and this link was not on any list. This showed the limits of a signature-based approach in this area, and the organisation soon deployed autonomous response technology for additional protection in Office 365, given its ability to spot similar phishing emails without relying on blacklists.
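The sequence in this case study, detected from the tenant's own audit trail, as an added example that is not Darktrace's code: a successful login from an address range never seen for the user or her peers, followed within hours by an inbox rule that deletes mail (or forwards or hides it). The records are constructed samples in the shape of Office 365 unified audit log entries (Operation, UserId, ClientIP, CreationTime, and the Parameters list that Exchange cmdlet records carry); the IP addresses come from the RFC 5737 documentation ranges and the user names are placeholders.

```python
"""Correlating an unusual login with a new inbox rule in Office 365 audit data.

Added example, not Darktrace's code. Records below are constructed samples in
the shape of unified audit log entries; addresses are RFC 5737 ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# parameters that delete, divert or hide incoming mail
HIDING_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "MoveToFolder"}


def login(user, ip, when, ok=True):
    """Build a constructed UserLoggedIn record."""
    return {"CreationTime": when, "Operation": "UserLoggedIn", "UserId": user,
            "ClientIP": ip, "ResultStatus": "Succeeded" if ok else "Failed"}


AUDIT = []
for d in range(1, 8):  # a week of ordinary office logins from the corporate range
    AUDIT.append(login("jane@example.com", f"203.0.113.{10 + d}", f"2019-05-0{d}T08:0{d}:00"))
    AUDIT.append(login("tom@example.com", f"203.0.113.{20 + d}", f"2019-05-0{d}T08:3{d}:00"))
AUDIT += [
    login("jane@example.com", "192.0.2.77", "2019-05-10T02:14:00"),  # unfamiliar range, 2 a.m.
    {"CreationTime": "2019-05-10T02:19:00", "Operation": "New-InboxRule",
     "UserId": "jane@example.com", "ClientIP": "192.0.2.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;password"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]
PEERS = {"finance": {"jane@example.com", "tom@example.com"}}  # constructed


def ts(record):
    return datetime.fromisoformat(record["CreationTime"])


def prefix(ip):
    """/24 the login came from; a coarse stand-in for ASN or geolocation."""
    return str(ip_network(f"{ip}/24", strict=False))


def baseline(records, before):
    """Per user: prefixes of successful logins before the cut-off, and how many."""
    seen, count = defaultdict(set), defaultdict(int)
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r.get("ResultStatus") == "Succeeded" and ts(r) < before:
            seen[r["UserId"]].add(prefix(r["ClientIP"]))
            count[r["UserId"]] += 1
    return seen, count


def suspicious_params(record):
    """Rule parameters that delete, divert or hide mail (a 'False' value is harmless)."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    return {k: v for k, v in params.items() if k in HIDING_PARAMS and str(v).lower() != "false"}


def analyse(records, peers, window_hours=24, min_history=5):
    """Alert on logins from a prefix new to the user and to all of their peers;
    severity 'high' when a mail-hiding inbox rule follows within the window."""
    records = sorted(records, key=ts)
    alerts = []
    for r in records:
        if r["Operation"] != "UserLoggedIn" or r.get("ResultStatus") != "Succeeded":
            continue
        user, when, pfx = r["UserId"], ts(r), prefix(r["ClientIP"])
        seen, count = baseline(records, when)
        if count[user] < min_history or pfx in seen[user]:
            continue  # still learning this user, or a familiar range
        group = next((m for m in peers.values() if user in m), set())
        if any(pfx in seen[p] for p in group if p != user):
            continue  # a colleague already logs in from there
        rules = [x for x in records if x["Operation"] in RULE_OPS and x["UserId"] == user
                 and when <= ts(x) <= when + timedelta(hours=window_hours) and suspicious_params(x)]
        alerts.append({"user": user, "login_ip": r["ClientIP"], "prefix": pfx, "time": when,
                       "rules": [{"name": {p["Name"]: p["Value"] for p in x["Parameters"]}.get("Name"),
                                  "params": suspicious_params(x)} for x in rules],
                       "severity": "high" if rules else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(AUDIT, PEERS):
        print(alert)
```

Two design points are worth noting. The peer check is what stops the detector firing on every business trip: if a colleague in the same group already logs in from a range, the user's first login from it scores as normal. And the baseline is built from everything before each login, so once a compromise login has been recorded it becomes part of that user's "normal"; confirmed-malicious logins should therefore be excluded from the history, which is one reason these alerts need a human (or an autonomous response) to act on them rather than being left to age out.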

From social engineering attacks to insider threats to stolen credentials, the risks inherent to SaaS are largely user-dependent. Human error and a lack of expertise in the organisations deploying cloud assets are the most critical vulnerabilities in the cloud security puzzle. What's more, organisations are moving to the cloud faster than they can secure it.

To make matters worse, attackers are innovating rapidly, and we can expect attacks on the cloud to get faster and more furious. Take Xbash, for example, the recently discovered malware family that targets both Windows and Linux systems, combining data-destructive ransomware with malicious cryptomining. As the examples above illustrate, the threat is already outpacing human security teams. When it comes to securing the cloud, this is an arena where we will have to give up control to AI systems, not take it back.
