Living off the Cloud

Modern persistence in Microsoft 365 & Google Workspace

Attackers no longer need to drop custom malware to keep a foothold in an organization. In a cloud-first environment they can live entirely inside Microsoft 365, Google Workspace, and key SaaS platforms, using OAuth consent, automation, and misconfigured identity to remain resident long after “the incident” is considered closed.

What “living off the cloud” actually means

“Living off the cloud” is the modern counterpart to “living off the land.” Instead of abusing built-in Windows binaries, attackers abuse built-in cloud capabilities: OAuth apps, automation, shared mailboxes, service accounts, and sprawling permissions. The result is persistence and leverage without obviously malicious binaries.

Persistence is now an API problem

Long-lived access often comes from tokens, app registrations, and automation, not implants. Your true “agent footprint” is every entity that can act as a human or a system in M365, Workspace, and SaaS.

“Malware-free” intrusions are normal

Many impactful intrusions never deploy traditional malware. Investigations that stop at “we saw no malicious binaries” are dangerously incomplete in a cloud-first environment.

Focus on who can act as whom

Instead of only scanning endpoints, you need a clear picture of which identities, apps, and automations can impersonate users, move data, or reconfigure security controls.

From Mailbox to Tenant

  • Phishing yields credentials or a session cookie for one user.
  • Attacker signs in from a plausible location/device to avoid instant suspicion.
  • They explore Outlook, Teams, SharePoint, and OneDrive to map business workflows.
  • They look for privileged users, shared mailboxes, and high-value distribution lists.

From “just email” to all of Google

  • Account takeover is often assumed to affect only Gmail.
  • In reality, Drive, Docs, Sheets, Groups, Chat, and Apps Script all become rich targets.
  • Domain-wide delegation and third-party apps widen the blast radius significantly.

Recon without malware

None of this requires custom tooling. Built-in search, audit trails, and directory views give attackers the reconnaissance they need, while blending into real user behavior.

OAuth apps & delegated access

  • Register a new application or abuse an existing one.
  • Request scopes that allow reading mail, files, or directory data.
  • Leverage consent workflows (user or admin) to gain durable API access.
  • Rely on refresh tokens (or the app’s own credentials) so access outlives password changes and basic account resets; only revoking the grant ends it.
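
The consent trail this procedure leaves behind is the thing to hunt for, and it is also the first signal in the detection list later in this article. As an added example (not code from the article or from Microsoft or Google), the script below scores consent events near an incident window for high-privilege scopes, tenant-wide admin consent, and refresh-token durability. The audit records are constructed and simplified: the flat field names, the scope weights, and the conservative treatment of every Google grant as durable are this example’s assumptions.

```python
"""Triage OAuth consent events for high-privilege, durable API access.

Added example; the records are constructed and their flat shape (platform,
operation, time, actor, app, admin_consent, scopes) is an assumption. Real
Unified Audit Log and Google admin/token audit entries carry far more fields.
"""
from datetime import datetime, timedelta

# Weights are this example's assumption, not a vendor ranking. They reflect how
# much mailbox, file, or directory reach a single scope gives an app.
HIGH_RISK_SCOPES = {
    # Microsoft Graph (delegated or application permissions)
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "MailboxSettings.ReadWrite": 4,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "Directory.Read.All": 3, "Directory.ReadWrite.All": 5,
    # Google APIs
    "https://mail.google.com/": 4,
    "https://www.googleapis.com/auth/gmail.readonly": 3,
    "https://www.googleapis.com/auth/drive": 4,
    "https://www.googleapis.com/auth/admin.directory.user": 5,
}


def grant_risk(scopes):
    """Sum the risk weights of the granted scopes; unknown scopes count zero."""
    return sum(HIGH_RISK_SCOPES.get(s, 0) for s in scopes)


def is_durable(platform, scopes):
    """True when the grant yields a refresh token, i.e. access that survives a
    password reset until the consent itself is revoked. Microsoft Graph signals
    this with the offline_access scope. Google issues refresh tokens when the app
    asked for offline access, which the audit record does not show as a scope,
    so Google grants are conservatively treated as durable (assumption)."""
    if platform == "google":
        return True
    return "offline_access" in scopes


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_consents(records, window_start, window_end,
                             slack_days=14, min_risk=3):
    """Return consent events near the incident window that deserve review.

    window_start/window_end are ISO-8601 strings. slack_days widens the window
    on both sides: consents are often planted before the incident is noticed
    and re-granted after a partial clean-up.
    """
    lo = _ts(window_start) - timedelta(days=slack_days)
    hi = _ts(window_end) + timedelta(days=slack_days)
    findings = []
    for rec in records:
        if not lo <= _ts(rec["time"]) <= hi:
            continue
        risk = grant_risk(rec["scopes"])
        reasons = []
        if risk >= min_risk:
            reasons.append(f"high-privilege scopes (risk {risk})")
        if risk > 0 and is_durable(rec["platform"], rec["scopes"]):
            reasons.append("refresh token issued: survives password reset")
        if rec.get("admin_consent"):
            reasons.append("admin consent: applies tenant-wide, no per-user prompt")
        if reasons:
            findings.append({"time": rec["time"], "platform": rec["platform"],
                             "actor": rec["actor"], "app": rec["app"],
                             "risk": risk, "reasons": reasons})
    findings.sort(key=lambda f: f["risk"], reverse=True)
    return findings


# Constructed sample events (not real tenant data).
SAMPLE_CONSENTS = [
    {"platform": "m365", "operation": "Consent to application.",
     "time": "2024-05-02T09:14:00+00:00", "actor": "jdoe@example.com",
     "app": "Mailbox Insights Pro", "admin_consent": False,
     "scopes": ["User.Read", "Mail.Read", "Files.Read.All", "offline_access"]},
    {"platform": "m365", "operation": "Consent to application.",
     "time": "2024-03-10T11:00:00+00:00", "actor": "admin@example.com",
     "app": "Corporate HR Connector", "admin_consent": True,
     "scopes": ["User.Read.All"]},                      # well outside the window
    {"platform": "google", "operation": "AUTHORIZE_API_CLIENT_ACCESS",
     "time": "2024-05-03T16:40:00+00:00", "actor": "admin@example.com",
     "app": "drive-sync-svc.iam.gserviceaccount.com", "admin_consent": True,
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"platform": "m365", "operation": "Consent to application.",
     "time": "2024-05-04T08:00:00+00:00", "actor": "asmith@example.com",
     "app": "Weather Widget", "admin_consent": False,
     "scopes": ["User.Read"]},                          # benign, no refresh token
]

if __name__ == "__main__":
    for f in find_suspicious_consents(SAMPLE_CONSENTS,
                                      "2024-05-01T00:00:00+00:00",
                                      "2024-05-05T23:59:59+00:00"):
        print(f"{f['time']} {f['platform']:6} {f['app']} by {f['actor']}: "
              + "; ".join(f["reasons"]))
```

Run against the sample window the service account granted drive and mail access through domain-wide delegation ranks first, the user-consented mail-and-files app with offline_access second, and the User.Read-only widget is ignored. The point of the slack window is that a consent granted two weeks before anyone declared an incident is exactly the kind that survives “remediation”.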

Automation as infrastructure

  • Power Automate flows or Azure Logic Apps on the Microsoft side; Apps Script or AppSheet on the Google side.
  • Rules that auto-forward mail, copy files, or push data to attacker-run endpoints.
  • Tasks triggered by “normal” events: new invoices, approvals, or ticket updates.

Service accounts & integrations

  • SaaS integrations with broad access to mailboxes, storage, or calendars.
  • “Headless” accounts created for migration or automation that never expire.
  • API keys or secrets stored in wikis, ticketing systems, or CI/CD pipelines.

Rethinking what “fully remediated” means

Post-incident cloud hygiene

  • Review OAuth apps and add-ins created or consented near the incident window.
  • Audit forwarding rules, transport rules, and automation flows for exfil patterns.
  • Inventory service accounts, shared mailboxes, and “migration” identities.
  • Ensure risky legacy protocols (basic authentication for IMAP, POP, and SMTP, for example) are disabled or tightly constrained.

Signals worth investing in

  • New app registrations and consent to high-privilege scopes.
  • Creation or modification of mailbox rules with external recipients.
  • Unusual automation behavior: spikes in flow runs or script execution.
  • Tokens or sessions active from impossible-travel or otherwise unusual locations.
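
The auto-forwarding rules described under “Automation as infrastructure”, the forwarding and transport rule audit in the hygiene list, and the mailbox-rule signal above all come down to one check: who is quietly getting a copy of mail, and what is being done to hide it. As an added example, not the article’s own code, the script below scores rule changes from Exchange admin audit and Google Workspace user-accounts audit for external recipients plus the evasion tricks that usually travel with them. The events are constructed and simplified; the internal domain list, the severity weights, and the flat record shape are assumptions.

```python
"""Triage mailbox-rule and forwarding changes for exfiltration patterns.

Added example; the events are constructed, and the flat shape (platform,
operation, actor, params) is an assumption. Recipient parameters keep the
'"Name"[SMTP:addr]' form Exchange audit records use for rule recipients.
"""
import re

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumption for the sample tenant
# Inbox-rule and transport-rule parameters that send a copy of mail elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "BlindCopyTo", "RedirectMessageTo")
# Folders used to park forwarded or stolen mail where the victim rarely looks.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "junk email", "deleted items"}
BEC_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "swift"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_addresses(value):
    """Pull SMTP addresses out of a parameter that may be a bare address, a
    '"Display Name"[SMTP:addr]' string, or a list of either."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [a for v in value for a in extract_addresses(v)]
    return [a.lower() for a in EMAIL_RE.findall(str(value))]


def _words(value):
    if value is None:
        return set()
    if isinstance(value, (list, tuple)):
        return {str(w).lower() for w in value}
    return {w.lower() for w in re.findall(r"[A-Za-z]+", str(value))}


def _is_true(value):
    return str(value).lower() == "true"


def is_external(addr):
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def assess_rule_event(rec):
    """Score one rule/forwarding change. Severity 5+ means mail leaves the tenant."""
    p = rec.get("params", {})
    recipients = [a for k in FORWARD_PARAMS for a in extract_addresses(p.get(k))]
    if rec["platform"] == "google" and rec["operation"] == "email_forwarding_out_of_domain":
        recipients += extract_addresses(p.get("email_forwarding_destination_address"))
    external = sorted({a for a in recipients if is_external(a)})
    severity, reasons = 0, []
    if external:
        severity += 5
        reasons.append("forwards mail to external address: " + ", ".join(external))
        if rec["operation"].endswith("TransportRule"):
            severity += 3   # a transport rule copies mail tenant-wide, not from one mailbox
            reasons.append("transport rule: affects every message it matches")
    if _is_true(p.get("DeleteMessage")):
        severity += 2
        reasons.append("deletes the original so the victim never sees it")
    if _is_true(p.get("MarkAsRead")):
        severity += 1
        reasons.append("marks mail as read to hide activity")
    folder = str(p.get("MoveToFolder", "")).split("\\")[-1].strip().lower()
    if folder in HIDE_FOLDERS:
        severity += 2
        reasons.append(f"moves mail to a rarely viewed folder ({folder})")
    if _words(p.get("SubjectContainsWords")) & BEC_WORDS:
        severity += 2
        reasons.append("filters on payment-related subjects (BEC pattern)")
    name = str(p.get("Name", "")).strip()
    if name and len(name) <= 2:
        severity += 1
        reasons.append(f"non-descriptive rule name {name!r}")
    return {"actor": rec["actor"], "operation": rec["operation"],
            "severity": severity, "external": external, "reasons": reasons}


def triage_rule_events(records, min_severity=5):
    """Assess every event and return those at or above min_severity, worst first."""
    hits = [h for h in map(assess_rule_event, records) if h["severity"] >= min_severity]
    hits.sort(key=lambda h: h["severity"], reverse=True)
    return hits


# Constructed sample events (not real tenant data).
SAMPLE_RULE_EVENTS = [
    {"platform": "m365", "operation": "New-InboxRule", "actor": "jdoe@example.com",
     "params": {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
                "ForwardTo": '"Finance Backup"[SMTP:finance.backup@proton-mail.example]',
                "DeleteMessage": "True"}},
    {"platform": "m365", "operation": "Set-InboxRule", "actor": "asmith@example.com",
     "params": {"Name": "Team updates", "ForwardTo": "teamlead@example.com",
                "MoveToFolder": "asmith@example.com:\\RSS Feeds"}},
    {"platform": "m365", "operation": "New-TransportRule", "actor": "admin@example.com",
     "params": {"Name": "Compliance copy", "BlindCopyTo": ["archive@mail-archive-svc.example"]}},
    {"platform": "google", "operation": "email_forwarding_out_of_domain",
     "actor": "bjones@example.com",
     "params": {"email_forwarding_destination_address": "b.jones.personal@gmail.com"}},
]

if __name__ == "__main__":
    for h in triage_rule_events(SAMPLE_RULE_EVENTS):
        print(f"[{h['severity']:2}] {h['actor']} {h['operation']}: " + "; ".join(h["reasons"]))
```

On the sample data the one-character inbox rule that forwards invoice mail externally and deletes the original scores highest, the transport rule that blind-copies every matching message to an outside archive comes next, and the Google out-of-domain forward is flagged on the external recipient alone. The internal forward into the RSS Feeds folder stays below the threshold but is still scored, so it can be pulled up for review if the mailbox owner is already a person of interest.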

Design for fewer high-risk paths

  • Reduce the number of identities that can grant tenant-wide consent.
  • Apply strong review processes for new integrations and automations.
  • Standardize on vetted patterns for common workflows (invoicing, HR, approvals).

If you can only do a few things this quarter

Build an “agent inventory”

Create and maintain a list of all entities that can act as a user or system: human identities, service accounts, OAuth apps, automations, and privileged devices. Review who owns them, and what they can touch.
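
The inventory is only useful if it answers the two questions above for every entry: who owns it, and what it can touch. As an added example (not the article’s own code), the script below takes a flat snapshot of humans, service accounts, OAuth apps, and automations and flags the ones that need an owner or a review: no owner, dormant, non-expiring or already-expired credentials, and the ability to act as any user (Google domain-wide delegation, or Microsoft Graph application permissions). The snapshot is constructed and its record shape is this example’s assumption; in practice it would be assembled from directory, app-registration, delegation, and automation exports.

```python
"""Build an 'agent inventory' and flag the entries that need an owner or a review.

Added example; the snapshot is constructed and the record shape (id, kind,
owner, acts_as, scopes, last_used, credential_expires) is an assumption.
"""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)
# Fixed 'now' so the example is deterministic; use datetime.now(timezone.utc) in practice.
AS_OF = datetime.fromisoformat("2024-06-01T00:00:00+00:00")
KINDS_WITH_CREDENTIALS = {"service_account", "oauth_app"}


def agent_flags(agent, as_of=AS_OF):
    """Return the set of review flags for one agent record."""
    flags = set()
    if not agent.get("owner"):
        flags.add("no_owner")
    last_used = agent.get("last_used")
    if last_used is None or as_of - datetime.fromisoformat(last_used) > DORMANT_AFTER:
        flags.add("dormant")
    expires = agent.get("credential_expires")
    if agent["kind"] in KINDS_WITH_CREDENTIALS and expires is None:
        flags.add("non_expiring_credential")
    if expires and datetime.fromisoformat(expires) < as_of:
        flags.add("expired_credential")   # expired secrets tend to get rotated, not removed
    # 'any_user' models Google domain-wide delegation or Microsoft Graph
    # application permissions: the agent acts without any user signing in.
    acts_as = agent.get("acts_as")
    if acts_as == "any_user":
        flags.add("acts_as_any_user")
    elif isinstance(acts_as, list) and len(acts_as) > 1:
        flags.add("acts_as_multiple_users")
    return flags


def inventory_report(agents, as_of=AS_OF):
    """Flag every agent; return flagged agents (most flags first) and per-flag counts."""
    flagged, counts = [], {}
    for a in agents:
        flags = agent_flags(a, as_of)
        if not flags:
            continue
        flagged.append({"id": a["id"], "kind": a["kind"], "owner": a.get("owner"),
                        "scopes": a.get("scopes", []), "flags": sorted(flags)})
        for f in flags:
            counts[f] = counts.get(f, 0) + 1
    flagged.sort(key=lambda x: (-len(x["flags"]), x["id"]))
    return {"flagged": flagged, "counts": counts}


# Constructed snapshot (not real tenant data).
SAMPLE_AGENTS = [
    {"id": "jdoe@example.com", "kind": "human", "owner": "jdoe@example.com",
     "acts_as": "self", "last_used": "2024-05-30T08:00:00+00:00"},
    {"id": "migration-svc@example.com", "kind": "service_account", "owner": None,
     "acts_as": "any_user",   # domain-wide delegation left over from a mailbox migration
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"],
     "last_used": "2023-11-01T00:00:00+00:00", "credential_expires": None},
    {"id": "helpdesk-bot", "kind": "oauth_app", "owner": "it-ops@example.com",
     "acts_as": "any_user",   # application permission, no signed-in user needed
     "scopes": ["Mail.ReadWrite"], "last_used": "2024-05-31T12:00:00+00:00",
     "credential_expires": "2024-12-01T00:00:00+00:00"},
    {"id": "invoice-approval-flow", "kind": "automation", "owner": "finance@example.com",
     "acts_as": ["ap-shared@example.com"], "scopes": ["Mail.Send"],
     "last_used": "2024-05-28T09:00:00+00:00"},
    {"id": "legacy-crm-connector", "kind": "oauth_app", "owner": "former-employee@example.com",
     "acts_as": ["sales1@example.com", "sales2@example.com"],
     "scopes": ["User.Read", "Contacts.Read"], "last_used": "2024-01-15T00:00:00+00:00",
     "credential_expires": "2024-02-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    report = inventory_report(SAMPLE_AGENTS)
    for entry in report["flagged"]:
        print(f"{entry['id']:28} {entry['kind']:16} owner={entry['owner']} "
              f"flags={', '.join(entry['flags'])}")
    print("totals:", report["counts"])
```

The ownerless, dormant migration service account that can still act as any user with mail and Drive scopes is exactly the “headless account that never expires” from the service-accounts section, and it tops the list. The helpdesk bot is healthy but still listed, because anything that can act as any user belongs on the review cadence regardless of hygiene.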

Tighten who can approve new apps and flows. For business-critical automations, document their purpose and owners, and ensure there’s a clear change and review process.

Add 3–5 high-value detections

Focus on OAuth, mailbox rule abuse, and unusual admin behavior in M365/Workspace first. Even a small set of solid signals dramatically improves your ability to spot cloud-native persistence.

Run a focused tabletop

Simulate an intrusion where no malware is found, but business email and SaaS are compromised. See how leadership and responders react when the usual “reimage the host” playbook doesn’t apply.
