Threat actors are leaning on trusted services more than ever
Living off trusted services (LOTS) is becoming an integral part of many cyber attacks
Cyber threats are increasingly incorporating legitimate services in their attack chain, researchers warn.
In its latest threat intelligence report, email security platform Mimecast said it flagged more than 5 billion threats in the second half of 2024.
Mimecast identified the growing trend of living off trusted services (LOTS) attacks as its most significant finding over the period, as attackers increasingly incorporate legitimate IT tools in their TTPs to avoid detection.
It noted that this approach is particularly useful for getting around the security industry's recent push to raise the levels of authentication required to access corporate accounts.
“While the technologies make their attacks more complicated, the attackers continue to find services to pass authentication and alignment checks,” the report explained.
Mimecast said a significant number of these threats take advantage of major cloud providers for a wide array of their attacks, but also leverage individual aspects of other cloud services for specific parts of the kill chain.
“Microsoft’s, Google’s, and Evernote’s cloud services commonly play hosts for threat actor’s payloads and landing pages,” the report warned.
“However, other cloud services are frequently being used for specific components of attack structure: Cloudflare's Turnstile CAPTCHAs are regularly used to prevent threat analysis.”
But it added that as these larger providers work to root out abuse of their platforms, attackers have been observed using smaller services from providers like Airtable, Publuu, and Wave Compliance.
Geopolitical lures used to deceive staff
Mimecast also called attention to the extent to which human error still plagues businesses as the most consistent element in cyber incidents.
The report warned that humans continue to have a primary role in successful breaches, citing data from Verizon that showed 68% of successful breaches that occurred in 2023 had “a non-malicious human element”.
Mimecast referenced findings from a survey by EY, which found 34% of employees reported they were worried they might be the weakness exploited in a breach, even though 86% said they were knowledgeable about the types of threats they face.
The report showed threat actors frequently use references to current geopolitical events in their phishing lures, with China-Taiwan, the South China Sea, and China’s activities related to cutting undersea cables the top three geopolitical lures seen by Mimecast researchers.
Mimecast detailed a number of threat-specific countermeasures to address concerns businesses have with the human aspect of their defense posture.
Firstly, organizations should implement a robust framework for human risk management that aligns both security objectives and business targets. By doing so, firms can develop a “multi-tiered response system that differentiates between unintentional mistakes and malicious actions”, Mimecast advised.
Awareness training is also an essential part of any countermeasure, but the report emphasized that staff must be educated not just on the general cyber risks they face but also on how global events can influence threat campaigns.
“By implementing robust awareness training programs and human risk platforms to guardrail users, organizations can strengthen their human firewall against both conventional cyberattacks and those driven by geopolitical motives,” Mimecast advised.
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.