Threat actors are leaning on trusted services more than ever
Living off trusted services (LOTS) is becoming an integral part of many cyber attacks
Cyber threats are increasingly incorporating legitimate services in their attack chain, researchers warn.
In its latest threat intelligence report, email security platform Mimecast said it flagged more than 5 billion threats in the second half of 2024.
Mimecast identified the growing trend of living off trusted services (LOTS) attacks as its most significant finding over the period, as attackers increasingly incorporate legitimate IT tools in their TTPs to avoid detection.
It noted this approach is particularly useful in helping get around a recent push in the security industry to raise the levels of authentication required to access corporate accounts.
“While the technologies make their attacks more complicated, the attackers continue to find services to pass authentication and alignment checks,” the report explained.
Mimecast said a significant number of these threats take advantage of major cloud providers for a wide array of their attacks, but also leverage individual aspects of other cloud services for specific parts of the kill chain.
“Microsoft’s, Google’s, and Evernote’s cloud services commonly play hosts for threat actor’s payloads and landing pages,” the report warned.
“However, other cloud services are frequently being used for specific components of attack structure: Cloudflare's Turnstyle CAPTCHAs are regularly used to prevent threat analysis.”
But it added that as these larger providers work to root out abuse of their platforms, attackers have been observed using smaller services from providers like Airtable, Publuu, and Wave Compliance.
Geopolitical lures used to deceive staff
Mimecast also called attention to the extent to which human error still plagues businesses as the most consistent element in cyber incidents.
The report warned that humans continue to have a primary role in successful breaches, citing data from Verizon that showed 68% of successful breaches that occurred in 2023 had “a non malicious human element”.
Mimecast referenced findings from a survey by EY, which found 34% of employees reported they were worried they might be the weakness exploited in a breach, even though 86% said they were knowledgeable about the types of threats they face.
The report showed threat actors frequently use references to current geopolitical events in their phishing lures, with China-Taiwan, the South China Sea, and China’s activities related to cutting undersea cables the top three geopolitical lures seen by Mimecast researchers.
RELATED WHITEPAPER
Mimecast detailed a number of threat-specific countermeasures to address concerns businesses have with the human aspect of their defense posture.
Firstly, organizations should implement a robust framework for human risk management that aligns both security objectives and business targets. By doing so, firms can develop a “multi-tiered response system that differentiates between unintentional mistakes and malicious actions”, Mimecast advised.
Awareness training is also an essential part of any countermeasure, but the report emphasized that staff must be educated on not just the general cyber risks they face but how global events can influence threat campaigns.
“By implementing robust awareness training programs and human risk platforms to guardrail users, organizations can strengthen their human firewall against both conventional cyberattacks and those driven by geopolitical motives,” Mimecast advised.
MORE FROM ITPRO
-
ITPro Excellence Awards winners unveiledIt's time to celebrate excellence in IT. Read on for the full list of winners...
-
This new mobile compromise toolkit enables spyware, surveillance, and data theftNews The professional package allows even unsophisticated attackers to take full control of devices
-
Security experts warn Substack users to brace for phishing attacks after breachNews Substack CEO Christ Best confirmed the incident occurred in October 2025
-
Google issues warning over ShinyHunters-branded vishing campaigns
News Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Hackers are using LLMs to generate malicious JavaScript in real time – and they’re going after web browsersNews Defenders advised to use runtime behavioral analysis to detect and block malicious activity at the point of execution, directly within the browser
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point
-
Microsoft warns of rising AitM phishing attacks on energy sectorNews The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
-
Hacked London council warns 100,000 households at risk of follow-up scamsNews The council is warning residents they may be at increased risk of phishing scams in the wake of the cyber attack.
-
Warning issued as surge in OAuth device code phishing leads to M365 account takeoversNews Successful attacks enable full M365 account access, opening the door to data theft, lateral movement, and persistent compromise
