Hijacked by Trust: How AI.Attackers Weaponize Legitimate Cloud Services
AI-driven attackers (AI.Attackers) exploit legitimate cloud platforms such as DocuSign, Google Apps Script, Google Calendar, and Paste.ee to conduct stealthy phishing, command and control (C2), and data exfiltration campaigns. Known as Living Off Trusted Sites (LOTS), this tactic leverages trusted services to bypass traditional security measures. Crucially, these attackers operate autonomously, using advanced Model Context Protocol (MCP) and Agent2Agent (A2A) technologies to rapidly build malicious infrastructure at scale. Traditional security is not enough. It is time to shift our mindset from reactive to anticipatory.
Introduction: Trust Turned Against You
Trust powers the modern enterprise. Companies rely on trusted cloud services like Google, Microsoft, and DocuSign to drive collaboration and productivity. But what happens when trust becomes a weapon?
Enter AI.Attackers. They are fast, intelligent, self-learning adversaries powered by artificial intelligence. These are not merely human attackers with automated tools. Instead, they operate fully autonomously, using sophisticated MCP and A2A technologies to rapidly build malicious infrastructure.
AI.Attackers embed themselves within legitimate services, evading detection by hiding their malicious intent behind inherent trust. This is not a hypothetical threat. It is active and evolving today.
Using advanced frameworks like MCP and A2A, these attackers autonomously build and coordinate their infrastructure. These technologies allow AI agents to interact with tools and other agents, enabling complex operations without human intervention.
Through MCP, AI agents programmatically create accounts on legitimate platforms such as cloud services, collaboration tools, and content delivery networks. This automation lets attackers quickly establish themselves across multiple services, using these accounts to host malicious content, launch phishing campaigns, and exfiltrate data.
Consider this example. An AI agent uses MCP to register a cloud storage account, upload a malicious payload, and generate a shareable link. Meanwhile, it coordinates with another agent through A2A to distribute phishing emails containing that link. This efficient division of labor enables scalable attacks.
Living Off Trusted Sites (LOTS): Exploiting Trust
The Living Off Trusted Sites (LOTS) Project has thoroughly documented attackers’ use of legitimate domains and cloud services for malicious activities.
While the original LOTS concept emphasizes attackers exploiting legitimate websites, the reality is even broader. AI.Attackers frequently leverage trusted cloud and SaaS services, including cloud storage providers like Dropbox and Google Drive, content delivery networks (CDNs), collaboration tools such as Slack and Microsoft Teams, and various SaaS productivity suites.
By extending LOTS beyond traditional sites, attackers significantly widen their potential infrastructure. These platforms inherently bypass security measures because their traffic appears legitimate, encrypted, and routine. This makes it difficult for defenders to differentiate benign activity from malicious actions.
Here are real-world examples, mapped clearly to MITRE ATT&CK techniques.
1. DocuSign: Phishing with Built-in Credibility
Attackers leverage a DocuSign account to send authentic-looking emails leading users to malicious login portals designed to harvest credentials. Users trust DocuSign, which increases phishing effectiveness dramatically (ESET Research).
MITRE ATT&CK Technique
T1566 – Phishing
2. Paste.ee: Command and Control Hidden in Plain Sight
Platforms like Paste.ee, originally intended for harmless text sharing, now frequently host malicious scripts delivering tools like XWorm and AsyncRAT. Such platforms become stealthy command and control hubs (Hunt.io).
MITRE ATT&CK Technique
T1102 – Web Service
3. Google Apps Script: Automating Phishing Attacks
Attackers deploy deceptive scripts using Google Apps Script, embedding malicious forms within trusted Google infrastructure. Users readily disclose sensitive information to these legitimate-looking forms (Cofense Research).
MITRE ATT&CK Technique
T1203 – Exploitation for Client Execution
4. Google Calendar: Covert Channels for C2
Sophisticated attackers like APT41 embed commands within Google Calendar events, creating stealthy C2 channels disguised as routine traffic. This tactic seamlessly blends malicious operations within trusted productivity tools (Google Threat Intelligence).
MITRE ATT&CK Technique
T1071.001 – Application Layer Protocol
Why Traditional Defenses Fail Against LOTS
Traditional cybersecurity defenses such as firewalls, endpoint solutions, and email filtering rely on detecting known malicious domains or suspicious behaviors. However, when attackers leverage trusted platforms, these defenses fall short because of the following reasons.
Implicit Trust Inbound traffic from legitimate cloud services rarely raises alarms.
Encrypted Traffic SSL or TLS encryption within these platforms shields malicious payloads from inspection.
Routine Usage Patterns Malicious activities closely mimic normal traffic and user interactions.
This creates a critical blind spot. It is exactly what AI.Attackers exploit.
The Autonomous Power of AI.Attackers
Crucially, AI.Attackers distinguish themselves through full autonomy. Using MCP and A2A interactions, these attackers rapidly and automatically spin up malicious infrastructure, perform reconnaissance, and execute campaigns without human oversight. This capability allows them to scale operations dramatically, responding in real time and adapting at machine speed.
These autonomous agents do the following.
- Rapidly establish malicious infrastructure using cloud and web services.
- Coordinate independently via A2A interactions to execute precise, large-scale attacks.
- Learn and adapt in real time, making traditional static defense ineffective.
Interestingly, the infrastructure AI.Attackers deploy provides early-stage infrastructure indicators. Identifying these early signals allows security teams to proactively dismantle attacker strategies. These breadcrumbs do not shout "attack in progress." They whisper an attack is coming."
Proactive Security: Seeing Through the Attacker’s Eyes
Organizations can significantly improve their resilience by shifting from reactive security to proactive measures.
Clear Asset Mapping Know your infrastructure including domains, subdomains, and cloud services to spot anomalies.
Continuous Recon Detection Employ solutions that track attacker infrastructure setups and reconnaissance behaviors autonomously.
Rapid Response Act proactively in order to neutralize threats.
By anticipating and preempting attackers’ autonomous actions, organizations can effectively prevent breaches.
Conclusion: Converting Trust Back into Strength
Trust is no longer the default. It must be validated, verified, and monitored continuously. Platforms we rely on to collaborate, communicate, and store information are now battlegrounds for control. AI.Attackers have turned trusted services into potent weapons.
Shifting from detection to prevention and proactive intervention capabilities can turn the tables. This empowers organizations to detect and neutralize threats at their earliest stages. This approach ensures that trusted platforms remain secure and reliable.
In this new threat landscape dominated by autonomous AI.Attackers leveraging MCP and A2A technologies, the best defense is proactive prevention. It means stopping attacks before they start.
When implemented effectively, trust becomes your strongest security advantage.
