The Ghost in Your Cloud: How Hackers Use Social Engineering to Infiltrate and Attack
Unmasking the "low and slow" identity attacks where threat actors lie in wait within your cloud accounts, and how to fight back before they strike.
There's a Ghost in Your Cloud Machine
When we think of a cyberattack, what usually comes to mind? Probably a frantic, high-stakes event. Alarms blare, screens flash with ransomware demands, and IT teams scramble to contain the damage. It’s a digital home invasion—loud, messy, and immediate. But what if the biggest threat isn't the one kicking down the door? What if it’s the one that picked the lock weeks ago, slipped in silently, and has been living in your walls ever since, learning your habits and waiting for the perfect moment to strike?
This is the reality of a new and dangerously effective attack strategy targeting the heart of modern business: your cloud accounts. These aren't your typical smash-and-grab hacks. Instead, threat actors are playing the long game. They use sophisticated psychological tricks to compromise a single cloud identity, establish a hidden, dormant presence, and then patiently wait before continuing their attack.
The Burglar vs. The Squatter: A New Threat Paradigm
Let's use an analogy to really drive this home. A traditional cyberattack is like a burglar.1 They break a window (exploit a vulnerability), grab the valuables (data), and get out as fast as they can. The entire event is noisy and over quickly.
This new threat is more like a squatter. They don't break windows; they talk their way in the front door by pretending to be a maintenance worker.1 Once inside, they don't start smashing things. They find an unused room in the attic, set up camp, and live there quietly for weeks or even months. They learn the layout of the house, figure out when you're not home, and find where you keep your most valuable possessions. By the time they decide to act, they know your home better than you do. This is the essence of a "low and slow" identity attack: initial access, a long period of dormancy, and then a devastating, well-planned final move.
Why Your Cloud Identity is the New Front Door
So, why the shift? Because the definition of a "corporate network" has changed. Years ago, our digital assets were inside a fortress with a moat—a physical office with a strong network perimeter. Today, our most critical data and applications live in the cloud, in platforms like Microsoft 365, Google Workspace, and AWS.2 The new perimeter isn't a firewall; it's your identity. Your email address and password are the keys to the entire kingdom.3
Threat actors have realized this. Why bother trying to breach a heavily fortified endpoint when you can simply trick an employee into handing over their cloud credentials? Statistics show that a staggering 98% of cyberattacks rely on social engineering, targeting the human element rather than complex technical flaws.4 Once an attacker compromises a cloud identity, they don't just have access to one computer; they have a foothold in your entire digital ecosystem.
Phase 1: The Art of the Breach - Gaining That First Foothold
Every successful "low and slow" attack begins with a single, critical step: compromising a valid cloud account. But forget the poorly worded, generic phishing emails of the past. Today's attackers are master manipulators, using highly personalized and technically clever social engineering tactics to bypass even savvy users.
Going Beyond Your Everyday Phishing Email
Modern social engineering is a masterclass in psychological warfare. Attackers meticulously research their targets using public sources like LinkedIn, social media, and corporate websites—a process known as Open-Source Intelligence (OSINT).5 They learn your company's hierarchy, your job title, who your boss is, and what projects you're working on.
Armed with this information, they craft incredibly convincing scenarios, or "pretexts." They might impersonate a senior leader like the CEO (a technique called "whaling") with an urgent request, or they might pose as a helpful IT support agent offering to fix a non-existent problem.7 The goal is always the same: to exploit human psychology—our trust, our fear, or our desire to be helpful—to trick us into making a security mistake.4
Case Study in Deception: The Help Desk Takedown
Consider this real-world example investigated by the security firm Unit 42. An attacker, having gathered personal details about a specific employee, called the company's IT help desk. Posing as the locked-out employee, the attacker used the stolen personal information to successfully pass the identity verification checks.9 Convinced, the help desk agent reset the employee's multi-factor authentication (MFA) and gave the attacker access.
What happened next is crucial. The attacker logged in, moved through the cloud environment using legitimate administrative tools, and ultimately exfiltrated over 350 GB of sensitive customer data. The most terrifying part? No malware was ever used.10 The entire breach was accomplished with valid, stolen credentials. No endpoint security tool would have ever flagged it because, from a technical standpoint, everything looked like normal user activity.
Weaponizing the Cloud's Own Tools: The Device Code Phishing Gambit
Attackers are also getting more creative by turning a cloud platform's own legitimate features against it. A recent campaign targeting Microsoft 365 users showcases this perfectly. The attack, known as Device Code Phishing, abuses a feature designed to let users log into devices with limited input, like smart TVs.11
Here's how it works:
The Setup: The attacker first engages the target in a real-time chat, perhaps over a secure app like Signal, impersonating someone from a trusted organization.11
The Lure: They tell the target they need to join a secure meeting or document portal and will be sending an email invitation. This real-time coordination is key because the device codes they use expire in just 15 minutes.11
The Trap: The target receives an email with a link. When clicked, this link takes them to a real Microsoft login page (https://login.microsoftonline.com/common/oauth2/deviceauth). The page asks the user to enter a short code provided in the email.
The Compromise: The user, seeing a legitimate Microsoft URL, enters the code and logs in with their credentials. What they don't realize is that they have just authorized the attacker's device, granting it long-term, persistent access to their M365 account.11
This attack is brilliant because it bypasses traditional email security. There are no malicious attachments to scan and no fake websites to block. The attacker simply tricks the user into misusing a legitimate cloud feature.
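Because the sign-in happens on a genuine Microsoft page, the place to look for this pattern is the tenant's own sign-in log rather than the mail gateway. The hunt below is an added example and not code from the original article: the field names follow the Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName, location), but the records are constructed and a real hunt would baseline each user's countries over weeks, not three days.

```python
"""Flag device-code sign-ins in an Entra ID sign-in log export.

Added example. Field names follow the Microsoft Graph signIn schema; the
records themselves are constructed sample data, not a real tenant export.
"""
import json
from collections import defaultdict

# Constructed export: two ordinary sign-ins for jane, then a device-code sign-in
# for her from a country she has never used, and a device-code sign-in by an
# ops engineer from a country already in that user's history.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-01T13:05:00Z", "userPrincipalName": "jane@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-02T14:20:00Z", "userPrincipalName": "jane@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-03T10:41:00Z", "userPrincipalName": "jane@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-04-20T09:00:00Z", "userPrincipalName": "ops@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-03T11:00:00Z", "userPrincipalName": "ops@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "US"}},
])


def known_countries(signins):
    """Countries each user has signed in from via ordinary (non-device-code) flows."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def device_code_signins(signins):
    """Every device-code sign-in, rated high when the country is new for that user.

    Device-code logins are legitimate for CLI tools and headless devices, so
    the flow itself is only medium; the combination with a never-seen country
    is what should page someone.
    """
    known = known_countries(signins)
    hits = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        hits.append({"user": user, "time": s["createdDateTime"], "country": country,
                     "ip": s["ipAddress"],
                     "severity": "high" if country not in known[user] else "medium"})
    return hits


def hunt(raw=SAMPLE_EXPORT):
    """Parse an export and return the device-code findings, most severe first."""
    hits = device_code_signins(json.loads(raw))
    return sorted(hits, key=lambda h: h["severity"] != "high")


if __name__ == "__main__":
    for h in hunt():
        print(h["severity"].upper(), h["user"], h["time"], h["country"], h["ip"])
```

Where no team needs the device code flow at all, blocking it with a Conditional Access policy removes this class of phishing outright, and the hunt above then only needs to fire on policy bypasses.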
Phase 2: The Long Con - How Attackers Go Dormant and Hide in Plain Sight
Gaining access is just the opening move. For the patient predator, the next phase is the most critical: establishing persistence and going dormant. This isn't about laziness; it's a calculated strategy to become part of the background noise, making eventual detection nearly impossible.
Playing the Long Game: The Strategic Value of "Dwell Time"
In cybersecurity, "dwell time" is the period between the initial compromise and when the attacker is finally detected.13 For an attacker, dwell time is gold. The longer they can remain unnoticed in your network, the more they can explore, escalate their privileges, and plan their final move. According to reports, the average dwell time for a breach can be weeks or even months, with some lasting over 200 days.14
This extended presence has a direct financial impact. Breaches with dwell times over 200 days cost an average of $4.45 million, significantly more than those caught more quickly.14 The squatter analogy holds true: the longer someone lives in your house undetected, the more damage they can do when they finally decide to act.
Living Off the Land: The "Low and Slow" Method to Avoid Detection
To maximize dwell time, attackers employ a "low and slow" methodology.16 Think of it as the difference between a spy and a soldier. A soldier launches a loud, obvious assault that immediately draws attention. A spy, however, gathers intelligence bit by bit, performing small, seemingly insignificant actions over a long period.17
In the digital world, this means avoiding any sudden spikes in activity that might trigger security alerts. Instead of downloading gigabytes of data at once, they might exfiltrate a few megabytes every day. Instead of scanning the whole network, they might probe one or two systems a week. Each individual action is too small to trip the alarms of traditional security tools, which are often designed to detect high-volume, "noisy" attacks.17 They are flying under the radar by mimicking the patterns of legitimate, everyday traffic.
Technique 1: Hiding in the Cloud's Forgotten Corners
One of the most effective ways attackers hide is by exploiting the sheer complexity and scale of modern cloud environments. Most organizations only use a fraction of the services and geographic regions offered by providers like AWS, Azure, and GCP. This creates massive blind spots.
Attackers who have compromised an account can programmatically list all available cloud regions and identify those that the company isn't actively using or monitoring.19 They then use these "ghost regions" as their private safe house. They can spin up virtual machines, set up storage buckets for stolen data, and build out their attack infrastructure, all while remaining completely invisible to security teams who are only watching the "active" regions.19 This tactic cleverly bypasses not only security monitoring but also budget alarms and data loss prevention (DLP) policies, which are rarely configured globally.
Technique 2: Creating Digital Backdoors with Dormant Accounts
Another key persistence technique is to manipulate identities directly within the cloud environment. This aligns with the "Persistence" tactic (TA0003) in the widely used MITRE ATT&CK framework.20 Once inside, an attacker can:
Create New Credentials: They can generate new access keys or secrets for the compromised user account or for other service accounts. This gives them a new key to the house, so even if the original one is changed, they can still get in.21
Add New Roles/Permissions: They can escalate the privileges of the compromised account or create a new, seemingly innocuous account and grant it powerful permissions over time.20
Hijack Dormant Accounts: This is a particularly insidious tactic. Large organizations often have hundreds of "dormant" accounts belonging to former employees or old service applications that were never properly decommissioned.22 These accounts are a goldmine for attackers. According to Google, abandoned accounts are at least 10 times less likely to have MFA enabled, making them easy targets for takeover.22 By reactivating one of these forgotten accounts, an attacker can blend in perfectly.
Phase 3: The Attack Unfurls - From Silent Squatter to Active Threat
After weeks or months of silent preparation, the attacker is ready to act. They have mapped the environment, secured their access, and identified their targets. Now, they transition from a passive, dormant state to an active assault, all while leveraging the deep foothold they've established.
Mapping the Mayhem: The Attacker's Post-Dormancy Playbook
To understand the attacker's next steps, we can turn to the MITRE ATT&CK framework, which provides a standardized language for describing adversary behaviors. Once the dormant phase ends, the attacker's actions typically follow a logical progression:
Phase: Initial Access (Tactic TA0001)
Technique: Phishing (T1566)
Description: The attack begins by using pretexting and impersonation to trick a user into an action like Device Code Authentication.7
Phase: Dormancy & Persistence (Tactics TA0003 & TA0005)
Technique: Account Manipulation (T1098.001) & Unused/Unsupported Cloud Regions (T1535)
Description: The attacker establishes a long-term foothold by creating new access keys or service principals for persistent access.20 They evade detection by setting up malicious infrastructure in unmonitored cloud regions.19
Phase: Attack Unfurls (Tactics TA0007, TA0008, TA0009)
Technique: Discovery, Lateral Movement, and Collection (T1526, T1021.007, T1530)
Description: The final stage involves enumerating available cloud services like databases and storage to find high-value targets.24 The attacker then uses the compromised identity to pivot to other connected cloud services (lateral movement) 25 and begins accessing and gathering sensitive data from platforms like AWS S3 or OneDrive.26
First, they engage in Discovery (TA0007). They use their access to enumerate all the cloud services, storage buckets, and databases available to them, looking for the crown jewels.24 Next comes Lateral Movement (TA0008), where they use the compromised identity as a pivot point to access other connected systems and applications, spreading their influence across the cloud environment.28 Finally, they begin Collection (TA0009), actively gathering the sensitive data they've identified and staging it for exfiltration, often in one of those hidden cloud storage buckets they created during their dormant phase.26
The Defender's Dilemma: Why Your Old Security Playbook is Failing
These "low and slow" attacks are so successful precisely because they are designed to circumvent traditional security measures. Your old playbook is simply not equipped for this new game.
Security tools like firewalls and intrusion detection systems (IDS) are often built on static rules and signatures. They're great at spotting a known piece of malware or blocking a brute-force attack that generates thousands of failed logins in a minute.16 But what happens when the "attacker" is using valid credentials? What happens when their network traffic looks perfectly normal, just spread out over a long period?
The answer is: nothing. The alarms stay silent. The attacker is using legitimate cloud tools and authenticated credentials. Their intent is malicious, but their actions, when viewed in isolation, appear benign. This fundamental mismatch between static, rule-based security and a dynamic, patient attacker is why these threats so often go completely undetected until it's far too late.17
Turning the Tables: A Modern Defense Against the Patient Predator
So, how do you fight a ghost? You can't use the same old traps. Defending against this threat requires a fundamental shift in mindset and technology—from a reactive posture to a proactive one, and from static rules to dynamic, behavioral analysis.
Principle 1: Assume You're Breached and Hunt Proactively
The first step is to adopt an "assume breach" mentality. Don't wait for an alarm to tell you something is wrong. Instead, you need to actively hunt for threats within your environment.31 Threat hunting is a proactive process where your security team, guided by hypotheses, searches for the subtle signs of a compromise that automated systems might have missed.32
Instead of waiting for an alert, a threat hunter might ask:
"Are any of our dormant user accounts suddenly showing API activity?"
"Has anyone created a new virtual machine in our unused AWS Ireland region?"
"Is this user, who has never accessed our financial database before, suddenly querying it?"
This proactive searching drastically reduces attacker dwell time and is one of the most effective ways to uncover a dormant intruder before they can execute their plan.33
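The three hunting questions above map directly onto the persistence techniques from Phase 2 (activity from dormant accounts, resources created in unused regions, new keys minted for other principals). The script below is an added example, not the article's or any vendor's code: it runs those checks over constructed CloudTrail-style records, and the 90-day dormancy threshold and single-region allow-list are assumptions a real team would tune to its own environment.

```python
"""Threat-hunting checks over AWS CloudTrail records.

Added example. The records below are constructed and carry only a subset of
the real CloudTrail schema (eventTime, eventName, awsRegion, userIdentity,
requestParameters); thresholds are assumptions, not recommendations.
"""
import json
from datetime import datetime, timedelta

ALLOWED_REGIONS = {"us-east-1"}        # assumption: the only region in active use
DORMANT_AFTER = timedelta(days=90)     # assumption: 90 days idle counts as dormant

# Constructed events: a long-idle service account spins up a VM in an unused
# region and mints an access key for a different user; jane does routine work.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-06-01T02:10:00Z","eventName":"RunInstances","awsRegion":"eu-west-1",
  "userIdentity":{"userName":"svc-legacy"},"sourceIPAddress":"198.51.100.7","requestParameters":{}},
 {"eventTime":"2024-06-01T02:12:00Z","eventName":"CreateAccessKey","awsRegion":"us-east-1",
  "userIdentity":{"userName":"svc-legacy"},"sourceIPAddress":"198.51.100.7",
  "requestParameters":{"userName":"backup-admin"}},
 {"eventTime":"2024-06-01T09:00:00Z","eventName":"DescribeInstances","awsRegion":"us-east-1",
  "userIdentity":{"userName":"jane"},"sourceIPAddress":"203.0.113.10","requestParameters":null}
]""")

# Constructed "last activity" snapshot, as you would take from an IAM credential report.
LAST_SEEN = {"svc-legacy": "2023-11-15T00:00:00Z", "jane": "2024-05-31T17:00:00Z"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def dormant_account_activity(events, last_seen, dormant_after=DORMANT_AFTER):
    """Any API call by an identity whose previous activity is older than the threshold."""
    hits = []
    for e in events:
        user = e["userIdentity"].get("userName")
        prev = last_seen.get(user)
        if prev and _ts(e["eventTime"]) - _ts(prev) > dormant_after:
            hits.append((user, e["eventName"], e["awsRegion"]))
    return hits


def ghost_region_activity(events, allowed=ALLOWED_REGIONS):
    """Write-type calls (anything not a read-only Describe/List/Get) outside the allow-list."""
    return [(e["userIdentity"].get("userName"), e["eventName"], e["awsRegion"])
            for e in events
            if e["awsRegion"] not in allowed
            and not e["eventName"].startswith(("Describe", "List", "Get"))]


def keys_created_for_other_users(events):
    """CreateAccessKey where the key is minted for a principal other than the caller.

    CreateAccessKey without a userName targets the caller, so that case is benign here.
    """
    hits = []
    for e in events:
        if e["eventName"] != "CreateAccessKey":
            continue
        caller = e["userIdentity"].get("userName")
        target = (e.get("requestParameters") or {}).get("userName", caller)
        if target != caller:
            hits.append((caller, target))
    return hits


def hunt(events=SAMPLE_EVENTS, last_seen=LAST_SEEN):
    """Run all three hypotheses and return the findings keyed by hypothesis."""
    return {"dormant": dormant_account_activity(events, last_seen),
            "ghost_region": ghost_region_activity(events),
            "cross_user_keys": keys_created_for_other_users(events)}


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(f"{name}: {hits}")
```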
Principle 2: Use AI to Spot the Unseen with UEBA
You can't hunt for what you can't see, and that's where technology like User and Entity Behavior Analytics (UEBA) comes in. UEBA is the perfect technological counter to the "low and slow" problem.34
Instead of relying on fixed rules, UEBA platforms use machine learning to build a unique behavioral baseline for every single user and entity (like servers, applications, and devices) in your cloud environment.36 It learns what "normal" looks like for each person. It knows that Jane from accounting usually logs in from New York between 9 am and 5 pm and typically downloads about 50 MB of data per day.
When a dormant attacker using Jane's account finally makes a move—perhaps by logging in from a new country at 3 am or by accessing a developer's code repository—the UEBA system instantly flags this as a high-risk anomaly.38 It's not breaking a rule, but it's breaking the pattern. This ability to detect subtle deviations in behavior is precisely what's needed to catch an attacker who is trying to blend in.
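To make the "Jane from accounting" baseline concrete, the code below is an added example (not the article's, and not how any particular UEBA product works internally): it builds a per-user baseline from a constructed history of countries, login hours, daily download volume and resources touched, then scores a new event by how many of those dimensions it breaks. The hour slack and the three-standard-deviation volume threshold are assumptions.

```python
"""Minimal UEBA-style baseline and anomaly scoring for one cloud identity.

Added example. History and events are constructed; a production system would
baseline far more signals over a much longer window.
"""
from statistics import mean, pstdev

# Constructed history for Jane: (date, country, hour_utc, mb_downloaded, resource)
JANE_HISTORY = [
    ("2024-05-06", "US", 9, 40, "erp"),
    ("2024-05-07", "US", 11, 55, "erp"),
    ("2024-05-08", "US", 14, 50, "sharepoint-finance"),
    ("2024-05-09", "US", 16, 45, "erp"),
    ("2024-05-10", "US", 10, 60, "sharepoint-finance"),
]


def build_baseline(history, hour_slack=1):
    """Summarise what 'normal' looks like for one identity from its history."""
    hours = [h for _, _, h, _, _ in history]
    volumes = [mb for _, _, _, mb, _ in history]
    return {
        "countries": {c for _, c, _, _, _ in history},
        "hour_min": min(hours) - hour_slack,      # assumption: +/- 1 hour is still normal
        "hour_max": max(hours) + hour_slack,
        "volume_mean": mean(volumes),
        "volume_sd": pstdev(volumes),
        "resources": {r for _, _, _, _, r in history},
    }


def score_event(baseline, country, hour, mb, resource, sd_multiplier=3):
    """Return the ways a single event deviates from the baseline (empty = normal)."""
    reasons = []
    if country not in baseline["countries"]:
        reasons.append("new_country")
    if not baseline["hour_min"] <= hour <= baseline["hour_max"]:
        reasons.append("off_hours")
    if mb > baseline["volume_mean"] + sd_multiplier * baseline["volume_sd"]:
        reasons.append("volume_outlier")
    if resource not in baseline["resources"]:
        reasons.append("first_access_to_resource")
    return reasons


def risk_level(reasons):
    """One deviation is worth a look; two or more is the pattern break the article describes."""
    if len(reasons) >= 2:
        return "high"
    return "medium" if reasons else "none"


if __name__ == "__main__":
    base = build_baseline(JANE_HISTORY)
    # Constructed events: a routine day, a first touch of a new database, and
    # the 3 am login from a new country pulling gigabytes from a code repo.
    for event in [("US", 10, 55, "erp"), ("US", 10, 52, "finance-db"), ("RO", 3, 2000, "code-repo")]:
        reasons = score_event(base, *event)
        print(event, risk_level(reasons), reasons)
```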
Principle 3: Harden Your Human and Technical Defenses
Finally, you need to strengthen your defenses at both the human and technical levels to make that initial compromise much harder to achieve.
Human Layer: Your security awareness training needs to evolve. Employees must be taught to recognize not just obvious phishing links but also the tactics of pretexting and MFA reset requests.6 They should be empowered to question and verify any unusual request, even if it appears to come from the CEO, by using a different communication channel (like a phone call).
Technical Layer: Enforce the strongest possible phishing-resistant MFA to make credential theft less impactful.23 Aggressively implement the Principle of Least Privilege, ensuring users have access only to the data and systems absolutely necessary for their jobs.23 Conduct regular audits to find and disable dormant and abandoned accounts.3 And critically, restrict and monitor all cloud regions by default, only enabling the ones you actively use.19
Preparing for the Patient Predator
The world of cyber threats has changed significantly. The adversaries we face today are no longer just opportunistic burglars seeking a quick gain. They are now patient predators, willing to wait for the perfect moment to strike. Their focus is on our most valuable asset: our digital identities. Additionally, they exploit our intricate and expansive cloud environments as their hiding places.
Defending against this threat requires us to evolve as well. We must shift our mindset from building impenetrable walls to assuming the attacker is already inside. We must augment our static, rule-based defenses with intelligent, AI-driven systems that can understand behavior and context. By embracing proactive threat hunting, leveraging the power of UEBA, and relentlessly hardening both our human and technical controls, we can turn the tables on these silent intruders and ensure our cloud environments are not a welcoming home for the patient predator.
Frequently Asked Questions (FAQs)
What is the main difference between this type of "low and slow" attack and a typical ransomware attack?
The primary difference is speed and stealth. A typical ransomware attack is fast and noisy; the goal is to encrypt files and announce their presence as quickly as possible to demand a ransom. A "low and slow" identity attack prioritizes stealth and longevity. The attacker stays hidden for a long time (high dwell time) to conduct reconnaissance and plan a more strategic final attack, which could be data theft, espionage, or a much larger, more targeted ransomware deployment.
Why can't my traditional firewall or antivirus software detect these attacks?
Traditional firewalls and antivirus tools are primarily designed to block known threats. They look for malicious files (signatures), block traffic from known bad IP addresses, or detect unusually high volumes of network traffic. In a "low and slow" attack, the threat actor uses legitimate credentials, legitimate cloud tools, and keeps their activity levels low to appear like normal user traffic, making them invisible to these rule-based security systems.
My organization uses MFA. How are attackers still getting in?
While MFA is a critical defense, determined attackers have developed ways to bypass it, often through social engineering. As seen in the case studies, they might trick an IT help desk agent into resetting MFA for a user's account. In other cases, like the Device Code Phishing attack, they trick the user themselves into authorizing the attacker's device through a legitimate MFA-protected login process. This highlights the need for phishing-resistant MFA and continuous user education.
What is the single most important step I can take to reduce my risk from this threat?
While there's no single silver bullet, implementing a robust Identity and Access Management (IAM) program based on the Principle of Least Privilege is arguably the most impactful step. This means ensuring that every user and service account has the absolute minimum level of access required to perform its function. This drastically limits an attacker's ability to move laterally and access sensitive data, even if they do manage to compromise an account.
How does User and Entity Behavior Analytics (UEBA) actually work to detect a dormant attacker?
UEBA works by using machine learning to first establish a baseline of normal, everyday activity for every user and device in your network. It learns who logs in from where, what files they typically access, what applications they use, etc. A dormant attacker's activity will, by definition, deviate from this established baseline once they begin their attack phase. The UEBA system detects these anomalies—like an account accessing a new sensitive database for the first time, or logging in from a new geographic location—and flags them as high-risk, alerting security teams to the potential threat long before a traditional rule is broken.