A Candid Perspective on the Cloud Threat Landscape: A Recap from fwd:cloudsec EU

Background

This post is a condensed companion to our fwd:cloudsec EU talk. The same topics, distilled and shared so anyone can read and reuse. The aim is to provide an accurate Cloud Threat Landscape that enables cloud-focused defenders, something that often gets lost in the noise when reading industry publications. 

What follows covers high-level trends, cloud-specific actors, attack, and a few themes that are already shaping incidents. We are also publishing a catalog of 70+ cloud TTPs to help translate these insights into detections and response playbooks.

If you enjoy reading about cloud incidents, you might also enjoy our training or investigating your own cloud incidents with Cloud Labs.

Introduction

A threat landscape is a current picture of who is attacking, how they operate, and what they are targeting. It’s built from real incidents, observable behaviors (TTPs), and measurable trends. In the end, a good landscape enables prioritization, resourcing, and anticipation. The goal is clarity you can act on, even if it isn’t exhaustive.

The problem we have observed is that cloud-specific reporting is often fragmented or lost in noise, and many write-ups are underdeveloped (inconsistent categories, limited telemetry, sparse disclosure). The net effect is less clarity than defenders have in traditional domains.

To tackle this problem, we compiled open-source reporting across 20+ publishers tracked via RSS and direct research, and deliberately sticking to sources so that anyone can reproduce or contribute to it. Our dataset focuses on cloud-native or cloud-related incidents, keeping the lens on 'true' cloud attack activity. 

We tried to stick to ‘true’ cloud native attacks to avoid noise inflation and keep the picture anchored to attacker behavior that defenders will actually face. For example, excluded are reports on OS-centric malware rebranded as 'cloud', or CVEs with no credible evidence of exploitation in the wild, and theoretical techniques that haven’t been observed in real incidents. Lastly, both cloud and provider mentions indicate where the activity occurred, not inherent platform flaws.

The Cloud Threat Landscape

In total, there were at least 41 cases observed between January and September 2025. Below are high-level trends and observations from those cases. To keep the analysis practical, we collapsed actor, attack, and cloud categories into a small set of buckets aligned with how teams triage and detect. This lens favors clarity over completeness. We also highlight notable incidents from the period and spotlight themes that matter now and are likely to affect defenders in the near term.

High-level Trends

Actor Types

Cybercriminals or those financially motivated dominate the dataset (51%), with espionage cases a strong second (24%), unknown attribution fairly common (22%), and malicious insiders being rare (3%).

These stats are not surprising, but it sets priorities for the incidents most teams should expect and prepare for are:

1. Ransomware or Data-extortion
2. Business Email Compromise (BEC)
3. Cryptojacking

Attack Types

The cloud incidents you’re most likely to face are third-party driven and data-focused, with compromised accounts as a common thread. Prioritize visibility into vendor connections, protect data pathways, and keep basic account protections tight.

• Supply chain tops the list (34%) – Most cases start with a third party or connected app. Meaning your risk now includes your vendors and the tools plugged into your cloud.

• Data exfiltration is a common outcome (20%) – Attackers are going straight for information.

• Phishing or BEC is still a reliable driver (15%) – Compromised accounts continue to open doors across cloud services.

• Cryptojacking (12%) – Less headline-grabbing, but it quietly burns budget and signals weak access hygiene.

• Ransomware or data destruction (7%) – Less frequent so far for the cloud in 2025, but when it hits, downtime and recovery costs are high.

• Long tail “Other” (12%) – A reminder that new and niche tactics keep emerging.

Cloud Types

These cloud mentions reflect where threat actors operated, not vulnerabilities of those platforms. Prioritize the platforms where your data and users actually live, and treat SaaS integrations as a first-class risk.

• Microsoft and AWS made up the majority of mentions (27% vs 24%). This shouldn’t come as a surprise given market share for these service providers, however, invest your effort in proportion to your footprint.

• SaaS is a fifth of incidents (20%) which means “cloud” isn’t just infrastructure. Critical business apps and their account connections often sit at the center of cases.

• A long tail exists of “other” (17% ) such as niche providers, or mixed environments meaning you need vendor-neutral guardrails (identity, logging, app governance).

• Google and Containers appear smaller here (5% each) which likely reflects market share and reporting bias, not immunity. Keep baseline coverage wherever you operate.

Cloud-Relevant Actors

There were at least 25 threat actors focused on cloud native or cloud related attacks from January to September 2025. Some are well known, others are clusters of activity which are defined by limited visibility and specific attributes which will evolve over time. What is certain by these stats is that cloud is mainstream for attackers. It’s no longer niche, most serious threat actors now have cloud playbooks. Also, let’s remember that some clusters will merge or split as visibility improves; treat today’s labels as pointers, not gospel.

Key Observations & Forecasts 

Identity and Standing Access

The common thread across many cloud incidents is standing access: long-lived keys, app grants, and legitimate sign-in flows. 

• Tales from the cloud trenches: The Attacker doth persist too much, methinks: Expect a growing underground market for pre-compromised cloud keys and refresh tokens, plus more campaigns built around quiet, durable access rather than smash-and-grab breaches.

• Locked Out, Dropboxed In: When BEC threats innovate: Expect more BEC actors to ride legitimate SaaS notifications (registering accounts in the victim’s name) to keep phishing after eviction, widening blast radius to partners and customers while evading basic email controls. 

• Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication: Anticipate continued social engineering of legitimate auth flows (device code today, adjacent OAuth paths tomorrow), because they feel normal to users and can sidestep many traditional MFA defenses.

SaaS is the Data Plane

The most valuable information, along with the permissions to reach it, now live in SaaS. Risk now follows accounts, app-to-app connections, and built-in features rather than just servers or endpoints.

• Widespread Data Theft Targets Salesforce Instances via Salesloft Drift: Expect more misuse of native export/report features and API access to quietly move large data sets, with attackers leaning on legitimate connectors and automation to blend into normal business activity.

Pipeline, Platform & Supply Chain Integrity

Third-party ecosystems are high-leverage entry points: compromise one step, and risk cascades downstream. Securing supply chains matters as much as perimeter defenses.

• New GitHub Action supply chain attack: reviewdog/action-setup: Anticipate continued targeting of automation workflows and build runners, more attempts to tamper with pipelines and inherit downstream access.
  

• Multiple npm attacks: Expect a mix of package takeovers, look-alike packages, and stolen maintainer accounts.

From Signal to Strategy

When reading these cloud reports, we often look for four things that actually help defenders: IOCs, security considerations or detection logic, clear attribution, and ATT&CK mappings. Those elements turn raw signals into something teams can prioritize and act on. The full data set is available here.

• ‍The Good: Most reports gave practitioners something usable: IOCs in 76% and considerations or detection logic in 73%.‍

• The Bad: Attribution is thin with about a third lacking a named actor, and many more missing victimology. Add inconsistent reporting styles and silos across orgs and we end up with fragmented intel and multiple “versions of truth.” ‍

• The Ugly: We need to do better with TTPs, with 80% or reports lacking MITRE ATT&CK mappings. Additionally, cloud service provider (CSP) intel remains limited in public write-ups, despite providers having some of the best telemetry. That gap is also likely why so many cloud blogs are based on theoretical techniques compared to what’s actually observed in the wild. 

Looking Ahead

Keep what works. Include detections and considerations in every write-up. Raise CTI quality with a simple, consistent schema. Each post should include Attribution: actor and targeting; ATT&CK: technique or sub-technique with ID; and IOCs and detection that a team can put into production.

TTP mapping in the cloud is hard, but still necessary. If the exact technique is unclear, map to the closest behavioral TTP and note confidence. When possible, use platform-specific mappings and references from AWS’ Threat Technique Catalog or the MITRE Center for Threat-Informed Defense.

We are releasing 70+ cloud TTPs mapped to MITRE, targeting about 80% coverage of the reporting set. Use the catalog to focus detections, hardening, and playbook work where it will matter most. It is a living resource that we will keep refining with community feedback. For the TTP list and the original slides, see our GitHub.

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7