{ "id": "94bf3d4f-cb1c-4e27-9dde-3fb241730457", "created_at": "2026-04-06T00:13:06.436614Z", "updated_at": "2026-04-10T03:30:47.811005Z", "deleted_at": null, "sha1_hash": "64b0e71f3c911bbf012de78ed53b112332a5e388", "title": "A Big Catch: Cloud Phishing from Google App Engine and Azure App Service", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 78922, "plain_text": "A Big Catch: Cloud Phishing from Google App Engine and Azure\r\nApp Service\r\nBy Ashwin Vamshi\r\nPublished: 2020-08-12 · Archived: 2026-04-05 16:11:03 UTC\r\nThreat actors are leveraging top tier cloud apps to host phishing baits. Netskope Threat Labs has identified an\r\nongoing O365 phishing campaign hosted in Google App Engine with the credential harvester mostly hosted in\r\nAzure App Service. This phishing campaign typically targets O365 users via phishing emails with a direct link or\r\nattachment. \r\nThe campaign started in late June 2020 and is still active today. Based on similarities in the phishing pages, we\r\nbelieve the same threat actor is responsible for generating more than 100 phishing pages and continues to add\r\nmore daily. These phishing pages and attack elements were hosted in different App Engine and Azure websites. At\r\nthe time of writing, more than 60% of the URLs we observed were active and not detected or blocked by security\r\nscanning services in popular browsers like Chrome and Firefox. \r\nOur earlier posts Phishing in the public cloud: You’ve been served and Amazon themed Phish hosted in Azure\r\nSites detailed phishing attacks that used Azure Websites to serve up parts of the attack. This ongoing campaign\r\nindicates that threat actors are continuing to use cloud services to launch phishing attacks at scale from widely\r\nused cloud services, making it harder for users to recognize and vendors to detect, block, or take down. \r\nThis blog post details our analysis of this campaign and provides recommendations to help protect you and your\r\norganization from falling victim to similar phishing campaigns.\r\nAppspot.com – Phishing baits\r\nGoogle App Engine is a Google Cloud Platform (GCP) service for developing and hosting web applications. App\r\nEngine allows you to serve SSL (HTTPS) traffic through your appspot.com domain, https://\u003capp\u003e.r.appspot.com.\r\nUsers tend to place trust in websites that are hosted by top-tier vendors like Google. Threat actors are exploiting\r\nthis trust by hosting phishing baits in Google services as shown in Figure 1.\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 1 of 15\n\nFigure 1: Phishing page hosted in appspot.com\r\nAnalysis of the phishing campaign\r\nThe attack starts with a bitly link shortener link, https://bitly[.]com/33nMLkZ, generally distributed via phishing\r\nemails that redirect to https://o365apps[.]oa.r.appspot.com as shown in Figure 2.\r\nFigure 2: bitly URL shortener\r\nWhen visiting the bait, the victim is presented with a phished page hosted in appspot.com to enter the credentials\r\nas shown in Figure 3.\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 2 of 15\n\nFigure 3: Phished page hosted in appspot.com\r\nUpon entering the email and password, the victim is presented with a fake message that the account and password\r\nare incorrect as shown in Figure 4.\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 3 of 15\n\nFigure 4: Phished page displaying a fake message that the account or password is incorrect\r\nThe victim’s credentials are then sent to the page, ‘handler.php’ hosted in july-28[.].azurewebsites[.]net as shown\r\nin Figure 5.\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 4 of 15\n\nFigure 5: Snippet of the victim’s credentials hosted in july-28[.].azurewebsites[.]net\r\nThe packet capture illustrating this credential theft action is shown in Figure 6.\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 5 of 15\n\nFigure 6: Packet capture of the credential theft\r\nPhishing campaign\r\nUsing NSIQ, Netskope’s in-house threat intelligence hub, we were able to identify multiple O365-themed\r\nphishing pages using appspot.com. Starting in late June, we observed 110 unique bait URLs and 72 credential\r\nhosting URLs related to this campaign. We identified that the threat actor tried using several domains to host the\r\ncredentials as shown in Figure 7.\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 6 of 15\n\nFigure 7: Credential hosted domains\r\nThe above figure clearly shows that the threat actor has mostly used Azure App Service to host the credential\r\nharvester at azurewebistes.net. It appears the attacker tried out multiple different options to serve the credential\r\nharvester and chose to use Azure App Service on an ongoing basis, likely because of its ease of use and Microsoft-issued SSL certs. That we continue to see new subdomains appear daily on both Azure App Service and Google\r\nApp engine indicates that the attacker is having success on both of these platforms.\r\nConclusion\r\nThis post described a phishing campaign that used appspot.com and azurewebsites.net for hosting the phishing\r\nbaits and attack elements. We would recommend users to not enter their credentials from unknown websites and\r\nhyperlinks even if the website is from a trusted domain. Users can recognize a phishing site based on the domain,\r\nwhich indicates that it is in App Engine appspot.com, and not an official Microsoft website. Enterprises should\r\neducate their users to recognize AWS, Azure, and GCP object store URLs, so they can discern phishing sites from\r\nofficial sites. Netskope reported the phishing sites to Google and Microsoft Security teams on August 10, 2020.\r\nIOCs\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 7 of 15\n\np3lll0plprd.el.r.appspot.com\r\nxxddfete.nw.r.appspot.com\r\neyettrttr.wn.r.appspot.com\r\nlogin-microsoft-office365.df.r.appspot.com\r\nsodium-ceremony-277916.dt.r.appspot.com\r\nvp35yvpvyup.el.r.appspot.com\r\nofficeeev2.ew.r.appspot.com\r\ntlook-off365-signin.el.r.appspot.com\r\nmicrosoft-account-security.oa.r.appspot.com\r\nuserpodium.et.r.appspot.com\r\ngolden-pointer-281517.nw.r.appspot.com\r\ncivic-depth-281113.oa.r.appspot.com\r\nuser7770001255.el.r.appspot.com\r\nvbf9iuherwiu.wl.r.appspot.com\r\nuserc9fo9ffzo.el.r.appspot.com\r\naccount-security-6581a.el.r.appspot.com\r\nesoteric-mote-284316.uc.r.appspot.com\r\nofficecloudapps.ey.r.appspot.com\r\noutlook-office365-signin.el.r.appspot.com\r\ne710z0ear.du.r.appspot.com\r\nuser7383493930.et.r.appspot.com\r\nxh36954689734987348098.el.r.appspot.com\r\ncp0c7pc.du.r.appspot.com\r\nppypcc11crp.appspot.com\r\nuser67509874097802.el.r.appspot.com\r\nsharepoint-secure-online.df.r.appspot.com\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 8 of 15\n\nkey-acronym-281808.et.r.appspot.com\r\nkeen-sight-280309.nw.r.appspot.com\r\nlogin-microsoft-online-secure.nw.r.appspot.com\r\nlogin-microsoft-outlook.el.r.appspot.com\r\nx394uirjomokf30.wm.r.appspot.com\r\nd48dkduy4mnnxh.du.r.appspot.com\r\nriqri733r.ts.r.appspot.com\r\nmicrosoftaccountsecurityportal.wl.r.appspot.com\r\nmlcrosoft-0nedrive-portal.el.r.appspot.com\r\nsecure-login-microsoftonline.oa.r.appspot.com\r\narched-elixir-280012.nw.r.appspot.com\r\noutlook-0ffice365-0nline.nw.r.appspot.com\r\nuser7774398409.el.r.appspot.com\r\nmicrosoft-secure-online.oa.r.appspot.com\r\nd91ddd0c.el.r.appspot.com\r\nc0lbltclsp.el.r.appspot.com\r\nsapient-flare-279107.df.r.appspot.com\r\nr444r0r0uuser.du.r.appspot.com\r\nuser1238090.el.r.appspot.com\r\nlogin-microsoft-0nline.ts.r.appspot.com\r\nlogln-office365-0nline.wm.r.appspot.com\r\nmicrosov.oa.r.appspot.com\r\nuseryxijxui99.an.r.appspot.com\r\nsecureduser.du.r.appspot.com\r\nmy-project-1-6316.ue.r.appspot.com\r\nofficecloudapp.ey.r.appspot.com\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 9 of 15\n\nmicro-app-284821.appspot.com\r\ncompact-pier-280012.nw.r.appspot.com\r\nuser12746463989284.el.r.appspot.com\r\ncbu4397422nj.oa.r.appspot.com\r\nmm9pnpnjj.an.r.appspot.com\r\ndatasec.du.r.appspot.com\r\nuser379834709348-0.oa.r.appspot.com\r\nuserzixmessage.du.r.appspot.com\r\nsecure-microsoft-online.oa.r.appspot.com\r\njalonf129431.uc.r.appspot.com\r\nofficecloudweb.oa.r.appspot.com\r\nlogin-office365-microsoft.el.r.appspot.com\r\ny80yyxccn.df.r.appspot.com\r\nxh1643879264863098023.el.r.appspot.com\r\noffmenow20249.uc.r.appspot.com\r\nqnaqaaa08cowa.et.r.appspot.com\r\noutlook-webapp-portal.el.r.appspot.com\r\nlogln-micr0s0ft-0nline.ts.r.appspot.com\r\nuser983270932.oa.r.appspot.com\r\ncivil-campaign-279715.el.r.appspot.com\r\neliduhjner.dt.r.appspot.com\r\nqu10hh1qh.ts.r.appspot.com\r\ncorporate-onlinecloudfiles.df.r.appspot.com\r\nuser849494949.el.r.appspot.com\r\nlogin-outlook-office365.el.r.appspot.com\r\nuser9765656787.et.r.appspot.com\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 10 of 15\n\noffice365-login-outlook.el.r.appspot.com\r\nsharedpont77wwjxjx.df.r.appspot.com\r\nxh1oiuej.oa.r.appspot.com\r\nsharepntonline.oa.r.appspot.com\r\npro645r.uk.r.appspot.com\r\noffice365-0nedrive-portal.el.r.appspot.com\r\nuser1246578909.el.r.appspot.com\r\nddccc-a8448.appspot.com\r\nsmartcloudfiles-2020.nw.r.appspot.com\r\nnn0p00n0.ts.r.appspot.com\r\noffice365-portal-verify.el.r.appspot.com\r\nlogin-offlce365-0utl00k.nn.r.appspot.com\r\nfbproject4df3409fkl342ef043.el.r.appspot.com\r\nxxxfoxwew.wn.r.appspot.com\r\no365apps.oa.r.appspot.com\r\nsecuremssgs.du.r.appspot.com\r\ncrsupp0p011ypp.appspot.com\r\nuuuiquiuroff.du.r.appspot.com\r\nonline-career-projects.ew.r.appspot.com\r\nb60xbxvsharedpoint.an.r.appspot.com\r\nf3jsffd3fosowa.ts.r.appspot.com\r\nintense-reason-280011.nw.r.appspot.com\r\nsecureuser00403034.du.r.appspot.com\r\nfy1i0cipn.et.r.appspot.com\r\nsecure-login-portal-outlook.el.r.appspot.com\r\nuser4567890.oa.r.appspot.com\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 11 of 15\n\nidfudupp.du.r.appspot.com\r\ngs68798094387.nw.r.appspot.com\r\noffice-mail-d-eliverys.el.r.appspot.com\r\nv550vcc5ishare-onlieporit.et.r.appspot.com\r\nhmmmchm8husers.du.r.appspot.co\r\ntluyc30tc.an.r.appspot.com\r\nuser23546576879809ip.dt.r.appspot.com\r\nsonarqberb.azurewebsites.net/handler3/handler.php\r\nh088n00hq.azurewebsites.net/handler.php\r\nffddfdd00cp.azurewebsites.net/handler.php\r\nofficecallapp.azurewebsites.net/res/handler.php\r\njust-storage.jp/7863473827382/handler.php\r\nnewonejj.azurewebsites.net/handler.php\r\nbambangherlandi.web.id/backup/handler.php\r\nncloudset.com/themes.php\r\nsonarquberb.azurewebsites.net/ceo/handler.php\r\nsonarqberb.azurewebsites.net/handler1/handler.php\r\n0977r90rz.azurewebsites.net/handler.php\r\n00q0h8hqaph.azurewebsites.net/handler.php\r\npwwebtraffic.com/themes.php\r\np720j70al2cp.azurewebsites.net/handler.php\r\nfud.azurewebsites.net/white/handler.php\r\ncol36543.azurewebsites.net/handler.php\r\ndfdgfgfggr.azurewebsites.net/handler.php\r\n9r9cz7r9rwa.azurewebsites.net/handler.php\r\nco2y552p2cp.azurewebsites.net/handler.php\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 12 of 15\n\ncapitandescargas.com/urus/handler.php\r\nsonarqberb.azurewebsites.net/newallusers/handler.php\r\nslepeghed.azurewebsites.net/handler.php\r\nc1oudhq.com/cryptome/themes.php\r\n701r10010ye.azurewebsites.net/handler.php\r\nsonarquberb.azurewebsites.net/1900/handler.php\r\nc1oudhq.com/onos/themes.php\r\nsdeedfr.azurewebsites.net/handler.php\r\nfud.azurewebsites.net/gs/handler.php\r\nsonarqberb.azurewebsites.net/ceolist/handler.php\r\nhddhvvfh0chp.azurewebsites.net/handler.php\r\n9hxs99qsq90.azurewebsites.net/handler.php\r\n47w4j4jx4c.azurewebsites.net/handler.php\r\n900h9fyy0.azurewebsites.net/handler.php\r\nzrae1110rcpff.azurewebsites.net/handler.php\r\nfud.azurewebsites.net/fud/handler.php\r\nsonarquberb.azurewebsites.net/ley/handler.php\r\nwww.imai-zei.net/22323231210/handler.php\r\nc1oudhq.com/wire/themes.php\r\n3q302n022ppc.azurewebsites.net/handler.php\r\nlecoless.azurewebsites.net/handler.php\r\nsp0drsphhcf.azurewebsites.net/handler.php\r\nwww.imai-zei.net/only1/handler.php\r\nsonarqberb.azurewebsites.net/handler2/handler.php\r\nwww.imai-zei.net/test/handler.php\r\nfud.azurewebsites.net/snow/handler.php\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 13 of 15\n\nsonarqberb.azurewebsites.net/allusersd1/handler.php\r\njlredes.com.br/well-known/handler.php\r\njust-storage.jp/0191919191919/handler.php\r\njust-storage.jp/83839839292/handler.php\r\nbtopensworld.com/page1/login.php\r\nwww.camperlife.jp/wp-includes/js/jcrop/handler.php\r\noticapenha.com.br/lord/handler.php\r\nc1oudhq.com/crypt/themes.php\r\nsonarqberb.azurewebsites.net/ausinew/handler.php\r\nsyeuijfy.azurewebsites.net/handler.php\r\nc1oudhq.com/kel/themes.php\r\np2npnpn00.azurewebsites.net/handler.php\r\nyinnyyn00p.azurewebsites.net/handler.php\r\nsonarqberb.azurewebsites.net/7262020/handler.php\r\njuly-28.azurewebsites.net/handler.php\r\nr7077hh1hc.azurewebsites.net/handler.php\r\nsteemneddone.azurewebsites.net/handler.php\r\ncgfsfdgffdfgedg.azurewebsites.net/handler.php\r\naccrocoroservices.azurewebsites.net/handler.php\r\nc1oudhq.com/aol/login.php\r\n90ddpp5rhub.azurewebsites.net/handler.php\r\nsonarqberb.azurewebsites.net/allusersd2/handler.php\r\ndeepakrajgiri.com/well-known/handler.php\r\nsonarqberb.azurewebsites.net/linkers4/handler.php\r\nn0n0iitiiphl.azurewebsites.net/handler.php\r\nff02fefifiop.azurewebsites.net/handler.php\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 14 of 15\n\nsdsfsfef.azurewebsites.net/handler.php\r\nSource: https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nhttps://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service" ], "report_names": [ "a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service" ], "threat_actors": [ { "id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d", "created_at": "2024-05-01T02:03:07.943593Z", "updated_at": "2026-04-10T02:00:03.795229Z", "deleted_at": null, "main_name": "BRONZE EDISON", "aliases": [ "APT4 ", "DarkSeoul", "Maverick Panda ", "Salmon Typhoon ", "Sodium ", "Sykipot ", "TG-0623 ", "getkys" ], "source_name": "Secureworks:BRONZE EDISON", "tools": [ "Gh0st RAT", "Wkysol", "ZxPortMap" ], "source_id": "Secureworks", "reports": null }, { "id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7", "created_at": "2022-10-25T16:07:23.704358Z", "updated_at": "2026-04-10T02:00:04.718034Z", "deleted_at": null, "main_name": "Harvester", "aliases": [], "source_name": "ETDA:Harvester", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Graphon", "Metasploit", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0", "created_at": "2023-01-06T13:46:38.667954Z", "updated_at": "2026-04-10T02:00:03.061447Z", "deleted_at": null, "main_name": "APT4", "aliases": [ "PLA Navy", "MAVERICK PANDA", "BRONZE EDISON", "SODIUM", "Salmon Typhoon" ], "source_name": "MISPGALAXY:APT4", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337", "created_at": "2022-10-25T16:07:23.318008Z", "updated_at": "2026-04-10T02:00:04.539063Z", "deleted_at": null, "main_name": "APT 4", "aliases": [ "APT 4", "Bronze Edison", "Maverick Panda", "Salmon Typhoo", "Sodium", "Sykipot", "TG-0623", "Wisp Team" ], "source_name": "ETDA:APT 4", "tools": [ "Getkys", "Sykipot", "Wkysol", "XMRig" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434386, "ts_updated_at": 1775791847, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/64b0e71f3c911bbf012de78ed53b112332a5e388.pdf", "text": "https://archive.orkl.eu/64b0e71f3c911bbf012de78ed53b112332a5e388.txt", "img": "https://archive.orkl.eu/64b0e71f3c911bbf012de78ed53b112332a5e388.jpg" } }