
The company’s 2026 Threat Report says attackers are increasingly using legitimate platforms such as Google Drive, Microsoft Teams and Amazon S3 to disguise malicious command-and-control traffic and evade traditional defenses.
Cloudflare is warning that cybercriminals and state-backed hackers are increasingly turning the internet’s most trusted business tools into cover for attacks, using legitimate cloud and collaboration services to hide malicious traffic in the ordinary flow of corporate activity.
In its 2026 Threat Report, the internet infrastructure and security company said attackers are exploiting platforms such as Google Drive, Microsoft Teams and Amazon S3 to mask command-and-control communications, the hidden channels used to direct malware, issue instructions to compromised systems and move through victim networks. The practice makes hostile activity harder to distinguish from routine enterprise traffic because the connections appear to involve services that companies already use and trust.
The finding underscores a major shift in cyber operations. Rather than relying only on obviously malicious servers, custom domains or suspicious infrastructure, attackers are moving into the same cloud ecosystems that power modern business. They are using file-sharing platforms, messaging tools, developer services and storage systems as camouflage. In Cloudflare’s framing, the threat is no longer only about outsiders breaking down the gate. Increasingly, it is about adversaries borrowing the badges of trusted services and logging in through paths that already exist.
That shift reflects the structure of today’s workplace. Companies have moved data, communication, identity management, software development and customer operations into cloud-based platforms. Employees routinely connect to dozens of services from many locations and devices. Security teams are expected to permit much of that traffic because blocking it would interrupt business. Attackers have noticed the same pattern and are exploiting it.
Cloudflare described the tactic as a form of “living off the land,” expanded for the cloud era. The older version of that approach involved attackers using built-in tools inside a victim’s environment, such as administrative utilities, scripting engines or remote access functions, to avoid detection. The newer version extends the idea outward. Hackers can use legitimate software-as-a-service, infrastructure-as-a-service and platform-as-a-service products to host payloads, redirect victims, manage stolen data or relay instructions.
The danger is not that Google Drive, Microsoft Teams or Amazon S3 are inherently malicious. They are widely used services that support normal business. That is precisely why they are attractive to attackers. A connection to an unfamiliar command server may trigger an alert. A connection to a trusted cloud provider may not. In a large enterprise, where millions of legitimate requests pass through networks each day, malicious traffic can become one more signal in the noise.
For defenders, the challenge is profound. Traditional security tools often lean on reputation, known-bad indicators and blocklists of malicious infrastructure. But when attackers route activity through reputable services, reputation alone becomes a weaker signal. Security teams must examine behavior, identity, context, permissions and timing rather than relying on the assumption that a familiar platform is safe.
Cloudflare said its researchers observed a broader move from “breaking in” to “logging in.” That means attackers are increasingly focused on credentials, tokens, cloud permissions and trusted integrations. Stolen session tokens can allow attackers to bypass some forms of multifactor authentication. Over-privileged software connections can turn a single compromised integration into a pathway across multiple business systems. Phishing campaigns can use high-reputation domains to appear less suspicious to filters and users.
The report also highlights how artificial intelligence is changing the economics of cybercrime. AI tools can help attackers write convincing messages, map environments, generate code, translate lures, impersonate identities and move faster through unfamiliar systems. Cloudflare’s warning is not that AI alone creates new threats, but that it lowers the cost and skill required to carry out effective operations. In that environment, attackers do not always need novel malware or elite technical sophistication. They need access, automation and a way to blend in.
The cloud-abuse trend is especially worrying because it affects both criminal and state-linked operations. Criminal groups can use trusted platforms to distribute malware, steal credentials or manage extortion schemes. State-backed actors can use similar methods for espionage, pre-positioning and long-term access. In either case, the goal is the same: reduce friction, avoid detection and make malicious activity look ordinary.
Cloudflare’s report names several examples of how such tactics can work. Attackers may use cloud storage to host malware payloads. They may use collaboration platforms to move links and files across organizations. They may use developer tools or public repositories for covert communication. They may use calendar entries, paste sites, web apps or file-sharing links as dead drops, allowing infected machines to retrieve instructions without contacting a visibly suspicious server.
This does not mean every enterprise should suddenly block major cloud platforms. For most organizations, that would be impractical and damaging. The lesson is more subtle. Security teams need to treat trusted services as environments that can be abused, not as automatically safe destinations. They need to monitor who is accessing them, what data is moving, which permissions have been granted and whether behavior matches the user’s normal pattern.
Identity has become the center of the fight. A valid login from an unusual location, a session token used after a suspicious event, a service account touching data it never accessed before, or an employee account suddenly creating new forwarding rules may matter more than a malware signature. The attacker’s objective is to inherit trust. The defender’s task is to verify whether that trust is deserved at every step.
The report also points to a broader weakness in how modern companies connect software. Businesses increasingly depend on third-party applications, automated workflows and application programming interfaces. These links make work faster, but they also expand the blast radius when one connection is compromised. A single over-permissioned integration can expose data across departments or tenants, especially if security teams do not know exactly what access has been granted.
For executives, the Cloudflare warning turns cybersecurity into a governance issue as much as a technical one. Companies need inventories of cloud services, visibility into SaaS permissions, stronger controls around tokens and service accounts, and clearer rules for third-party integrations. They also need faster detection systems that can spot abnormal behavior across identity, email, network and application layers.
For employees, the message is simpler but no less important. A link hosted on a familiar service is not automatically safe. A file shared through a trusted platform can still be malicious. A message in a collaboration tool can still be part of a social-engineering campaign. The cloud has made work more convenient, but it has also given attackers more believable ways to approach victims.
Cloudflare’s report arrives as businesses face an expanding threat landscape that includes record-scale distributed denial-of-service attacks, AI-assisted phishing, stolen credentials, deepfake identities and nation-state activity targeting critical infrastructure. The common thread is efficiency. Attackers are choosing methods that deliver the biggest operational impact for the least effort, and trusted cloud infrastructure gives them reach, credibility and concealment.
The defensive response will require more than blocklists and perimeter firewalls. Organizations will need real-time intelligence, zero-trust access models, stricter authentication, continuous monitoring of cloud behavior and automated systems capable of responding at machine speed. The old boundary between inside and outside the network has weakened. What matters now is whether each action is legitimate, not merely whether it comes through a familiar service.
The report’s central warning is clear: the tools companies depend on can also become the tools attackers exploit. Google Drive, Microsoft Teams and Amazon S3 are not the enemy. Blind trust is. In the next phase of cyber conflict, the most dangerous traffic may not look dangerous at all. It may arrive wrapped in the ordinary language of modern work.

