CLOUDFLARE WARNS HACKERS ARE HIDING INSIDE TRUSTED CLOUD SERVICES


The company’s 2026 threat report says attackers are using platforms such as Google Drive, Microsoft Teams and Amazon S3 to disguise malicious command-and-control traffic as ordinary business activity.

SAN FRANCISCO, March 3 — Cyber attackers are increasingly turning legitimate cloud services into cover for espionage, fraud and malware operations, according to Cloudflare’s 2026 Threat Report, a shift that the company says is making traditional security tools less effective and forcing organizations to rethink how they judge trust inside their networks.

The report, released by Cloudflare’s Cloudforce One threat intelligence team, says threat actors are moving away from obvious malicious servers and instead routing parts of their operations through widely used enterprise platforms. Services such as Google Drive, Microsoft Teams and Amazon S3 can be used to mask command-and-control traffic, allowing attackers to blend into the same cloud ecosystems that companies rely on every day.

The tactic is not entirely new. Security teams have long described similar behavior as “living off the land,” a method in which attackers abuse trusted tools already present in a victim’s environment. Cloudflare argues that the practice has now expanded into what could be described as living off anything-as-a-service: using cloud storage, messaging systems, developer platforms and infrastructure services not only to hide malware traffic, but also to host payloads, redirect victims and scale campaigns.

That development poses a difficult problem for defenders. Blocking a suspicious server is relatively straightforward when the destination is unknown, newly registered or already associated with malicious activity. Blocking Google Drive, Teams, Amazon S3, Dropbox, GitHub or other major services is far more complicated because those platforms are deeply embedded in normal business workflows. A malicious connection can therefore appear, at first glance, to be a routine employee action.

Cloudflare’s warning reflects a broader change in cyber operations. The report says the era of brute-force compromise is giving way to what it calls high-trust exploitation, in which attackers seek the easiest route to operational success. Stolen credentials, active session tokens, trusted software integrations and reputable cloud infrastructure can deliver more value than complex custom malware or expensive zero-day vulnerabilities.

In that environment, the question facing companies is no longer simply whether an outsider can be kept out. It is whether an apparently legitimate user, application or cloud workflow should still be trusted once it is inside the network. The report says attackers are finding ways to “log in” rather than “break in,” undermining defenses that were designed around the assumption that authenticated access is safe.

Cloudflare said its findings were drawn from the company’s global network visibility and the work of Cloudforce One analysts, who examined threat actor behavior, network signals and attack patterns. The company said it blocks an average of 230 billion threats each day for customers, giving it a broad view of malicious traffic moving across the internet.

One of the most consequential findings is that command-and-control traffic is becoming harder to distinguish from ordinary enterprise communication. Command-and-control, often abbreviated as C2, refers to the channels attackers use to send instructions to compromised systems and receive data from them. In older campaigns, those channels often pointed to servers controlled directly by criminals. In newer campaigns, Cloudflare says, attackers may use trusted cloud services as relay points or hiding places.

Cloudflare’s report describes examples of groups using common platforms in different ways. Some actors have used cloud calendars or file-sharing systems to read and write encrypted instructions. Others have used developer tools, paste sites, hosted applications or cloud storage to rotate infrastructure, conceal malware delivery or make phishing pages look more legitimate. The common thread is that the attacker borrows the reputation of a trusted provider.

The report does not accuse major cloud providers of wrongdoing. Rather, it highlights the security dilemma created by the success of cloud computing itself. The same services that help companies collaborate, store files and deploy applications at scale can also give attackers a way to hide in plain sight. Because these platforms are reliable, encrypted and commonly allowed through corporate firewalls, they can become attractive infrastructure for hostile operations.

Artificial intelligence is intensifying the problem. Cloudflare says threat actors are using generative AI to map networks, develop exploits and create deepfakes. AI can lower the technical barrier for criminals and speed up reconnaissance, allowing lower-skilled actors to perform tasks that once required more specialized knowledge. For defenders, the concern is not only that attacks are becoming more sophisticated, but that they are becoming faster and easier to repeat.

The report also points to over-privileged software-as-a-service integrations as a growing source of risk. Many companies connect cloud applications through APIs that allow data to move between sales, support, analytics, identity and productivity systems. If one integration is compromised, the damage can spread across multiple environments. Cloudflare says this connective tissue of modern enterprise software can turn a single exposed token or API permission into a broader breach.

Identity sits at the center of the threat model. Attackers who steal active session tokens may be able to bypass traditional multi-factor authentication because the system already sees the session as valid. That makes token theft particularly dangerous: the attacker does not always need a password, a one-time code or a fresh login challenge. Instead, the attacker can attempt to act as the user after authentication has already occurred.
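The paragraph above explains why a stolen session token can sidestep MFA: the server already treats the session as authenticated. The following is an added example, not code from Cloudflare or its report, showing one server-side mitigation: each session is bound at creation to attributes of the client that obtained it, the server stores only a hash of the token, and a request whose binding no longer matches is pushed to a step-up challenge instead of being served. The timeouts, the binding recipe (user agent plus client IP) and the `SessionStore` API are assumptions made for this illustration.

```python
"""Session-binding check as a defence against replayed session tokens.

Added example (not Cloudflare's code). A session is bound at login to the
client that created it; presenting the same token from a different client
triggers step-up authentication rather than silent acceptance.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ABSOLUTE_LIFETIME = timedelta(hours=8)    # assumed policy values
IDLE_TIMEOUT = timedelta(minutes=30)


@dataclass
class Session:
    user: str
    binding: str          # hash of client attributes captured at login
    created: datetime
    last_seen: datetime


class SessionStore:
    def __init__(self):
        self._by_hash = {}  # sha256(token) -> Session; raw tokens never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def client_binding(user_agent, client_ip):
        # Attributes a replay from another machine is unlikely to reproduce.
        # A device certificate or TLS channel binding would be stronger; this
        # recipe is an assumption for the example.
        return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

    def create(self, user, user_agent, client_ip, now):
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = Session(
            user, self.client_binding(user_agent, client_ip), now, now)
        return token

    def validate(self, token, user_agent, client_ip, now):
        """Return (decision, user): 'allow', 'step_up' or 'deny'."""
        key = self._digest(token)
        s = self._by_hash.get(key)
        if s is None:
            return "deny", None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._by_hash[key]
            return "deny", None
        # Constant-time compare so the check itself leaks nothing about the binding.
        if not hmac.compare_digest(s.binding, self.client_binding(user_agent, client_ip)):
            # Same token, different client: do not serve; require fresh MFA.
            return "step_up", s.user
        s.last_seen = now
        return "allow", s.user

    def rebind_after_step_up(self, token, user_agent, client_ip, now):
        """Called only after the user passed a fresh MFA challenge."""
        s = self._by_hash[self._digest(token)]
        s.binding = self.client_binding(user_agent, client_ip)
        s.last_seen = now


def demo():
    store = SessionStore()
    t0 = datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc)
    tok = store.create("alice", "UA-laptop", "10.0.0.5", t0)
    same_client = store.validate(tok, "UA-laptop", "10.0.0.5", t0 + timedelta(minutes=5))
    replayed = store.validate(tok, "curl/8.0", "203.0.113.9", t0 + timedelta(minutes=6))
    return same_client, replayed


if __name__ == "__main__":
    print(demo())
```

Binding to the client IP produces false step-ups for users on mobile or split-tunnel networks, so in practice the binding is usually a device certificate or a coarser network attribute, and the step-up path is kept cheap enough that legitimate users tolerate it.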

The implications are significant for security teams that rely heavily on perimeter controls. Firewalls, blocklists and email filters remain important, but they may not be enough when malicious activity is routed through legitimate cloud platforms or performed with valid credentials. Cloudflare argues that organizations need real-time visibility, stronger identity controls and automated responses capable of acting faster than human analysts can manually investigate.

The company’s recommendations align with the wider shift toward zero-trust security. In practice, that means continuously verifying users, devices, applications and data flows rather than granting broad access after a single successful login. It also means reducing unnecessary privileges, monitoring SaaS-to-SaaS connections, inspecting unusual cloud usage patterns and treating trusted platforms as environments that still require scrutiny.

The report arrives at a time when businesses are more dependent than ever on cloud services. Hybrid work, outsourced software, cloud storage and third-party application ecosystems have expanded the number of places where sensitive data can move. Each connection can improve productivity, but each also creates another path that an attacker may try to exploit.

Cloudflare also warned that distributed denial-of-service attacks are reaching a scale that can exceed human response times. The company cited attacks reaching 31.4 terabits per second and said large botnets are forcing defenders toward automated mitigation. While DDoS attacks differ from stealthy cloud-based intrusion, both trends point to the same conclusion: attackers are using scale, speed and trusted infrastructure to overwhelm older defensive models.

For executives, the report carries a practical message. Cyber risk is no longer limited to unknown malware or suspicious overseas servers. It can arrive through a file-sharing link, a cloud-hosted login page, a compromised session, a third-party integration or a collaboration platform that employees use every day. That makes security a question of governance as much as technology: who has access, which applications are connected, what permissions they hold and how quickly abnormal behavior is detected.

Cloudflare’s assessment is likely to increase pressure on companies to audit cloud permissions and monitor the services they already trust. Security teams may need to distinguish between a genuine employee uploading a document to Google Drive and malware using the same service as a covert channel. They may need to detect when a Teams interaction is part of normal collaboration and when it is being used to conceal attacker traffic. Those distinctions are difficult, but the report suggests they are becoming essential.
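One way to make the distinction the paragraph above describes is to look at the shape of a host's traffic to a trusted domain rather than at the domain itself: a person uploading documents produces a few large transfers at irregular times, while an implant using the same service as a relay tends to check in on a fixed cadence with near-identical request sizes. The block below is an added example, not code from Cloudflare or its report; the proxy log format, the sample lines and the thresholds are constructed for the illustration.

```python
"""Cadence-based detection of covert channels over trusted cloud domains.

Added example (not Cloudflare's code). Flags (host, domain) pairs whose
connections arrive at near-constant intervals with near-constant sizes,
the pattern of an automated check-in rather than human file activity.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp src_host dest_domain bytes_out user_agent"
SAMPLE_LOGS = """\
2026-03-03T09:00:00 ws-finance-07 drive.google.com 4120000 Mozilla/5.0
2026-03-03T09:41:12 ws-finance-07 drive.google.com 2275000 Mozilla/5.0
2026-03-03T13:05:44 ws-finance-07 drive.google.com 910000 Mozilla/5.0
2026-03-03T09:00:00 ws-hr-12 drive.google.com 312 python-requests/2.31
2026-03-03T09:05:01 ws-hr-12 drive.google.com 312 python-requests/2.31
2026-03-03T09:10:00 ws-hr-12 drive.google.com 312 python-requests/2.31
2026-03-03T09:15:02 ws-hr-12 drive.google.com 312 python-requests/2.31
2026-03-03T09:20:00 ws-hr-12 drive.google.com 312 python-requests/2.31
2026-03-03T09:25:01 ws-hr-12 drive.google.com 312 python-requests/2.31
"""

MIN_EVENTS = 5          # enough samples to judge cadence (assumed threshold)
MAX_INTERVAL_CV = 0.05  # coefficient of variation of inter-arrival gaps
MAX_BYTES_CV = 0.10     # payload sizes nearly identical


def parse_logs(text):
    """Group parsed events by (source host, destination domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes, ua = line.split(maxsplit=4)
        events[(host, domain)].append((datetime.fromisoformat(ts), int(nbytes), ua))
    return events


def coefficient_of_variation(values):
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(events):
    """Return findings for pairs whose timing and size regularity exceed thresholds."""
    findings = []
    for (host, domain), rows in events.items():
        if len(rows) < MIN_EVENTS:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        sizes = [r[1] for r in rows]
        if (coefficient_of_variation(gaps) <= MAX_INTERVAL_CV
                and coefficient_of_variation(sizes) <= MAX_BYTES_CV):
            findings.append({
                "host": host,
                "domain": domain,
                "events": len(rows),
                "mean_gap_s": round(mean(gaps)),
                "user_agents": sorted({r[2] for r in rows}),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_logs(SAMPLE_LOGS)):
        print(f)
```

On the constructed sample only `ws-hr-12` is flagged: six requests of 312 bytes every five minutes from a non-browser user agent, while the finance workstation's three large, irregular uploads pass. Real check-ins often add jitter, so in production the interval threshold is loosened and the score is combined with per-host baselines (has this host ever used this service before?) and user-agent reputation rather than applied on its own.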

The central warning is clear: attackers are no longer defined only by the malicious tools they build, but by the trusted systems they can exploit. In the cloud era, legitimacy itself has become part of the attack surface. For defenders, the challenge is to protect the convenience of modern platforms without allowing that trust to become a hiding place for adversaries.
