Key Takeaways
- Legitimate infrastructure abuse is a phishing technique where attackers route malicious emails through trusted cloud email-sending platforms to inherit their pristine sender reputations.
- Because the infrastructure used is technically authorized, these advanced phishing campaigns routinely pass SPF, DKIM, and DMARC checks perfectly.
- Traditional secure email gateways miss these threats because they cannot block major cloud IP addresses without causing catastrophic false-positive rates for legitimate traffic.
- Threat actors fuel this attack class by purchasing stolen cloud platform API keys on cybercrime forums for as little as $15.
- While DMARC enforcement doesn’t outright block these attacks, continuous DMARC monitoring acts as an early warning system by flagging unexpected outbound volume anomalies.
Picture this: A phishing email lands right in a corporate inbox. The security gateway scans it and gives it a glowing review. Sender Policy Framework (SPF): pass. DomainKeys Identified Mail (DKIM): pass. Domain-based Message Authentication, Reporting, and Conformance (DMARC): pass. The email is highly malicious, yet it breezed past every single layer of defense. Why? Because it was sent through reputable cloud infrastructure that your email security tools already trust blindly.
This strategy is known as infrastructure abuse, or “living off the land” for email phishing. Instead of setting up sketchy, short-lived domains, attackers are routing their campaigns through established, high-reputation cloud email-sending platforms.
It is a huge trend. The Cloudflare 2026 Threat Report highlights cloud email platforms as heavily exploited vectors for sophisticated phishing and malware distribution and notes that nation-state actors are actively integrating this technique into their playbooks. Security researchers at Kaspersky also tracked a sustained, heavy uptick in phishing sent via major cloud infrastructure starting in January 2026.
What Is Legitimate Infrastructure Abuse?
Legitimate infrastructure abuse is the practice of routing phishing campaigns through established, reputable cloud email-sending platforms rather than purpose-built attacker infrastructure. In the world of endpoint security, “living off the land” means hackers use native, trusted system tools like PowerShell to execute attacks rather than installing obvious malware. It makes detection incredibly difficult because the tool itself belongs there. Legitimate infrastructure abuse applies that exact same logic to email delivery.
Instead of buying a typo-squatted domain or spinning up a dedicated malicious mail server, scammers compromise or rent space on established cloud transactional email platforms. Platforms like Amazon SES, SendGrid, and Mailjet are frequently targeted, not because their internal security is weak, but because their pristine sender reputation is an attacker’s ultimate asset.
Threat actors typically gain access via two primary methods:
- Credential and API Key Theft: Attackers steal or buy legitimate API keys and account credentials for existing cloud email accounts. According to Abnormal AI, these are routinely traded on cybercrime forums for as little as $15.
- Compromised Sending Domains: Attackers compromise an existing business domain that already has a cloud Email Service Provider (ESP) configured as an authorized sender, inheriting the years of sender reputation that domain has built up.
Why Email Authentication Doesn’t Stop It
The Authentication Gap
Protocols like SPF, DKIM, and DMARC were built to answer one fundamental question: Is this email coming from an authorized sender for this domain? When an attacker hijacks a legitimate cloud account or exploits a domain’s authorized ESP configuration, the technical answer is a resounding yes.
The email passes SPF because the cloud provider’s IP is explicitly listed in the domain’s SPF record. It passes DKIM because the platform signs the message with the domain’s proper cryptographic key. Finally, DMARC passes because both protocols align perfectly.
This is not a bug or a flaw in DMARC. The protocols are doing exactly what they were designed to do. The problem is that verifying whether a sender is authorized is completely different from verifying whether the account is still under the actual domain owner’s control.
Why IP Reputation Blocking Fails
Traditional security tools rely heavily on IP reputation scores. If an IP sends spam, it gets blocked. But against infrastructure abuse, this approach completely collapses.
The sending IP addresses belong to massive cloud providers handling billions of legitimate corporate emails every single day. If a Secure Email Gateway (SEG) blocks those IP ranges to stop a phishing campaign, it would trigger catastrophic false-positive rates and block important business emails across thousands of unrelated companies. The attacker hides inside a massive, trusted crowd.
Why Secure Email Gateways Miss It
Most SEGs evaluate inbound mail based on domain age, known malicious links, and attachment signatures. In these attacks, the sending domain is clean, the reputation is spotless, and the authentication score is a perfect 100%.
Furthermore, attackers neutralize link scanners by leveraging open redirect phishing techniques built into the ESPs themselves. They use the platform’s native click-tracking URLs, which are universally allowlisted by email gateways. The gateway scans the highly trusted tracking link and lets the message through; the malicious destination is only triggered via a redirect at the exact moment the user clicks the link.
In other variations, scammers bypass URL scanning entirely by sending no-link Business Email Compromise (BEC) lures. They attach clean PDFs containing flat payment details or insert forged email threads about invoice modifications and rely on social engineering wrapped inside an authenticated email.
What Legitimate Infrastructure Abuse Looks Like in Practice
In the wild, these campaigns rely on highly urgent, high-trust lures. Common angles include fake e-signature notifications impersonating platforms like DocuSign, urgent account security alerts, and invoice fraud targeting accounting departments.
The fuel for these attacks comes directly from poor credential hygiene. Hackers routinely harvest API keys from exposed AWS Identity and Access Management (IAM) configurations in public GitHub repositories or accidentally committed .env files.
When everything aligns, the results are startling. A real-world incident documented by IRONSCALES in April 2026 highlighted a phishing email that registered a perfect Microsoft composite authentication score of 100 out of 100. It impersonated a widely used project management tool and passed SPF, DKIM, and DMARC flawlessly because it was sent out through a compromised domain’s legitimate cloud ESP configuration.
Inbound Message: Authentication Results
| Authentication Check / Metric | Status / Score | Result Verdict |
|---|---|---|
| SPF (Sender Policy Framework) | PASS | Authorized |
| DKIM (DomainKeys Identified Mail) | PASS | Authorized |
| DMARC (Domain-based Message Authentication) | PASS | Aligned & Authorized |
| Microsoft Composite Authentication Score | 100 / 100 | Perfect Trust Score |
Core Finding: Authenticated, but not legitimate. (Based on an incident documented by IRONSCALES, April 2026).
What Actually Helps: A Realistic Defense
To be completely blunt: no single tool stops this attack class entirely. Anyone claiming that DMARC alone can automatically block infrastructure abuse is overpromising. However, a multi-layered, realistic approach cuts your risk down significantly.
1. DMARC Monitoring: Your Early Warning System
While an authenticated phishing email will pass validation, DMARC aggregate reports (RUA) give you visibility into every source that receivers see sending mail as your domain, authorized ESPs included. If a threat actor steals your API keys and begins routing spam through a cloud platform using your domain, that massive spike in volume will show up in your reports as a fully passing, authorized source sending far more than usual.
Regularly reviewing DMARC reports (RUA) allows you to spot unauthorized infrastructure use early, before widespread reputational damage occurs. For teams that want automated detection, the PowerDMARC DMARC Analyzer provides continuous monitoring and real-time anomaly alerts to flag unexpected sending sources the second they appear.
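The check described above, as an added example that is not part of the original article or of any PowerDMARC product: it parses one aggregate report in the RFC 7489 Appendix C XML layout and separates the classic spoofing case (an unknown source) from the infrastructure-abuse case (an authorized, fully passing source with an abnormal volume). The report, the domain example.com, the IP ranges and the baseline figure are all constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 Appendix C layout.
# Domain, IPs and counts are made up for this example.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>420</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>38000</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>12</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Hypothetical baseline: the ESP ranges you authorized in SPF, and the most
# mail any single source normally sends in one report window.
KNOWN_ESP_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BASELINE_MAX_PER_SOURCE = 5000


def analyze_rua(xml_text, known_nets=KNOWN_ESP_NETS, baseline=BASELINE_MAX_PER_SOURCE):
    """Return (source_ip, count, reason) findings from one aggregate report."""
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = pe.findtext("dkim") == "pass" and pe.findtext("spf") == "pass"
        if not any(ip in net for net in known_nets):
            # Classic spoofing: a source you never authorized, normally failing.
            findings.append((str(ip), count, "unknown source"))
        elif passed and count > baseline:
            # The infrastructure-abuse signature: an authorized ESP, a clean
            # pass on both checks, but far more mail than the domain normally sends.
            findings.append((str(ip), count, "authorized source, volume spike"))
    return findings
```

The first record (420 messages from an authorized range) produces no finding; in production the baseline would come from your own historical report volumes rather than a constant.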
2. DMARC Enforcement: Protect Your Domain Outbound
Setting your DMARC policy to p=reject ensures that if an attacker attempts to spoof your domain through unauthorized channels outside of your approved cloud infrastructure, the messages are blocked outright. Furthermore, aggressive enforcement makes your domain a much harder target. Scammers looking for easy infrastructure abuse vectors prefer softer targets running on a weak p=none policy.
3. ESP Credential Security: Close the Entry Point
The most direct credential phishing prevention strategy is protecting the keys to your sending infrastructure.
- Enforce multi-factor authentication (MFA) across all ESP administrator accounts.
- Use tightly scoped API keys restricted to the minimum required permissions.
- Rotate production API keys regularly.
- Implement automated code scanning to ensure secrets are never committed to public repositories.
- Audit your ESP usage dashboards weekly for unusual volume spikes or unknown sender configurations.
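One way to implement the code-scanning item from the list above, as an added example that is not part of the original article: a pre-commit style check that flags AWS IAM access key IDs and SendGrid API keys (the public key formats that common secret scanners match on) plus any ".env"-style assignment of a variable named like a secret. The file set and the key values are constructed placeholders that merely match the formats; none of them is a real credential.

```python
import re

# Key formats for the credential types the article names (AWS IAM access keys,
# SendGrid API keys) as used by common secret scanners, plus a heuristic for
# ".env"-style assignments of anything called SECRET/TOKEN/API_KEY/PASSWORD.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sendgrid_api_key": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "env_secret_assignment": re.compile(
        r"^\s*[A-Z0-9_]*(SECRET|TOKEN|API_KEY|PASSWORD)[A-Z0-9_]*\s*=\s*\S{8,}", re.M),
}

# Constructed sample staging area: the key values are fabricated strings that
# merely match the formats above; none of them is a real credential.
SAMPLE_FILES = {
    ".env": "SENDGRID_API_KEY=SG." + "x" * 22 + "." + "y" * 43 + "\nDEBUG=true\n",
    "deploy/ses.tf": 'access_key = "AKIAEXAMPLE000000000"\n',
    "README.md": "Set SENDGRID_API_KEY in your environment before deploying.\n",
}


def scan_text(text, path="<stdin>"):
    """Return sorted (path, line_no, rule) hits; the matched secret is never returned."""
    hits = set()
    for rule, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.add((path, line_no, rule))
    return sorted(hits)


def scan_files(files):
    """files maps path -> content. A non-empty result means: block the commit."""
    hits = []
    for path, content in files.items():
        hits.extend(scan_text(content, path))
    return hits


if __name__ == "__main__":
    for path, line_no, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: possible {rule}")
```

Wired into a pre-commit hook, a non-empty result rejects the commit before the key ever reaches a public repository; the README line is correctly left alone because it names the variable without assigning a value.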
4. Behavioral Email Security
Because traditional gateways fail against trusted infrastructure, you need an integrated cloud email security (ICES) layer. AI-driven behavioral security tools analyze context rather than just reputation. They look at communication history, typical sending volumes, and language patterns. If a fully authenticated account suddenly sends an anomalous invoice request to an unusual recipient, behavioral tools can flag and quarantine it.
5. Focused User Awareness Training
If a phishing email passes every technical validation check, it comes down to human defense. Employees must be trained to recognize that an email with perfect branding, a clean sender address, and zero technical warnings can still be a trap if the underlying account was hijacked.
Teach your team to independently verify any sudden payment instruction or account changes through a secondary, out-of-band communication channel (like a quick phone call). They should also closely inspect final browser landing pages before entering credentials, regardless of how safe the initial email link appeared.
Last but not least, employees can also use a Phishing Email Checker to get instant threat analysis. All they need to do is paste the complete email source, including headers, to check authentication records, sender signals, suspicious links, urgency patterns, and more.
Final Words
The corporate threat model has fundamentally shifted. Modern advanced phishing no longer relies on poorly formatted emails sent from random, suspicious domains. With legitimate infrastructure abuse, attackers are actively riding the coattails of the cloud services we use and trust every day, exploiting the gap between sender authorization and true identity control.
Your defense strategy must adapt to match this reality. While authentication protocols alone won’t solve the problem, keeping a strict eye on your environment changes the game entirely.
Secure Your Email Ecosystem Today: Want to find out exactly who is sending mail on behalf of your brand? Take control of your perimeter and get real-time alerts on unexpected sending behavior with the PowerDMARC DMARC Analyzer.
Frequently Asked Questions
If an email passes SPF, DKIM, and DMARC, why does my security gateway still let it through?
Because security gateways are trained to trust those exact protocols. When an email hits a perfect “pass” on all three, the gateway thinks it’s dealing with a legitimate, authorized communication from the domain owner. Gateways check if the infrastructure is allowed to send the mail, not who is sitting behind the keyboard typing it.
Does this mean DMARC is broken or useless?
Not at all. DMARC is doing exactly what we designed it to do: stopping random bad guys from spoofing your domain name out of thin air. It can’t tell if an attacker bought a stolen API key or hijacked your actual cloud account. Think of DMARC like a high-tech deadbolt: it works perfectly, unless the robber steals your actual house keys.
Why can’t we just block the IP addresses sending these phishing emails?
Because those IP addresses belong to massive, legitimate services like Amazon SES or SendGrid. Millions of regular, safe business emails (like receipts, flight confirmations, and password resets) flow through those exact same IPs every single day. If you block the IP range, you block the good traffic along with the bad.
How do hackers obtain these cloud email platform credentials?
Usually, it comes down to simple human mistakes. Developers sometimes accidentally leave API keys exposed in public GitHub repositories or commit files like .env containing raw login details. Other times, threat actors simply buy leaked, valid credentials on cybercrime forums for pocket change, often as cheap as $15.
Can user awareness training actually help if the technical filters fail?
Yes, but you have to change how you train people. Traditional training tells users to look for “red flags” like fake-looking email addresses or broken authentication metrics. With infrastructure abuse, those red flags aren’t there. Training needs to focus on behavioral checkpoints, like picking up the phone to verify any sudden, out-of-band request for money or sensitive account updates, no matter how clean the email looks.
