In March 2025, a mid-market SaaS company we monitor watched their AWS bill jump from $14,000 to $310,000 in eleven days. No new product launch. No traffic spike. An attacker had stolen a developer’s session token from a stale browser tab, pivoted into their CI/CD pipeline, and spun up 4,200 GPU-backed instances across six regions to mine Monero. Forensics found the initial access broker had listed the credentials on a Russian-language forum for $180.
This is what cybercrime patterns targeting cloud infrastructure look like in 2025. Not Hollywood zero-days. Stolen tokens, abandoned IAM roles, and serverless functions repurposed faster than your CloudTrail alerts can fire.
The threat model shifted years ago. Most defenders haven’t caught up.
Why Cloud Became the Primary Hunting Ground
Corporate environments still absorb roughly 54% of all investigated incidents, but cloud services now make up the third most targeted environment at around 20% of cases — and that share is climbing every quarter. The math is obvious to anyone running a SOC. Cloud aggregates sensitive data, exposes it over the public internet by design, and lets attackers scale operations the same way legitimate engineers do: with an API call.
The shared responsibility model is the gift that keeps on giving for adversaries. Each cloud instance demands its own threat model. Each IAM role is its own attack surface. When a client onboards twenty SaaS vendors a quarter, every one of those OAuth grants is a new path into their environment — and most security teams never inventory them.
Static defenses don’t survive contact with elastic infrastructure. A container can spawn, exfiltrate, and terminate inside a six-minute window. Your weekly vulnerability scan will never see it.
The Identity Perimeter Is the Only Perimeter
Credential theft drives nearly every cloud breach I’ve investigated in the past eighteen months. Phishing, token hijacking, session hijacking — the techniques map cleanly to MITRE ATT&CK T1528 (Steal Application Access Token) and T1539 (Steal Web Session Cookie). What changed is the speed of monetization. Stolen tokens hit underground markets within hours. By the time the victim rotates the credential, three different threat actors have already used it.
Once inside, attackers hunt for secrets the way mushroom foragers hunt morels. Environment variables. Improperly scoped Secrets Manager entries. Instance metadata services (IMDSv1 is still alive in too many environments). Lambda function configurations with hardcoded API keys committed in 2022 and forgotten.
Five Cybercrime Patterns Dominating 2025
I’ll take the position now and defend it through the rest of this piece: if your detection program isn’t built around these five patterns, you are blind to the majority of real attacks happening in cloud environments right now.
1. Cloud Resource Hijacking for Attack Infrastructure
Adversaries stopped renting bulletproof hosting. Why pay when they can compromise yours?
The 2024 CloudHarvest campaign hijacked serverless functions across AWS Lambda, Azure Functions, and GCP Cloud Run to build a distributed C2 network. Each function had a legitimate-looking name, ran in a real tenant, and survived takedown attempts because shutting down the function meant disrupting the victim’s actual workloads. The operators rotated through hundreds of compromised tenants per week.
Detection requires baselining what your serverless workloads should do. Outbound connections from a Lambda that’s supposed to process S3 uploads but suddenly initiates 443 traffic to a residential IP block in Bulgaria — that’s the signal. Most teams don’t have flow logs enabled on Lambda at all.
2. Supply Chain Code Injection
Don’t attack the bank. Attack the company that paints the bank.
The DepRaider campaign in 2023 compromised the CI systems of open-source Python package maintainers, injecting malicious code into legitimate updates. The 2024-2025 wave moved upstream further — attackers now target the build runners themselves. A poisoned GitHub Actions workflow can mint tokens with permissions the package maintainer never knew existed.
One of our managed customers, a fintech with a heavy Terraform footprint, had a typosquatted provider sneak into their module registry. The provider exfiltrated state files containing RDS credentials on every terraform plan. We caught it because we pin every provider hash and run terraform providers lock with explicit checksums. Most shops don’t bother. Read the Terraform documentation on dependency lock files — then actually use them.
3. Misconfiguration Mining at Scale
This isn’t new. It’s just industrialized.
Public S3 buckets, permissive IAM roles, exposed Kubernetes dashboards, RDS instances with 0.0.0.0/0 ingress — attackers run continuous scans against the entire IPv4 space and every cloud provider’s published ranges. The time between accidentally making a bucket public and someone touching it is measured in minutes, not days.
The pattern shifted in 2025: criminals are now correlating misconfiguration scans with leaked credential databases. They don’t just find your open S3 bucket — they find your open S3 bucket and the leaked SSO password belonging to the engineer who created it. The chained access is what turns a low-severity finding into a full compromise.
4. Cascading Failure Through Interdependent APIs
The 2023 Cloudflare incident is still the cleanest case study. A vulnerability in a logging library let attackers pivot through interdependent services across thousands of organizations in under 48 hours. The blast radius wasn’t determined by the original vulnerability — it was determined by how many vendors trusted the compromised service implicitly.
Your IdP federates to your CSPM tool, which federates to your ticketing system, which federates to your code repo. Compromise one node and the attacker inherits the trust graph. This is why NIST’s Zero Trust Architecture (SP 800-207) isn’t a marketing term — it’s a survival document.
5. IoT and Edge as the New Soft Underbelly
Analysts project over 64 billion IoT devices deployed globally by 2026. Each one is a tiny Linux box, often unpatched, frequently exposing services its vendor forgot about. Attackers chain edge devices into entry points for the cloud workloads they connect to.
A client in industrial manufacturing had their entire OT environment compromised through a $80 smart thermostat in a satellite office. The thermostat phoned home to a vendor cloud service. That vendor cloud service shared a VPC peering connection with the client’s Azure tenant. Three hops, full domain admin.
What Actually Works: A Defender’s Counter-Pattern
I get asked constantly whether the answer is more tools. It isn’t. The answer is fewer tools used correctly, and discipline around four areas. Here’s the counter-pattern I push on every engagement.
Treat Identity Like a Firewall Rule
Every IAM policy should be auditable, version-controlled, and reviewed quarterly. Use Microsoft’s Entra ID Conditional Access (or AWS IAM Access Analyzer, or GCP Policy Analyzer) to find unused permissions and revoke them. The principle of least privilege fails when nobody enforces it after the initial deployment.
Rotate session tokens aggressively. Use short TTLs on access tokens (15 minutes) and longer-lived refresh tokens bound to client certificates. This breaks the resale market for stolen credentials because by the time the buyer logs in, the token is dead.
Log Everything, Alert on Behavior
CloudTrail, Azure Activity Log, GCP Audit Logs — enable them across every account, every region, every service. Ship them to a SIEM that does behavioral baselining, not signature matching. The detection rule that catches CloudHarvest-style activity looks like: this Lambda function has never initiated an outbound connection to a non-AWS IP, and now it has. Signature rules can’t write that. Behavioral baselines can.
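As an added illustration of the behavioral rule described here and in the CloudHarvest section (example code written for this edit, not the author's tooling): assuming the Lambda is VPC-attached so its ENI appears in VPC flow logs, the script learns each ENI's destinations from a baseline window and flags any new destination outside a trusted prefix list. The flow records and the trusted prefixes are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC flow log records in the default version-2 layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
BASELINE_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.15 52.216.0.25 44321 443 6 10 4300 1711000000 1711000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 52.216.0.25 44322 443 6 12 5100 1711000100 1711000160 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 52.119.0.9 44323 443 6 8 2900 1711000200 1711000260 ACCEPT OK
"""
NEW_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.15 52.216.0.25 44400 443 6 10 4300 1711090000 1711090060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 95.87.12.34 44401 443 6 2000 9000000 1711090100 1711090160 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 44402 5432 6 30 12000 1711090200 1711090260 ACCEPT OK
"""

# Constructed stand-in for "known good" address space: the provider's published
# ranges (ip-ranges.json for AWS) plus your own VPC CIDRs.
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("52.216.0.0/15", "52.119.0.0/16", "10.0.0.0/16")]

def parse_flow_logs(text):
    """Yield (eni, dst_ip, dst_port, bytes) for every ACCEPTed record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        yield f[2], f[4], int(f[6]), int(f[9])

def build_baseline(text):
    """Map each ENI to the (dst_ip, dst_port) pairs seen during the learning window."""
    baseline = defaultdict(set)
    for eni, dst, port, _ in parse_flow_logs(text):
        baseline[eni].add((dst, port))
    return baseline

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PREFIXES)

def find_new_egress(baseline, text):
    """The 'never talked to a non-AWS IP, and now it has' rule: new destination for this ENI, outside trusted space."""
    alerts = []
    for eni, dst, port, nbytes in parse_flow_logs(text):
        if (dst, port) in baseline.get(eni, set()) or is_trusted(dst):
            continue
        alerts.append({"eni": eni, "dst": dst, "port": port, "bytes": nbytes})
    return alerts
```

The internal 10.0.2.40:5432 record is new for the ENI but inside trusted space, so it is not raised; only the external destination with the large byte count is.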
Pair this with proper process monitoring on your compute. The fundamentals from our writeup on Linux process management with ps, top, kill, and systemctl still apply — most cloud workloads are Linux, and most cloud attacks land in a shell at some point.
Encrypt and Manage Keys Like You Mean It
Customer-managed keys, not provider-managed keys, for anything sensitive. Separate the key administrators from the data administrators. We covered the operational details in our breakdown of encryption key management across AWS, Azure, and GCP, and the takeaway hasn’t changed: if your cloud provider can decrypt your data without your involvement, your encryption is mostly performative.
Back Up Like You Expect to Be Breached
Because you will be. Ransomware operators target cloud backups specifically — Veeam repositories, Azure Backup vaults, AWS Backup. If your backups live inside the same identity boundary as your production data, they will be encrypted alongside it.
One of our managed customers, a regional logistics firm, lost their entire Azure tenant to a ransomware crew in late 2024 — except the data we’d been replicating to an offsite NAS backup environment isolated from their cloud identity. They were back online in 19 hours. The companies that didn’t have offsite, immutable backups in that same campaign paid an average of $2.4M or rebuilt from scratch.
For Microsoft 365 environments specifically, the native retention policies are not a backup strategy. We deploy dedicated Teams backup for every customer running M365 because Microsoft’s shared responsibility model explicitly does not include data recovery from malicious deletion or ransomware.
The Hard Caveats Nobody Wants to Hear
I’m going to lose readers with this section. Worth it.
First caveat: most of what you’ve been sold as “cloud security” by your CNAPP vendor is dashboard theater. Posture management tools are useful for inventory and compliance reporting. They are largely useless for detecting active intrusions. The attackers aren’t tripping CIS benchmark misconfigurations — they’re using stolen credentials to do exactly what those credentials are authorized to do.
Second caveat: cloud-native security tools have blind spots their vendors don’t advertise. AWS GuardDuty doesn’t see lateral movement inside a single account between services unless you specifically enable the corresponding feature tiers. Defender for Cloud’s recommendations queue gets ignored by 80% of teams within three months of deployment. Tooling buys you potential. Operations realizes it.
Third caveat: zero trust isn’t a product. It’s a posture that requires rewriting how your applications authenticate, how your data flows, and how your engineers do their jobs. Buying a ZTNA gateway and calling it done is exactly the wrong move. Read the NIST document, identify the gaps in your architecture, and prioritize ruthlessly.
Fourth caveat: if your team can’t tell me what every cross-tenant OAuth grant in your Microsoft 365 environment is for, you have a supply chain attack surface you can’t measure. Start there before you buy another tool.
Building Detection That Survives Contact With Reality
The detection engineering work that actually moves the needle is unglamorous. Cataloging what your workloads do. Writing rules that fire on deviations from normal. Tuning them weekly until your false positive rate is something a human can actually triage.
For the SaaS company I mentioned in the opening — the one that paid $310K for an unwanted crypto mining operation — the fix wasn’t expensive. We deployed three changes: short-lived session tokens with FIDO2 step-up for IAM changes, behavioral rules on EC2 RunInstances calls outside business hours, and a budget alert at $500/day per account. Total cost to implement: under two engineering weeks. Total cost of the incident: north of $400K when you include the IR engagement and the rebuild of their CI/CD pipeline.
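The RunInstances rule from the second fix, as an added example written for this edit (not the engagement's actual rule): it scores constructed CloudTrail records against an assumed baseline of business hours, expected regions, instance families and launch counts. The baseline values and the caller ARN are assumptions; the second sample event mirrors the GPU fleet from the opening story.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"eventTime": "2025-03-03T14:05:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"instanceType": "t3.medium",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 2}]}}},
    {"eventTime": "2025-03-03T02:41:00Z", "eventName": "RunInstances", "awsRegion": "ap-south-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"instanceType": "p3.16xlarge",
                           "instancesSet": {"items": [{"minCount": 50, "maxCount": 50}]}}},
    {"eventTime": "2025-03-03T10:00:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "requestParameters": {}},
)]

# Assumed baseline for this account; derive yours from a few weeks of normal CloudTrail.
BUSINESS_HOURS_UTC = range(8, 19)                  # 08:00-18:59 UTC, Monday to Friday
EXPECTED_REGIONS = {"us-east-1", "us-west-2"}
ACCELERATED_FAMILIES = ("p", "g", "inf", "trn")    # GPU/accelerator instance families
MAX_EXPECTED_COUNT = 10

def requested_count(params):
    """Sum maxCount over instancesSet items (absent for non-launch calls)."""
    items = (params.get("instancesSet") or {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items)

def evaluate(event_json):
    """Return the reasons a RunInstances call deviates from baseline; [] means normal."""
    ev = json.loads(event_json)
    if ev.get("eventName") != "RunInstances":
        return []
    reasons = []
    ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS_UTC:
        reasons.append("launched outside business hours")
    if ev.get("awsRegion") not in EXPECTED_REGIONS:
        reasons.append("launched in unexpected region " + ev.get("awsRegion", "?"))
    params = ev.get("requestParameters") or {}
    family = params.get("instanceType", "").split(".")[0]
    if family.startswith(ACCELERATED_FAMILIES):
        reasons.append("accelerated instance family " + family)
    count = requested_count(params)
    if count > MAX_EXPECTED_COUNT:
        reasons.append(f"requested {count} instances (baseline max {MAX_EXPECTED_COUNT})")
    return reasons
```

Several weak signals stacking on one call is the point: the daytime t3.medium launch scores nothing, while the overnight p3 launch of 50 instances in an unexpected region trips all four checks.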
The economics of defense favor preparation. The economics of cleanup favor nobody.
One Practical Takeaway
If you do one thing this quarter, do this: run a credential audit across every cloud account you operate. Find every long-lived access key, every service principal with permissions older than 90 days, every OAuth grant your users have approved on their own. Inventory it. Question every entry. Revoke aggressively.
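One way to run the access-key part of that audit offline, as an added example written for this edit (not the author's tooling): it parses an IAM credential report, the CSV that `aws iam get-credential-report` returns once base64-decoded, and flags active keys older than 90 days, active keys that have never been used, and console users without MFA. The report excerpt and the audit date are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an IAM credential report, trimmed to the columns this audit reads.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2022-02-10T09:01:00+00:00,2025-03-01T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,true,2025-02-15T08:00:00+00:00,2025-03-02T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,true,true,2024-01-05T08:00:00+00:00,N/A,true,2025-01-10T08:00:00+00:00,2025-03-01T09:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                            # the 90-day threshold from the takeaway
AUDIT_DATE = datetime(2025, 3, 5, tzinfo=timezone.utc)     # constructed "now" for the sample

def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A and no_information mean 'never'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(csv_text, now):
    """Return (user, finding) pairs: stale active keys, never-used keys, console users without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} last rotated {(now - rotated).days} days ago"))
            if last_used is None:
                findings.append((user, f"access key {slot} is active but has never been used"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {finding}")
```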
The attackers are already enumerating these credentials. Find them before someone with worse intentions does.
If you want help building a detection program that actually maps to the cybercrime patterns targeting cloud infrastructure in 2025 — or if you need an outside set of eyes on your current setup — reach out to us. We’ve spent years inside breached cloud environments. We’d rather spend the next few inside yours before something goes wrong.