Full Report
Most cyberattacks today don’t start with loud alarms or broken firewalls. They start quietly—inside tools and websites your business already trusts. It’s called “Living Off Trusted Sites” (LOTS)—and it’s the new favorite strategy of modern attackers. Instead of breaking in, they blend in. Hackers are using well-known platforms like Google, Microsoft, Dropbox, and Slack as launchpads. They hide
Analysis Summary
# Tool/Technique: Living Off Trusted Sites (LOTS) Attacks
## Overview
LOTS (Living Off Trusted Sites) is an adversarial strategy where attackers blend malicious activity into routine, legitimate network traffic originating from or passing through platforms and services that organizations inherently trust. The goal is to evade detection by bypassing traditional security measures that look for known malware signatures or anomalous external connections, as the activity appears to originate from a trusted source.
## Technical Details
- Type: Technique
- Platform: Cloud services, SaaS applications, collaboration tools (e.g., Google, Microsoft, Dropbox, Slack, Teams, Zoom, GitHub)
- Capabilities: Hiding malicious code/payloads within legitimate service traffic; bypassing signature-based detection; utilizing trusted infrastructure for command and control or payload hosting.
- First Seen: Described as the "new favorite strategy of modern attackers" (context implies recent prominence).
## MITRE ATT&CK Mapping
As LOTS is a broad methodology focusing on evasion via trusted channels, it maps to several overarching tactics involving the misuse of legitimate systems:
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1070 - Indicator Removal on Host
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (leveraging legitimate service protocols)
*(Note: Specific T-numbers are inferred based on the nature of hiding within trusted services, as the article does not provide granular ATT&CK mapping.)*
## Functionality
### Core Capabilities
- **Blending In:** Embedding malicious components within traffic generated by common business tools (SaaS apps, cloud platforms).
- **Bypassing Traditional Defenses:** Avoiding detection mechanisms that rely on spotting suspicious binaries or unauthorized IP addresses, because the destinations themselves are legitimate and the traffic looks like ordinary use of them.
- **Payload Hosting/Redirection:** Utilizing trusted cloud services to host payloads or short/vanity URLs that redirect users to malicious content.
### Advanced Features
- **Exploiting Trust:** Actively leveraging the implicit trust organizations place in major platforms (Google, Microsoft, Dropbox, Slack, Teams, Zoom, GitHub) as launchpads.
- **Stealthy Operation:** Operating "quietly" inside tools, making detection challenging until execution or impact occurs.
## Indicators of Compromise
- File Hashes: N/A (Focus is on traffic/behavior, not specific local malware signatures)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Suspicious usage patterns within traffic flowing to or from trusted vendors (e.g., abnormal payload sizes, out-of-band communication patterns disguised as normal API calls or service interactions).
- Behavioral Indicators: Unusual sequences of actions within collaborative tools (e.g., file sharing patterns, command execution via integrated bots, or unexpected redirection via shortened links).
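As an added illustration (not from the article), the Python script below runs two of the behavioral checks described above over a constructed proxy-log sample: clockwork request timing from one user to a trusted domain, and a single upload far above that user's own baseline to the same destination. The log column layout, the thresholds and all log values are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real data): timestamp,user,destination,method,bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:00,alice,docs.google.com,GET,512
2024-05-01T09:05:00,alice,docs.google.com,GET,480
2024-05-01T09:10:00,alice,docs.google.com,GET,530
2024-05-01T09:15:00,alice,docs.google.com,GET,495
2024-05-01T09:20:00,alice,docs.google.com,GET,505
2024-05-01T09:02:13,bob,docs.google.com,GET,900
2024-05-01T10:41:07,bob,docs.google.com,POST,3000
2024-05-01T13:17:55,bob,docs.google.com,GET,640
2024-05-01T09:30:00,carol,api.dropbox.com,POST,4000
2024-05-01T09:31:00,carol,api.dropbox.com,POST,52000000
2024-05-01T11:02:45,carol,api.dropbox.com,GET,3800
"""
BEACON_MIN_REQUESTS = 5  # enough points to judge interval regularity (assumed threshold)
BEACON_MAX_CV = 0.1      # stdev/mean of request gaps below this looks like clockwork
UPLOAD_RATIO = 20        # one request this many times the pair's median is outsized

def parse_log(text):
    """Group requests by (user, destination) as time-sorted (timestamp, bytes_sent)."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, host, _method, sent = line.split(",")
        sessions[(user, host)].append((datetime.fromisoformat(ts), int(sent)))
    return {k: sorted(v) for k, v in sessions.items()}

def find_anomalies(text):
    """Return (user, destination, reason) for clockwork beacons and outsized uploads."""
    findings = []
    for (user, host), reqs in parse_log(text).items():
        times = [t for t, _ in reqs]
        sizes = [b for _, b in reqs]
        if len(reqs) >= BEACON_MIN_REQUESTS:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < BEACON_MAX_CV:
                findings.append((user, host, "regular-interval beaconing"))
        if len(sizes) >= 3 and max(sizes) > UPLOAD_RATIO * statistics.median(sizes):
            findings.append((user, host, "outsized upload vs. pair baseline"))
    return findings
```

Both checks key on the (user, destination) pair rather than the destination alone, which is what keeps a trusted domain from masking a single user's unusual behavior toward it.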
## Associated Threat Actors
- Modern attackers (general term used in the article, suggesting widespread adoption by current threat groups).
## Detection Methods
- Signature-based detection: Ineffective against the core LOTS methodology.
- Behavioral detection: Crucial for catching activity hidden within legitimate traffic.
- YARA rules: N/A (Not explicitly mentioned)
## Mitigation Strategies
- **Threat Hunting:** Proactively searching for stealthy attackers hiding inside "normal" traffic.
- **Improved Detection:** Implementing security strategies specifically designed to monitor and analyze traffic patterns within trusted SaaS applications and cloud services.
- **Reducing False Positives:** Refining security alerts to focus on meaningful deviations within legitimate channels.
## Related Tools/Techniques
- Abusing legitimate cloud services for command and control or phishing.
- Living off the Land (LOTL) Binaries.
- Trusted Cloud Service Exploitation.