SaaS Platform Abuse: Phishing on the Trusted Cloud
· by Spicy Stromboli · link-analysis, saas-abuse, cloud-security, phishing-evasion, phishpond
SaaS platform phishing abuse is a technique where cybercriminals host credential-harvesting pages and malware payloads directly on trusted cloud infrastructure. By deploying forms, slides, documents, or websites on domains like google.com, notion.so, sharepoint.com, and canva.site, attackers exploit the inherent domain reputation of these technology giants. Since secure email gateways cannot easily block these services without disrupting legitimate business, these malicious links bypass filtering systems and reach user inboxes.
The digital landscape of 2026 has witnessed a fundamental shift in how phishing campaigns are hosted. In the past, threat actors purchased cheap, look-alike domains and set up standalone servers to run their scams. This approach had a glaring vulnerability: security scanners could quickly detect these newly registered domains, flag their lack of reputation history, and block them site-wide. To survive, cybercriminals had to find a way to make their malicious destinations look entirely legitimate.
The solution they found is known as SaaS platform abuse, also called reputation hijacking. Instead of building their own digital houses, attackers are moving in as tenants on the secure cloud networks of major software giants. By hosting their credential harvesting pages on platforms that are essential to daily business operations, they force secure email gateways into an impossible choice: block the phishing page and break business productivity, or let the trusted domain through and risk user compromise.
Here is a comprehensive breakdown of how SaaS platform abuse works, why security gateways struggle to stop it, and how you can spot these trusted-cloud threats.
The Reputation Hijacking Strategy
To understand why this technique is so effective, you must look at how modern email filtering systems decide what is safe. When an email arrives at a corporate inbox, the Secure Email Gateway (SEG) analyzes every link in the message body. It evaluates factors like domain age, SSL certificate validity, and the overall web reputation of the hosting domain.
If a link points to a domain like notion.so or sharepoint.com, the security scanner sees a domain registered years ago, backed by multi-billion dollar enterprises, and trusted by millions of users daily. The gateway assigns a high-trust rating to the link and routes the email directly to the user’s inbox.
By using these platforms, attackers leverage what security analysts call a “shield of legitimacy.” They do not need to build trust; they simply borrow it. This represents a significant challenge for security teams: they cannot block the root domain because their own employees rely on Notion for documentation, SharePoint for collaboration, and Google Forms for feedback. Blocking the host domain would bring standard business communications to a halt.
Deep Dive: The Targets of SaaS Abuse
Cybercriminals have adapted their tactics to exploit the specific features of various cloud platforms. While any service that allows user-generated content is vulnerable, four platforms are abused with the highest frequency in modern phishing campaigns.
1. Microsoft SharePoint and OneDrive
Microsoft’s cloud suite is the central nervous system of the modern corporate workplace, which makes it the primary target for credential-harvesting scams.
In a typical SharePoint exploit, the victim receives an email claiming that a colleague has shared an urgent contract, invoice, or employee benefit update. The link in the email does not lead to a spoofed login page; it leads to a genuine, authenticated SharePoint document or presentation. Because the document is hosted on Microsoft’s own servers, the email gateway passes it with no hesitation.
When the victim clicks the link, they open a real SharePoint file. Inside that document, however, sits a large button or link: “Click here to view secure document.” That second link is the actual trap, redirecting the user out of the Microsoft ecosystem to an external credential-harvesting page. By inserting a legitimate SharePoint file as a middle-man, the attacker keeps the initial link in the email completely clean, bypassing sandbox scanners that only inspect the first layer of redirects.
2. Google Forms and Google Slides
Google Forms was designed to make surveys and data gathering simple. Scammers, however, use it as a pre-built backend for credential collection.
Instead of writing custom code to validate and save stolen passwords, attackers construct forms that mimic login screens or account verification portals. When a user submits their email and password into the form, Google’s infrastructure processes the request and saves the data directly to the attacker’s Google Sheet.
Google Slides is similarly abused to host “lure pages.” Attackers create slides that look like software update alerts or document viewer panels, embedding links to malicious downloads inside the slides. Because the host domain is docs.google.com, the links sail past security gateways.
3. Notion
Notion’s flexible, markdown-based workspace has made it a favorite for startups and developers. It has also become a favorite for phishing campaigns.
Attackers use Notion to build clean, minimalist landing pages that look like official corporate portals. Since Notion allows anyone to publish a page to the web with a single click, scammers can programmatically generate thousands of distinct decoy URLs on the notion.so domain. These pages often feature fake “PDF download” buttons that lead to session hijacking sites or redirect chains.
4. Canva
Canva’s free website builder is an incredibly powerful tool for small businesses. Unfortunately, it is also a powerful tool for scammers.
Attackers use Canva’s drag-and-drop builder to construct polished, visual phishing pages that impersonate brands like DHL, FedEx, or DocuSign. Because Canva hosts these pages on subdomains like my.canva.site, they benefit from Canva’s established domain authority. The pages look professional, load instantly, and carry valid SSL certificates, checking every box that standard security tools look for to verify site safety.
Why Secure Email Gateways Fail to Block Cloud Phishing
Traditional secure email gateways are designed to catch static threats. They scan for known malicious links, watch for bad IP reputations, and analyze basic email structures. SaaS platform abuse exploits the core architecture of these scanning systems in three ways:
- Failure of Flat Domain Blocking: Blocking a sub-page on a trusted domain requires blocking the exact path (e.g. notion.so/workspace/malicious-page). If the scanner does not inspect the full URL path, or if the attacker uses URL redirects to obscure the path, the scanner falls back to evaluating the root domain, which is marked as safe.
- Dynamic and Gated Content: Many cloud documents sit behind login portals or require specific session cookies to render. When a security gateway visits the link in its sandbox, it may see only a blank page or a generic login prompt and mark the link as clean. When a real user clicks it, their browser presents its active session cookies, the document renders, and the malicious content is delivered.
- Polymorphic Generation: Because cloud platforms offer APIs and templates, attackers can automate the creation of new landing pages in real-time. If one page gets flagged, a script instantly generates a fresh page on a new path, making static blacklist databases useless.
Spotting SaaS Hosting Exploits: What to Look For
Since you cannot rely on automated filters to block these links, the responsibility falls on human verification. Defending against cloud phishing requires looking past the brand of the domain and inspecting the actual content of the page.
- Analyze the Domain-to-Content Match: Ask yourself why Microsoft, FedEx, or your bank would host an official communication on a free Notion page or a Google Form. Real organizations do not host account recovery portals on Canva sites or SharePoint slides. If the domain is canva.site but the page claims to be a DHL delivery update, it is a scam.
- Look for the Interactive “Middle-Man”: Be highly suspicious of emails that direct you to a document (a PDF, slide, or Word file) that does nothing but contain a single link to another website. This layering is designed specifically to hide the final destination from email checkers.
- Use Link Scanners Safely: Before entering any data on a page hosted on a cloud platform, verify where the links inside that page lead. You can copy the link address and use PhishPond.io to trace the redirection paths. Our Link Scout tool evaluates beyond the initial domain and follows the hops to highlight where the data actually goes. Understanding how to analyze these redirections is covered in detail in our guide on reading a redirect chain.
For non-technical users, building a habit of verifying links is the most reliable defense. If a page asks for your credentials but the browser address bar shows a free SaaS domain, stop. Navigate directly to the official website of the service provider by typing their address manually, and log in from there.
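The three checks above (the domain-to-content match, the single-link “middle-man” document, and following a redirect chain to its final landing host) can be scripted for analysts who triage reported links in bulk. The Python helper below is an added example written for this article; it is not PhishPond’s Link Scout or any vendor’s code. The list of user-content hosts, the brand keywords, the sample Canva page text, and the redirect table (which stands in for the HTTP 3xx responses a live tracer would receive) are all constructed for the demo. It also illustrates the flat-domain-blocking failure from the previous section: a check keyed on the registrable domain alone would rate every input here as trusted, so the triage keys on the full URL, the page content, and where its outbound links end up.

```python
"""Triage helper for pages hosted on user-content SaaS domains.

Added example for this article, not PhishPond's Link Scout. The host list,
brand keywords, sample page and redirect table are constructed for the demo.
"""
from urllib.parse import urlparse

# Hosts where anyone can publish content under the platform's domain (constructed).
USER_CONTENT_HOSTS = {
    "notion.so", "notion.site", "docs.google.com", "forms.gle",
    "my.canva.site", "sharepoint.com", "1drv.ms",
}

# Brands that have no business running a login on the hosts above (constructed).
IMPERSONATED_BRANDS = ("dhl", "fedex", "docusign")

# Phrases that indicate the page is asking for credentials.
CREDENTIAL_WORDS = ("password", "sign in", "log in", "verify your account")


def registrable_domain(host):
    """Collapse a hostname to its last two labels (sufficient for this demo)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def is_user_content_host(url):
    """True if the URL's host is a platform that serves user-published pages."""
    host = (urlparse(url).hostname or "").lower()
    return host in USER_CONTENT_HOSTS or registrable_domain(host) in USER_CONTENT_HOSTS


def follow_redirects(url, redirect_table, max_hops=10):
    """Walk a redirect chain and return every hop, stopping on loops or max_hops.

    redirect_table maps a URL to its Location target; it stands in for the
    3xx responses a live tracer would receive.
    """
    chain = [url]
    seen = {url}
    while chain[-1] in redirect_table and len(chain) <= max_hops:
        nxt = redirect_table[chain[-1]]
        if nxt in seen:
            break  # redirect loop
        seen.add(nxt)
        chain.append(nxt)
    return chain


def triage(url, page_text, outbound_links, redirect_table):
    """Return findings for one page: brand/host mismatch, middle-man layout,
    and the final landing host of each link that leaves the platform."""
    findings = []
    text = page_text.lower()
    on_saas = is_user_content_host(url)
    host_domain = registrable_domain(urlparse(url).hostname or "")

    # 1. Domain-to-content match: a courier or e-signature brand plus a
    #    credential prompt on a free SaaS host is the mismatch the article describes.
    brands = [b for b in IMPERSONATED_BRANDS if b in text]
    if on_saas and brands and any(w in text for w in CREDENTIAL_WORDS):
        findings.append(f"brand/host mismatch: {', '.join(brands)} content on {host_domain}")

    # 2. Middle-man document: the page exists only to hand the user one link
    #    that leaves the platform.
    external = [link for link in outbound_links
                if registrable_domain(urlparse(link).hostname or "") != host_domain]
    if on_saas and len(outbound_links) == 1 and external:
        findings.append(f"middle-man document: single external link to {external[0]}")

    # 3. Redirect chain: report where each external link finally lands.
    for link in external:
        chain = follow_redirects(link, redirect_table)
        if len(chain) > 1:
            findings.append(
                f"redirect chain ({len(chain) - 1} hops) ends at {urlparse(chain[-1]).hostname}")
    return findings


# Constructed sample: a Canva site posing as a DHL delivery notice whose single
# button bounces through a shortener before landing on a credential page.
SAMPLE_URL = "https://my.canva.site/delivery-update-8841"
SAMPLE_TEXT = ("DHL: your parcel is on hold. Sign in with your email and "
               "password to release it.")
SAMPLE_LINKS = ["https://short.example/x1"]
SAMPLE_REDIRECTS = {
    "https://short.example/x1": "https://cdn.example/go?u=2",
    "https://cdn.example/go?u=2": "https://login-portal.example/verify",
}


def triage_sample():
    """Run the triage over the constructed sample and return its findings."""
    return triage(SAMPLE_URL, SAMPLE_TEXT, SAMPLE_LINKS, SAMPLE_REDIRECTS)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

Run as a script, the sample produces three findings: the DHL-branded credential prompt on canva.site, the single external link that makes the page a middle-man document, and the two-hop chain that ends on a host unrelated to either Canva or DHL. In a real deployment the redirect table would be replaced by an HTTP client that records each Location header without following it automatically, and the host list would be maintained alongside the gateway’s allow-list so that every allowed user-content domain is also a triaged one.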