Research Note · Cloud & SaaS

Living off the Cloud
Modern persistence in Microsoft 365 & Google Workspace

Attackers no longer need to drop custom malware to maintain leverage in an organization. In a cloud-first world, they can live entirely inside Microsoft 365, Google Workspace, and key SaaS platforms—using OAuth consent, automation, and misdesigned identity to stay resident long after “the incident” is considered closed.

Topics: M365 & Google Workspace tradecraft · SaaS-native persistence paths · Defender playbook implications

This note is written for security leaders and engineers who want a realistic model of how attackers live off the cloud—and what to do about it.

Executive summary

What “living off the cloud” actually means

“Living off the cloud” is the modern counterpart to “living off the land.” Instead of abusing built-in Windows binaries, attackers abuse built-in cloud capabilities: OAuth apps, automation, shared mailboxes, service accounts, and sprawling permissions. The result is persistence and leverage without obviously malicious binaries.

Key idea

Persistence is now an API problem

Long-lived access often comes from tokens, app registrations, and automation—not implants. Your true “agent footprint” is every entity that can act as a human or a system in M365, Workspace, and SaaS.

Implication

“Malware-free” intrusions are normal

Many impactful intrusions never deploy traditional malware. Investigations that stop at “we saw no malicious binaries” are dangerously incomplete in a cloud-first environment.

For defenders

Focus on who can act as whom

Instead of only scanning endpoints, you need a clear picture of which identities, apps, and automations can impersonate users, move data, or reconfigure security controls.

Phase 1

Entry: from one compromised account to real leverage

Most relevant stories still begin with something familiar: phishing, password reuse, or token theft. What’s different is what happens after that first foothold, especially in M365 and Workspace.

Microsoft 365

From mailbox to tenant

  • Phishing yields credentials or a session cookie for one user.
  • Attacker signs in from a plausible location/device to avoid instant suspicion.
  • They explore Outlook, Teams, SharePoint, and OneDrive to map business workflows.
  • They look for privileged users, shared mailboxes, and high-value distribution lists.

Google Workspace

From “just email” to all of Google

  • Account takeover is often assumed to only impact Gmail.
  • In reality, Drive, Docs, Sheets, Groups, Chat, and Apps Script become rich targets.
  • Domain-wide delegation and third-party apps increase the blast radius significantly.

Common thread

Recon without malware

None of this requires custom tooling. Built-in search, audit trails, and directory views give attackers the reconnaissance they need, while blending into real user behavior.

Phase 2

Persistence: staying resident without implants

Once attackers understand who matters and which systems are critical, they shift from “do we have access?” to “how do we keep access if someone changes a password?”

Pattern

OAuth apps & delegated access

  • Register a new application or abuse an existing one.
  • Request scopes that allow reading mail, files, or directory data.
  • Leverage consent workflows (user or admin) to gain durable API access.
  • Use refresh tokens to outlive password changes or basic account resets.

Pattern

Automation as infrastructure

  • M365 Power Automate / Logic Apps, or Google Apps Script / AppSheet flows.
  • Rules that auto-forward mail, copy files, or push data to attacker-run endpoints.
  • Tasks triggered by “normal” events: new invoices, approvals, or ticket updates.

Pattern

Service accounts & integrations

  • SaaS integrations with broad access to mailboxes, storage, or calendars.
  • “Headless” accounts created for migration or automation that never expire.
  • API keys or secrets stored in wikis, ticketing systems, or CI/CD pipelines.

For defenders

Rethinking what “fully remediated” means

If your incident review ends with “passwords rotated, endpoints scanned, tickets closed,” you are probably leaving cloud-native persistence paths untouched. Remediation must now include identity, automation, and app-layer analysis.

Checklist

Post-incident cloud hygiene

  • Review OAuth apps and add-ins created or consented near the incident window.
  • Audit forwarding rules, transport rules, and automation flows for exfil patterns.
  • Inventory service accounts, shared mailboxes, and “migration” identities.
  • Ensure risky legacy protocols are disabled or tightly constrained.

Detection

Signals worth investing in

  • New app registrations and consent to high-privilege scopes.
  • Creation or modification of mailbox rules with external recipients.
  • Unusual automation behavior: spikes in flow runs or script execution.
  • Tokens or sessions active from impossible or unusual locations.
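The checklist and the detection signals above both come down to the same question: which audit events show someone granting durable API access or rerouting mail? The following is an added example (not code from this note or from Wolfe Defense Labs) that runs that logic over constructed M365 audit records. The field names approximate the shape of Unified Audit Log records and the tenant domain, scope list and sample events are assumptions made for the example; point it at a real export and tune the scope list for your tenant.

```python
"""Flag three cloud-persistence signals in constructed M365 audit records:
inbox/mailbox rules that forward externally, consent grants to high-privilege
Graph scopes, and new app registrations. Record shape is an assumption that
approximates Unified Audit Log output; all records below are constructed."""
import re
from datetime import datetime

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own mail domains

# Graph scopes that confer broad, durable access; extend for your tenant
HIGH_PRIVILEGE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "offline_access",
}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
APP_REGISTRATION_OPS = {"Add application.", "Add service principal."}

SAMPLE_RECORDS = [  # constructed sample data
    {"CreationTime": "2024-05-02T09:15:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Team copy"},
                    {"Name": "ForwardTo", "Value": '"bob" [SMTP:bob@contoso.example]'}]},
    {"CreationTime": "2024-05-02T09:40:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": '"relay" [SMTP:relay@external-relay.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-02T10:05:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@external-relay.example"}]},
    {"CreationTime": "2024-05-02T11:30:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "alice@contoso.example",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[[Id: 1, ConsentType: Principal, Scope: Mail.Read offline_access User.Read, "
                      "CreatedDateTime: 2024-05-02T11:30:00]]"}]},
    {"CreationTime": "2024-05-02T11:25:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add application.", "UserId": "alice@contoso.example"},
    {"CreationTime": "2024-05-03T08:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "Update user.", "UserId": "admin@contoso.example"},
]


def _params(record):
    """Exchange records carry cmdlet parameters as a list of {Name, Value}."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _emails(text):
    return re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text.lower())


def external_forwarding_targets(record):
    """External addresses an inbox/mailbox rule would send mail to ([] if none)."""
    if record.get("Workload") != "Exchange":
        return []
    targets = []
    for name, value in _params(record).items():
        if name in FORWARDING_PARAMS:
            targets += [e for e in _emails(str(value))
                        if e.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]
    return targets


def granted_high_privilege_scopes(record):
    """High-privilege scopes granted by a consent event (empty set otherwise)."""
    if record.get("Operation") != "Consent to application.":
        return set()
    scopes = set()
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            # assumption: permissions are rendered as "... Scope: a b c, ..." inside the value
            for m in re.finditer(r"Scope:\s*([^,\]]+)", prop.get("NewValue", "")):
                scopes.update(m.group(1).split())
    return scopes & HIGH_PRIVILEGE_SCOPES


def triage(records, start=None, end=None):
    """Return findings (sorted by time), optionally limited to an incident window."""
    lo = datetime.fromisoformat(start) if start else datetime.min
    hi = datetime.fromisoformat(end) if end else datetime.max
    findings = []
    for r in records:
        when = datetime.fromisoformat(r["CreationTime"])
        if not (lo <= when <= hi):
            continue
        base = {"time": r["CreationTime"], "user": r.get("UserId"), "operation": r["Operation"]}
        if targets := external_forwarding_targets(r):
            findings.append({**base, "signal": "external_forwarding", "detail": targets})
        if scopes := granted_high_privilege_scopes(r):
            findings.append({**base, "signal": "high_privilege_consent", "detail": sorted(scopes)})
        if r["Operation"] in APP_REGISTRATION_OPS:
            findings.append({**base, "signal": "app_registration", "detail": None})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["time"], f["signal"], f["user"], f["detail"])
```

The internal-only rule in the first record is deliberately not flagged: alerting on every rule creation buries the signal. The window arguments are what make the same function useful for the post-incident review, where you only want the events around the incident timeframe.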

Governance

Design for fewer high-risk paths

  • Reduce the number of identities that can grant tenant-wide consent.
  • Apply strong review processes for new integrations and automations.
  • Standardize on vetted patterns for common workflows (invoicing, HR, approvals).

Where to start

If you can only do a few things this quarter

Many organizations don’t have the capacity to rebuild everything at once. The goal is not perfection—it’s eliminating the easiest, most reusable persistence paths.

1. Build an “agent inventory”

Create and maintain a list of all entities that can act as a user or system: human identities, service accounts, OAuth apps, automations, and privileged devices. Review who owns them, and what they can touch.
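An agent inventory is only useful if it answers "who can act as whom" and ranks what to review first. The following is an added example (not code from this note or from Wolfe Defense Labs) that builds such an inventory from constructed directory exports: users, OAuth apps, automations and service accounts. The export shape, the scope-to-data-surface mapping and the scoring weights are assumptions for the example, not a Graph or Workspace API response; replace the constructed data with your own exports.

```python
"""Build an 'agent inventory' and rank entries by what they can act as and
who owns them. Data shape, surface mapping and weights are assumptions made
for this example; all records are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# constructed directory exports
USERS = [
    {"upn": "alice@contoso.example", "active": True, "roles": ["Global Administrator"]},
    {"upn": "bob@contoso.example", "active": True, "roles": []},
    {"upn": "carol@contoso.example", "active": False, "roles": []},  # has left the company
]
OAUTH_APPS = [
    # application (app-only) permission: acts on every mailbox with no human in the loop
    {"name": "Invoice Sync", "owner": None, "permission_type": "application", "scopes": ["Mail.Read"]},
    # delegated permission: acts only as the user who consented
    {"name": "Calendar Helper", "owner": "bob@contoso.example", "permission_type": "delegated",
     "scopes": ["Calendars.Read"], "granted_by": ["bob@contoso.example"]},
]
AUTOMATIONS = [
    {"name": "Forward invoices", "owner": "carol@contoso.example",
     "connections": ["Office 365 Outlook", "HTTP"]},
]
SERVICE_ACCOUNTS = [
    {"upn": "svc-migration@contoso.example", "owner": None,
     "roles": ["Exchange Administrator"], "password_expires": False},
]

# assumption: coarse mapping from scopes, roles and connectors to the data they reach
SCOPE_SURFACES = {"Mail": "mail", "Files": "files", "Directory": "directory",
                  "Calendars": "calendar", "RoleManagement": "security-config",
                  "Policy": "security-config"}
ROLE_SURFACES = {"Global Administrator": "security-config", "Exchange Administrator": "mail"}
CONNECTION_SURFACES = {"Office 365 Outlook": "mail", "SharePoint": "files",
                       "OneDrive": "files", "HTTP": "external-egress"}


@dataclass
class Agent:
    kind: str                      # user, oauth_app, automation, service_account
    name: str
    owner: Optional[str]
    acts_as: set = field(default_factory=set)   # identities it can impersonate; "*" = every user
    surfaces: set = field(default_factory=set)  # data it can reach
    notes: list = field(default_factory=list)


def active_users():
    return {u["upn"] for u in USERS if u["active"]}


def build_inventory():
    inv = []
    for u in USERS:
        inv.append(Agent("user", u["upn"], u["upn"], {u["upn"]},
                         {ROLE_SURFACES[r] for r in u["roles"]}))
    for app in OAUTH_APPS:
        acts = {"*"} if app["permission_type"] == "application" else set(app.get("granted_by", []))
        inv.append(Agent("oauth_app", app["name"], app["owner"], acts,
                         {SCOPE_SURFACES.get(s.split(".")[0], "other") for s in app["scopes"]}))
    for flow in AUTOMATIONS:
        inv.append(Agent("automation", flow["name"], flow["owner"], {flow["owner"]},
                         {CONNECTION_SURFACES.get(c, "other") for c in flow["connections"]}))
    for sa in SERVICE_ACCOUNTS:
        a = Agent("service_account", sa["upn"], sa["owner"], {sa["upn"]},
                  {ROLE_SURFACES[r] for r in sa["roles"]})
        if not sa["password_expires"]:
            a.notes.append("credential never expires")
        inv.append(a)
    return inv


def assess(agent, active):
    """Score one agent (weights are assumptions) and explain the score."""
    score, reasons = 0, []
    if agent.kind == "user":
        if "security-config" in agent.surfaces:
            score += 2; reasons.append("holds a role that can change security controls")
        return score, reasons
    if "*" in agent.acts_as:
        score += 3; reasons.append("can act as every user (application permission)")
    if agent.owner is None:
        score += 2; reasons.append("no owner on record")
    elif agent.owner not in active:
        score += 2; reasons.append(f"owner {agent.owner} is no longer active")
    if "security-config" in agent.surfaces:
        score += 2; reasons.append("can change security configuration")
    if agent.surfaces & {"mail", "files", "directory"}:
        score += 1; reasons.append("reaches mail, files or directory data")
    if "external-egress" in agent.surfaces:
        score += 1; reasons.append("can push data to external endpoints")
    return score + len(agent.notes), reasons + agent.notes


def review_queue(inventory, active):
    """Non-zero-risk agents, highest score first: the order to review them in."""
    ranked = [(s, a.kind, a.name, r) for a in inventory for s, r in [assess(a, active)] if s]
    return sorted(ranked, key=lambda t: (-t[0], t[2]))


if __name__ == "__main__":
    for score, kind, name, reasons in review_queue(build_inventory(), active_users()):
        print(f"{score:2d} {kind:16s} {name}: {'; '.join(reasons)}")
```

Note that the delegated "Calendar Helper" app never enters the queue: it acts only as one active user, on low-value data, with a named owner. The app-only "Invoice Sync" tops it because it can read every mailbox and nobody owns it, which is exactly the kind of entry that survives a password reset.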

2. Lock down consent and automation

Tighten who can approve new apps and flows. For business-critical automations, document their purpose and owners, and ensure there’s a clear change and review process.

3. Add 3–5 high-value detections

Focus on OAuth, mailbox rule abuse, and unusual admin behavior in M365/Workspace first. Even a small set of solid signals dramatically improves your ability to spot cloud-native persistence.

4. Run a focused tabletop

Simulate an intrusion where no malware is found, but business email and SaaS are compromised. See how leadership and responders react when the usual “reimage the host” playbook doesn’t apply.

Want help mapping your cloud persistence paths?

Wolfe Defense Labs runs cloud & SaaS–focused assessments and simulations that expose where attackers could live off your M365, Workspace, and SaaS stack, and builds a practical plan to close those gaps.
