What Is Living Off Trusted Sites (LOTS)?

Living Off Trusted Sites (LOTS) is a cyberattack technique where threat actors abuse legitimate, well-known cloud services and platforms to conduct malicious activities while evading detection.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Living Off Trusted Sites (LOTS) is a cyberattack technique where threat actors abuse legitimate, well-known cloud services and platforms to conduct malicious activities while evading detection. The technique leverages the trust, reputation, and allowlisted status of widely-used services—GitHub, Google Drive, OneDrive, Discord, Gmail, and others—to host phishing pages, operate command-and-control servers, distribute malware, and exfiltrate data. Unlike Living Off the Land attacks which exploit native operating system tools, LOTS exploits cloud service infrastructure to hide in plain sight.

How does Living Off Trusted Sites work?

LOTS attacks operate through four primary abuse vectors that exploit the trusted nature of cloud services.

Phishing attacks using LOTS involve attackers creating credential-harvesting pages on trusted domains. Threat actors use Google Forms, GitHub gists, or Notion documents to impersonate legitimate services, collecting credentials on platforms that users and security filters inherently trust.

Command-and-control operations leverage cloud service APIs, web storage, or messaging platforms. Malware operators use Telegram APIs, Discord webhooks, or cloud storage services to maintain persistent command channels. According to Insikt Group research cited by Spamhaus, 25% of current malware families abuse legitimate cloud services, with two-thirds of those abusing multiple services.

Malware distribution through LOTS involves dropper sites hosted on Google Drive, OneDrive, or GitHub that distribute payloads disguised as legitimate files. Users download what appears to be a document or software update from a trusted platform, only to execute malware.

Data exfiltration using LOTS means stolen data is uploaded to cloud storage, pasted to paste sites, or sent via legitimate messaging services. Exfiltration through trusted services blends with normal organizational traffic, making detection significantly more difficult.

The technical evasion mechanisms are highly effective. Legitimate services have long whitelisting history; security filters rarely block them. Traffic blends with normal organizational use of services, making behavioral detection difficult. APIs and web interfaces bypass traditional network perimeter controls. Dwell time increases because attackers remain undetected longer when operating through trusted platforms.

According to Insikt Group research cited by Spamhaus, approximately 25% of phishing attempts use trusted domains. Spamhaus (2024) reports that Google Cloud is the most exploited cloud service, followed by Telegram, email services, and social media platforms.

How does LOTS differ from related techniques?

| Aspect | LOTS | LOTL | Traditional Phishing |
| --- | --- | --- | --- |
| Tool Source | External cloud services | Native OS tools | Email/messaging |
| Whitelisting | High (trusted domains) | Medium (admin tools) | Low (email) |
| Detection Difficulty | Very High | High | Moderate |
| Skill Required | Medium (cloud APIs) | High (OS internals) | Low-Medium |
| Dwell Time | Often extended | Extended | Short |
| Payload Type | Phishing, C2, exfil | Privilege escalation, lateral movement | Credential theft |
| Ideal for | Evading cloud-aware security; long-term access to SaaS environments | Post-compromise lateral movement; environments with weak behavioral detection | Initial access via social engineering; credential harvesting at scale |

Living Off Trusted Sites differs fundamentally from Living Off the Land attacks. LOTL exploits native operating system tools such as PowerShell and Windows Management Instrumentation (WMI), while LOTS abuses external cloud services. According to the LOTS Project and CrowdStrike, both techniques evade detection but use different infrastructure—LOTL operates within the victim's environment using legitimate system utilities, while LOTS requires external cloud service communication.

Traditional phishing typically uses email or messaging platforms that security filters can analyze and block. LOTS phishing uses trusted domains that are whitelisted by most organizations, making filtering significantly more difficult without blocking legitimate business use of the same services.

The detection difficulty for LOTS is very high because organizations cannot simply block cloud services that employees use for legitimate work. According to Spamhaus and Ikarus Security, legacy security tools do not monitor cloud service API behavior for anomalies, creating a significant detection gap.

The skill required for LOTS attacks is moderate—attackers need to understand cloud APIs and service features but do not need the deep operating system knowledge required for LOTL attacks. This accessibility expands the pool of threat actors capable of conducting LOTS attacks.

Why does Living Off Trusted Sites matter?

LOTS represents a fundamental shift in attack methodology that security architectures struggle to address.

CrowdStrike (2024) reports that 79% of intrusions in 2024 were fileless or Living Off the Land, up from 62% in 2023. This trend demonstrates that attackers favor techniques that evade traditional security controls. Between 2021 and 2022, CrowdStrike observed malware-free detections increase from 62% to 71% in the CrowdStrike Security Cloud.

Insikt Group research indicates that approximately 25% of malware families abuse legitimate cloud services, with two-thirds of those abusing multiple services. This multi-service abuse increases attacker resilience—if one service detects and blocks malicious activity, attackers can shift to alternative platforms.

According to Spamhaus (2024), the trend of abusing legitimate sites has evolved from a niche phenomenon to common cybercriminal behavior. The widespread adoption of cloud services for business operations has created an attack surface that defenders cannot simply block without disrupting business operations.

The most exploited cloud service is Google Cloud, followed by Telegram, email services, and social media, according to Spamhaus (2024). Other commonly abused services include GitHub, Discord, OneDrive, Gmail SMTP, Notion, YouTube, and VirusTotal.

The core challenge is that most organizations whitelist cloud services, making traditional firewalls and filters ineffective. Zero Trust architectures are not widely deployed, and few organizations monitor legitimate service usage for anomalies. This creates a significant gap between the threat landscape and defensive capabilities.

What are the limitations of Living Off Trusted Sites?

LOTS attacks face several operational and detection challenges that limit their effectiveness.

Service detection signatures can identify malicious use of legitimate APIs. Behavioral analytics detect anomalous patterns such as mass data uploads, unusual geolocation changes, or API usage patterns that deviate from normal behavior. Rate limiting on service APIs constrains command-and-control bandwidth and exfiltration speed.

Service providers implement abuse detection mechanisms, and accounts are suspended once flagged. Attackers must maintain legitimate-looking activity to avoid triggering automated abuse detection systems. According to the LOTS Project and CrowdStrike, this requirement increases operational complexity and the risk of detection.

Defense gaps remain significant. Most organizations whitelist cloud services, making traditional firewalls and filters ineffective. Cloud service terms of service allow vast amounts of data transfer, obscuring exfiltration among legitimate activity. Zero Trust is not widely deployed, and few organizations monitor legitimate service usage for anomalies.

Alerts on cloud services are often tuned low due to false positive rates. Security teams cannot tolerate the alert volume generated by monitoring all cloud service activity, creating blind spots that attackers exploit. Many organizations lack visibility into all cloud service usage across their environment, particularly shadow IT usage where employees adopt cloud services without IT approval.

The fundamental tension is that the same features that make cloud services valuable for legitimate business use—accessibility, ease of use, large data transfer capabilities—also make them valuable for attackers. Defenders must distinguish malicious from legitimate activity on services designed to be widely accessible.

How can organizations defend against LOTS attacks?

Organizations should implement a multi-layered defense strategy that assumes cloud services will be used for both legitimate and malicious purposes.

Zero Trust Architecture applies "never trust, always verify" principles to cloud service usage. Organizations should require explicit authorization for each service rather than blanket allowing all cloud platforms. According to Cyber.gov.au and CrowdStrike, Zero Trust reduces the attack surface by limiting which services can be accessed and under what conditions.

Behavioral Analysis monitors cloud service APIs for anomalous patterns including unusual speed, volume, or geolocation changes. User and Entity Behavior Analytics (UEBA) detects unusual data exfiltration volumes or timing that deviate from established baselines. The LOTS Project recommends continuous monitoring of cloud service usage patterns.

Cloud Access Security Brokers (CASB) enforce Data Loss Prevention policies and monitor cloud service usage in real-time. CASBs provide visibility into cloud service usage across the organization and can block or quarantine suspicious activity. Fortinet emphasizes that CASB deployment is critical for organizations with significant cloud adoption.

API Monitoring logs and audits API calls to cloud services, alerting on unauthorized or suspicious usage. Organizations should track which services are being accessed, by whom, and for what purpose. Anomalous API usage patterns often precede or indicate compromise.

Email and URL Filtering should block URLs to known LOTS abuse domains. Organizations should maintain the LOTS Project list of abused services and implement filtering where business impact is acceptable. However, blocking must be balanced against legitimate business needs.

User Training educates employees on phishing via trusted domains and suspicious file downloads from cloud services. According to CrowdStrike and the LOTS Project, users must understand that files from Google Drive or OneDrive can be malicious, challenging the common assumption that trusted platforms only host trusted content.

Incident Response procedures should include immediate isolation of compromised credentials and review of cloud service audit logs for unauthorized access. Organizations should determine what data was accessed or exfiltrated through cloud services following a compromise.

Service Restrictions involve disabling high-risk services such as GitHub, Pastebin, or Discord where possible, using approved alternatives for legitimate business needs. Cyber.gov.au recommends restricting services that have limited business justification and high abuse rates.

Cryptographic Verification requires signed or verified downloads and uses file integrity checks to detect tampering. Organizations should verify that files downloaded from cloud services match expected hashes and are signed by trusted publishers.

Network monitoring should track outbound connections to cloud services, looking for unusual data transfer volumes or connections to newly registered or suspicious cloud storage accounts. Fortinet recommends monitoring cloud service usage at the network level to identify potential exfiltration.
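As an added example (not the page's own code or that of any vendor it cites), the following Python script applies the behavioral-analysis, API-monitoring and URL-filtering ideas above to constructed outbound proxy log lines: it baselines each user's upload volume per cloud service and flags both volume spikes and POSTs to webhook or paste endpoints on otherwise trusted hosts. The log format, the endpoint list and the spike threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample proxy log: timestamp user dest_host method path bytes_out.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice drive.google.com POST /upload/drive/v3/files 120000
2024-05-01T09:30:00 alice drive.google.com POST /upload/drive/v3/files 95000
2024-05-01T10:00:00 alice drive.google.com POST /upload/drive/v3/files 110000
2024-05-01T10:05:00 bob github.com GET /org/repo/releases 4000
2024-05-01T22:14:00 alice drive.google.com POST /upload/drive/v3/files 4800000000
2024-05-01T22:15:00 alice discord.com POST /api/webhooks/1234/abcd 350000
2024-05-01T22:16:00 bob pastebin.com POST /api/api_post.php 52000
"""

# Hypothetical (host, path prefix) pairs for webhook and paste endpoints that carry
# little business traffic; a real list would come from the LOTS Project and the
# organization's own approved-service inventory.
SUSPICIOUS_ENDPOINTS = (
    ("discord.com", "/api/webhooks/"),
    ("pastebin.com", "/api/api_post.php"),
)

def parse(log):
    """Split each space-separated log line into a dict."""
    rows = []
    for line in log.splitlines():
        ts, user, host, method, path, out = line.split()
        rows.append({"ts": ts, "user": user, "host": host, "method": method,
                     "path": path, "bytes_out": int(out)})
    return rows

def detect(rows, spike_factor=10):
    """Return (reason, row) pairs for uploads far above the user's own baseline
    for that service and for POSTs to known-abused endpoints."""
    alerts = []
    history = defaultdict(list)  # (user, host) -> sizes of earlier uploads
    for r in rows:
        if r["method"] != "POST":
            continue
        key = (r["user"], r["host"])
        prior = history[key]
        # Per-user, per-service baseline; needs at least two earlier uploads.
        if len(prior) >= 2 and r["bytes_out"] > spike_factor * mean(prior):
            alerts.append(("upload_spike", r))
        for host, prefix in SUSPICIOUS_ENDPOINTS:
            if r["host"] == host and r["path"].startswith(prefix):
                alerts.append(("abused_endpoint", r))
        history[key].append(r["bytes_out"])
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` flags the 4.8 GB Drive upload as a spike against alice's three earlier uploads, plus the Discord webhook and Pastebin POSTs; the routine GitHub download and the ordinary Drive uploads produce no alert.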

FAQs

What is the difference between LOTS and LOTL attacks?

Living Off Trusted Sites abuses external cloud services such as GitHub and Google Drive for command-and-control and exfiltration. Living Off the Land exploits native operating system tools such as PowerShell and WMI. According to the LOTS Project and CrowdStrike, both techniques evade detection but use different infrastructure—LOTS requires external communication to cloud platforms, while LOTL operates entirely within the victim's environment using built-in system utilities. Attackers often combine both techniques, using LOTL for local operations and LOTS for data exfiltration or remote control.

Which cloud services are most abused by attackers?

Google Cloud is the most exploited platform, followed by Telegram messaging, email services, and social media, according to Spamhaus (2024). Other commonly abused services include GitHub, Discord, OneDrive, Gmail SMTP, Notion, YouTube, and VirusTotal. Attackers favor services with large user bases, minimal verification requirements, generous free tiers, and API access that enables programmatic control. Services that organizations cannot easily block without disrupting business operations are particularly attractive to threat actors.

Why is LOTS harder to detect than traditional phishing?

Legitimate services are whitelisted and trusted by both users and security systems. Traffic blends with normal organizational use of cloud services, making behavioral detection difficult. According to Spamhaus and Ikarus Security, legacy security tools do not monitor cloud service API behavior for anomalies. Traditional email filters that effectively block phishing are ineffective against LOTS because the malicious content is hosted on trusted platforms. Users are less suspicious of links to Google Drive or OneDrive than links to unknown domains, increasing the success rate of LOTS attacks.

How much of malware today uses LOTS techniques?

Approximately 25% of current malware families abuse legitimate cloud services, and two-thirds of those abuse multiple services, according to Insikt Group. CrowdStrike reports that 79% of 2024 intrusions were fileless or Living Off the Land, up from 62% in 2023. While not all fileless attacks use LOTS specifically, the trend toward abusing trusted infrastructure rather than deploying traditional malware is clear. The percentage is likely to increase as attackers recognize the detection advantages that LOTS provides.

How has LOTS detection improved in 2024?

Despite improvements in detection capabilities, CrowdStrike reports that 79% of 2024 intrusions were fileless or LOTL, up from 62% in 2023. This indicates that attackers favor these methods over traditional malware despite better detection tooling. According to CrowdStrike (2024), the increase suggests that defensive improvements have not kept pace with attacker adoption of these techniques. Organizations are deploying behavioral analytics and Zero Trust architectures, but adoption remains limited compared to the scale of LOTS abuse across the threat landscape.


© 2026 Kinds Security Inc. All rights reserved.