What is LOTS?
Living Off Trusted Sites extends the “Living Off the Land” (LOTL) concept to external infrastructure. Rather than registering suspicious domains that trigger security alerts, attackers host malicious content on platforms like GitHub, Google Drive, Cloudflare, AWS, Microsoft Azure, Dropbox, Notion, and increasingly AI-powered development platforms like Lovable, Replit, and Vercel. These services have established domain reputation, valid SSL certificates, and are whitelisted by corporate firewalls and email gateways. A phishing page hosted at a random-string.lovable.app or github.io subdomain inherits the parent domain’s trust score.
Business Impact
LOTS attacks fundamentally undermine domain reputation as a security signal. Allure Security’s research found that only 7% of domains used in phishing attacks against financial institutions are less than 30 days old, with 41% being over five years old—indicating widespread use of established infrastructure. Organizations relying primarily on domain age, reputation scoring, or blocklists miss the majority of modern threats. The proliferation of LOTS attacks forces defenders to shift from infrastructure-based detection to content-based analysis.
Allure Security's Approach
Allure Security’s detection architecture prioritizes content-based analysis precisely because LOTS attacks render infrastructure signals unreliable. Computer vision and natural language processing identify brand impersonation by examining visual elements, form behavior, and credential harvesting patterns—regardless of hosting platform. When phishing pages appear on Cloudflare, GitHub, or AI development platforms, Allure detects them through what the page contains, not where it lives.
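The shift from infrastructure signals to content signals described above, as a simplified text-and-form heuristic. This is an added example, not Allure Security's detection logic: it uses plain string matching rather than computer vision or NLP, and the suffix allowlist, the brand "Example Bank", its domain and the sample page are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed for illustration: suffixes an allowlist might trust, one brand
# with the domain it legitimately uses, and a sample credential-harvesting page.
TRUSTED_SUFFIXES = ("github.io", "lovable.app")
BRANDS = {"example bank": ("examplebank.example",)}
SAMPLE_PAGE = ('<title>Example Bank Sign In</title><form action="https://collector.example/s">'
               '<input type="password" name="p"></form>')

def under(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def reputation_verdict(url):
    # Infrastructure-only check: any subdomain inherits the parent's trust.
    host = (urlparse(url).hostname or "").lower()
    return "allow" if any(under(host, s) for s in TRUSTED_SUFFIXES) else "review"

class PageScan(HTMLParser):  # collects text nodes, form actions, password inputs
    def __init__(self):
        super().__init__()
        self.text, self.actions, self.has_password = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data.lower())

def content_signals(url, html):
    host = (urlparse(url).hostname or "").lower()
    scan = PageScan()
    scan.feed(html)
    text = " ".join(" ".join(scan.text).split())
    signals = []
    for brand, domains in BRANDS.items():
        # Brand is named on a host the brand does not own.
        if brand in text and not any(under(host, d) for d in domains):
            signals.append("brand_mismatch")
    if scan.has_password:
        signals.append("password_field")
    # A form posts to a different host than the one serving the page.
    if any((urlparse(a).hostname or host).lower() != host for a in scan.actions):
        signals.append("offsite_form_action")
    return signals

def content_verdict(url, html):
    found = set(content_signals(url, html))
    return "suspicious" if {"brand_mismatch", "password_field"} <= found else "no_signal"
```

The same HTML served from the brand's own domain produces no brand mismatch, so the verdict depends on what the page contains relative to who owns the host, not on the host's reputation.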