Threat Actors Are Recruiting the People Who Hold Cloud Logins
Help Net Security, Thursday, June 11th, 2026
Attackers target cloud employees via credential theft, MFA-bypassing phishing kits, and direct bribery.
Drawing on Intel 471 research, the article describes how threat actors exploit cloud infrastructure by targeting employees who hold access credentials.
It categorizes insider threats as negligent, manipulated, and malicious, and explains how criminals harvest logins with infostealers like Vidar and Stealc_v2, then resell them to initial access brokers.
Advanced phishing toolkits defeat MFA by capturing credentials and session tokens in real time, and actors openly recruit insiders on forums, offering payment for access or data.
Recommended defenses include strict permission reviews, phishing-resistant authentication, immediate access removal at offboarding, and employee training on social engineering.