Creativa - Fotolia


How to detect and prevent a man-in-the-cloud attack

A man-in-the-cloud attack is a newer threat to enterprise security and it's not always easy to detect. Expert Frank Siemons explains how the attacks work and what can be done.

Over the years, an increasing amount of information has been transferred to and stored within the many cloud platforms....

Services such as Dropbox, Microsoft OneDrive and Google Drive have made this process easy. With a few clicks of a mouse, a low or no cost synchronization service between a local folder and a cloud-based copy of that folder can be set up by anyone. The benefits of these services -- such as automated off-site data backups, file sharing, collaboration and system-independent access to the cloud data from anywhere at any time -- have not gone unnoticed by malicious entities. Some inventive attackers have come up with a technique that has been labeled the "man-in-the-cloud" attack or MitC. The attack leverages the "access data from anywhere at any time" characteristic of cloud storage.

How a man-in-the-cloud attack works

There are many interesting technical whitepapers on the details of this attack. Leaving some of the in-depth, technical details out, the process is quite simple. The application synchronizing with the cloud service uses a synchronization token to gain access to the correct account and data. An attacker places malware on the target system, called a switcher, often through a social engineering attack combined with a malicious email attachment. Once the malware is launched, it moves the victims' synchronization token to the actual data sync folder. It then replaces that original token for one crafted by the attacker. The new token points to an account the attacker has access to. When the targeted application synchronizes with the data sync folder the next time, the target's original synchronization token is copied to the attacker's cloud location from where it can be downloaded and subsequently used by the attacker. This gives the attacker access to the target's cloud data from any machine. It also provides the attacker the ability to synchronize malicious files -- like malware-infected Word documents for instance -- back to the target's local data sync folder and replaces commonly used files the victim trusts. The switcher malware can copy the original synchronization token back and remove itself at any time, effectively erasing most evidence of the attack.

There are many other varieties of this man-in-the-cloud attack method -- some specifically customized for the targeted cloud platform and some with additional features such as the installation of a backdoor. However, the principle is the same and the importance of the synchronized data makes this is a very dangerous attack method.


It is difficult to detect a man-in-the-cloud attack. There is a login process against the cloud service using a different synchronization token (user). Without any further context around this event, the intrusion detection system or proxy logs will, at most, show that a seemingly legitimate cloud sync occurred. By itself that does not warrant an alarm. A watchful user could analyze the login geolocation history via the cloud's different platforms portal, but that is not the most reliable detection method.

There is a much better chance of detecting the social engineering attack with an email security gateway, or the subsequent switcher malware files located on the target host. Traditional or behavioral antivirus products should be able to deal with most of these infections. The benefit of relying on these technologies is that the attack is detected early in the process and at that point, it could still be blocked manually or automatically.


Once a man-in-the-cloud attack has been detected, the impact has been assessed and the evidence has been gathered, it needs to be mitigated. As mentioned earlier, a skilled attacker would have undone all system changes and removed all related malware files already. This is not always the case, however.

Some attackers do not worry about leaving evidence. Sometimes either the attack or the subsequent clean-up process fails. In any case, the remaining malware related files will need to be removed. It is also a good idea to close the cloud account and replace it with a new one. This will guarantee the synchronization token will never be used again. Different providers might have methods of forcing a ticket to expire, but a successful outcome would be hard to prove.


The most successful way to prevent the social engineering attack that is likely to precede the MitC attack is a through combination of comprehensive security awareness training and adequate technical controls. For example, if a staff member has just completed the yearly security awareness training, she is less likely to open the malicious email attachment that will prevent the attacker from gaining a foothold within the organization's network. If the user does open that attachment, a traditional or next-generation antivirus product should detect and block the malware without the need for user interaction.

One technology that targets man-in-the-cloud attack characteristics is a cloud access security broker (CASB). A CASB is either deployed inline where it can function as a proxy or via an API where it can monitor traffic to and from a cloud platform. Both options have their advantages, but the main function of the product is to monitor cloud traffic for account anomalies which are for instance generated by an MitC attack.

Enterprises should be aware of the threat of a man-in-the-cloud attack and review their cloud applications and infrastructure to see how such an attack could compromise their environment and lead to a data breach. They should also closely monitor employee cloud activity to identify signs of a cloud synchronization token being abused by an attacker.

Next Steps

Learn how to securely use file sync and share

Read more about the increasing threat of high-profile cloud malware

Find out how cloud synchronization can facilitate the spread of malware

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus