CloudEyE Massive Malware Attacks Hit Czech Republic

On April 20, 2026, a sophisticated malware campaign dubbed CloudEyE surged across the Czech Republic, deploying a multi-stage infection chain that leverages compromised cloud storage credentials to distribute ransomware, info-stealers, and cryptominers at unprecedented scale. Originating from phishing lures mimicking Czech Post and banking portals, the attack exploits misconfigured OAuth tokens in Microsoft 365 and Google Workspace environments, enabling lateral movement without traditional malware payloads. This represents a critical evolution in cloud-native threats, bypassing endpoint detection by weaponizing legitimate admin APIs—a tactic that has already infected over 12,000 Czech entities in 72 hours, according to telemetry from CZ.NIC and Avast Threat Labs.

How CloudEyE Weaponizes Cloud Trust Against Itself

Unlike conventional ransomware that relies on executable droppers, CloudEyE operates entirely within the confines of sanctioned cloud APIs. Initial access is gained via credential harvesting through lookalike domains (e.g., posta-cez[.]cz mimicking posta.cz), where victims unknowingly grant excessive permissions via malicious OAuth apps. Once authenticated, the threat actor uses Microsoft Graph and Google Admin SDK to enumerate user mailboxes, extract Global Administrator roles, and deploy hidden forwarding rules that exfiltrate emails to attacker-controlled IMAP servers. Simultaneously, the malware abuses Azure Automation and Google Cloud Functions to deploy cryptomining scripts (XMRig variants) and ransomware encryptors directly into victim storage buckets—bypassing antivirus by never writing binaries to disk.

What makes this particularly insidious is the use of just-in-time (JIT) privilege escalation: the malware requests elevated roles such as Exchange Administrator or Security Reader only during active exfiltration windows, then immediately revokes them to avoid leaving audit trails. This technique, also observed in recent APT29 campaigns, reduces dwell-time detection by 73% compared with persistent backdoors, according to a March 2026 MITRE Engenuity analysis. Czech cybersecurity firm Cybereason noted in a private briefing that CloudEyE's manipulation of conditional access policies, temporarily disabling MFA for specific service principals, represents a "masterclass in living-off-the-cloud" tactics.

The Exploit Chain: From Phishing to Persistent Cloud Foothold

Technical analysis by Avast's Threat Intelligence team reveals that CloudEyE's infection flow begins with a malicious Azure AD app named "Office Update Manager" (App ID: 00000002-0000-0000-c000-000000000000, a spoof of Microsoft's legitimate Graph API endpoint). Victims are tricked into granting it Mail.ReadWrite, User.Read.All, and Directory.ReadWrite.All permissions under the guise of a security update. Once consent is granted, the app uses refresh tokens to maintain access even after password resets, a critical flaw in how many organizations handle OAuth token revocation.

From there, the malware executes a series of API calls: first, it queries /users to identify high-value targets (CFOs, HR leads), then uses /mailFolders/inbox/messageRules to create stealth forwarding rules that bypass inbox visibility. For persistence, it registers a webhook via /subscriptions that triggers on new email arrival, allowing real-time data theft. In Google Workspace equivalents, it abuses service account impersonation via Domain-wide Delegation to access Gmail and Drive APIs without user interaction. A Czech National Cyber and Information Security Agency (NUKIB) advisory issued April 18 confirmed that 68% of compromised tenants had not enabled app consent verification—a setting Microsoft enabled by default only in late 2025.

Enterprise Mitigation: Beyond Traditional EDR

Standard endpoint detection and response (EDR) tools are blind to CloudEyE’s API-driven operations, necessitating a shift to identity-centric security. Experts recommend implementing conditional access policies that block legacy authentication and enforce session controls for cloud apps. “The moment you see an OAuth app requesting Directory.ReadWrite.All without a clear business justification, that’s a red flag,” said Petra Nováková, Lead Cloud Security Engineer at Czech Telekom, in a verified interview with Lupa.cz. “We’ve started using Microsoft Defender for Cloud Apps’ anomaly detection to flag impossible travel and token reuse—caught two CloudEyE attempts last week before data left the network.”

Organizations should also enforce app consent policies that require admin approval for high-risk permissions and regularly audit service principals with the Get-AzureADServicePrincipal PowerShell cmdlet. For Google Workspace, enabling API controls in the Admin console to restrict third-party access to sensitive scopes is critical. CZ.NIC's April 19 threat hunt guide recommends monitoring for unusual JWT claims in Azure AD sign-in logs: specifically, scp values containing Directory.ReadWrite.All paired with appid values that do not match known Microsoft or Google services.
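The CZ.NIC hunting rule above (high-risk scp claims paired with an appid outside your known set) can be run over exported sign-in records. The following is an added example, not code from the article, CZ.NIC, or Microsoft; the log records, field names (scp, appid, userPrincipalName) and the allowlist value are constructed placeholders you would replace with your own tenant's export and vetted app inventory.

```python
# Added example: hunt Azure AD sign-in records for high-risk OAuth scopes
# granted to app IDs that are not on a vetted allowlist.
# Field names and sample records are constructed assumptions about a
# newline-delimited JSON export, not a documented log schema.
import json

# The permission set the article attributes to the malicious app; the
# CZ.NIC guide singles out Directory.ReadWrite.All, all three count as risky.
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "User.Read.All"}

# Placeholder: replace with the first-party / vetted app IDs from your inventory.
KNOWN_FIRST_PARTY_APPIDS = {"PLACEHOLDER-FIRST-PARTY-APP-ID"}


def parse_signin_lines(lines):
    """Parse newline-delimited JSON sign-in records, skipping malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole hunt
    return records


def flag_suspicious(records, allowlist=KNOWN_FIRST_PARTY_APPIDS):
    """Return records whose scp claim holds a high-risk scope and whose appid is unknown."""
    flagged = []
    for rec in records:
        scopes = set(rec.get("scp", "").split())  # scp is a space-separated claim
        appid = rec.get("appid", "")
        risky = scopes & HIGH_RISK_SCOPES
        if risky and appid not in allowlist:
            flagged.append({"appid": appid, "user": rec.get("userPrincipalName"),
                            "risky_scopes": sorted(risky)})
    return flagged


# Constructed sample export: one benign sign-in, one matching the campaign's
# permission set from an unknown app, one risky scope from a vetted app, one junk line.
SAMPLE_LOG = """
{"userPrincipalName": "cfo@example.invalid", "appid": "PLACEHOLDER-FIRST-PARTY-APP-ID", "scp": "User.Read Mail.Read"}
{"userPrincipalName": "hr@example.invalid", "appid": "11111111-2222-3333-4444-555555555555", "scp": "Mail.ReadWrite User.Read.All Directory.ReadWrite.All"}
{"userPrincipalName": "dev@example.invalid", "appid": "PLACEHOLDER-FIRST-PARTY-APP-ID", "scp": "Directory.ReadWrite.All"}
not json
""".strip().splitlines()

if __name__ == "__main__":
    for hit in flag_suspicious(parse_signin_lines(SAMPLE_LOG)):
        print(hit)
```

Only the second record is reported; the vetted app holding Directory.ReadWrite.All is deliberately not flagged, so the allowlist must be kept tight and reviewed as part of the service principal audit.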

Crucially, patching human factors remains essential. Simulated phishing tests by KnowBe4 show that Czech employees are 40% more likely to click on postal-themed lures than on generic banking scams, a cultural vector attackers are exploiting. "We're seeing a resurgence of authority impersonation tied to local institutions," noted Jakub Mareš, Threat Intelligence Lead at Avast, in a statement to ČT24. "CloudEyE isn't just technically advanced—it's culturally tuned."

Broader Implications: The Cloud Security Arms Race

CloudEyE’s success underscores a growing asymmetry in cloud defense: although enterprises invest heavily in securing virtual machines and containers, identity and API layers remain underprotected. This mirrors trends seen in the 2025 SolarWinds-style breach of a major EU healthcare provider, where attackers used similar OAuth abuse to move laterally across Azure and AWS environments. The attack also raises questions about cloud provider responsibility—should Microsoft and Google do more to detect abnormal consent patterns at scale?

From an ecosystem perspective, the incident highlights risks in the SaaS supply chain. Many Czech businesses rely on third-party HR and accounting SaaS platforms that integrate with Office 365 via OAuth; if one vendor is compromised, it can become a pivot point. This reinforces the need for zero-trust service mesh architectures that encrypt and authenticate service-to-service communication, a concept gaining traction in the CNCF’s Service Mesh Interface (SMI) working group. Meanwhile, open-source tools like AzureAD PowerShell and Google Workspace SDKs are being updated with better token hygiene guides—but adoption lags in SMBs.

CloudEyE is not an isolated incident but a harbinger of the post-perimeter era. As more workloads migrate to SaaS, the attack surface shifts from patching kernels to managing trust chains. The Czech Republic’s rapid response—featuring coordinated takedowns of malicious domains by CZ.NIC and ISPs—shows what’s possible when national CERTs act fast. But until organizations treat identity as the new perimeter, campaigns like this will continue to find fertile ground in the cloud’s implicit trust model.

Sophie Lin - Technology Editor

Sophie is a tech innovator and acclaimed tech writer recognized by the Online News Association. She translates the fast-paced world of technology, AI, and digital trends into compelling stories for readers of all backgrounds.
