TL;DR

  • Cloudflare's 2026 Threat Report — drawn from a network blocking 234 billion threats per day — confirms attackers have stopped trying to break through your defences and started hiding inside the tools you already trust [1].
  • Stolen session tokens now bypass MFA completely; 54% of ransomware attacks in 2025 started this way [2].
  • Business email compromise (BEC) attacks targeted requests around $49,000, a size chosen because automated fraud controls often miss it, generating $123 million in theft attempts in 2025 alone [3].
  • Your firewall can't tell the difference between a legitimate Google Calendar event and a hacker's command-and-control signal, because attackers are using both [1].
  • Three actions — DMARC enforcement, session policy tightening, and SaaS permission audits — close the biggest gaps without requiring enterprise budgets.

What the Cloudflare 2026 Threat Report Actually Found (and Why It Matters for Your Business)

Cloudflare's network handles roughly 20% of global internet traffic. When their threat research unit, Cloudforce One, publishes a report, it's not a theoretical exercise — it's pattern recognition across 234 billion daily threat events [1].

The headline from their inaugural 2026 Threat Report isn't about a new malware strain or a sophisticated zero-day. It's something more unsettling: attackers have largely stopped trying to break your defences. Instead, they're walking in through the front door using tools you invited in.

This shift has a name inside Cloudflare's research: Living off the XaaS (LotX). In practice, it means threat actors are routing attacks through AWS, Google Cloud, Azure, Microsoft Teams, Google Calendar, Dropbox, and GitHub — platforms every modern business depends on daily [1].

Why Are Hackers Hiding Inside Google Drive?

The reason is straightforward economics. Malicious servers get flagged and blocked. Legitimate cloud platforms don't.

When a hacker sends commands through a custom server, your email gateway or firewall can flag it as suspicious. When those same commands are buried inside a Google Calendar event description or a shared Dropbox document, the traffic looks identical to what your team generates all day [1][4].

Cloudforce One documented Chinese state-linked groups using Google Calendar event descriptions to pass encrypted commands to infected hosts [1]. This is not a technique that needs nation-state resources to copy; it's a playbook that is actively spreading. Once nation-state actors prove a technique works, criminal groups adopt it within 12-18 months [5].

For SMBs, this means the question is no longer just "do we have a firewall?" but "do we know which third-party tools have access to our data, and could any of them be used against us?"

The Session Token Problem: Why Your MFA Might Not Be Enough

Here's the specific mechanism behind one of 2026's biggest threats — and it's worth understanding clearly.

Traditional attacks try to steal your password. MFA stops most of those cold. But modern infostealers like LummaC2 don't steal passwords — they steal active session tokens from infected machines [2].

A session token is the credential your browser stores after you've already logged in and passed MFA. It proves to a web service that you're authenticated. Steal the token, and you skip the login entirely — including the MFA step [2].

According to the Verizon 2025 Data Breach Investigations Report, 54% of ransomware attacks in 2025 traced back to infostealer-enabled credential theft [2]. Cloudforce One is already tracking successor LummaC2 variants designed to compress the time between token theft and ransomware deployment down to hours [2].

For businesses with remote teams or BYOD policies, this is particularly relevant. An employee's personal laptop, briefly infected, can hand attackers a valid session token for your business's cloud accounts.

Related: Your MFA Isn't Enough Anymore — The 3-Layer Defence Stack That Actually Stops Modern Attackers

Business Email Compromise Is Getting Smarter About Avoiding Your Fraud Controls

Business email compromise isn't new. What's new is how precisely attackers have calibrated it to slip past automated scrutiny.

Cloudforce One analysts identified more than $123 million in BEC financial theft attempts in 2025. Attackers consistently targeted requests around the $49,000 mark — large enough to generate meaningful profit, but deliberately sized to stay below the thresholds that trigger additional bank approval processes or internal sign-off requirements [3].

This isn't guesswork. Criminal operations now study business fraud controls the same way legitimate salespeople study buyer psychology. They know your approval thresholds, they know which requests get rubber-stamped, and they price their attacks accordingly [3].
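One defensive consequence of threshold-calibrated BEC is that a "review above $50,000" rule should be paired with a review band just below it. The following is an added example, not a control from the Cloudflare report or from lilMONSTER: the threshold, the 10% band, the two extra beneficiary flags (first payment to a payee, changed bank details) and the sample requests are all assumptions constructed for illustration.

```python
"""Flag payment requests that sit just under an approval threshold.

Added example. The threshold, band width, extra beneficiary flags and the
sample requests are constructed; a real deployment would read them from the
finance system's approval workflow.
"""

APPROVAL_THRESHOLD = 50_000.00  # assumed: at/above this, manual sign-off already applies
UNDER_BAND = 0.10               # assumed: also review anything within 10% below the threshold


def needs_review(request, threshold=APPROVAL_THRESHOLD, band=UNDER_BAND):
    """Return the reasons a request should get out-of-band verification (empty = none)."""
    reasons = []
    amount = float(request["amount"])
    # Requests sized to land just under the sign-off line are the pattern described above.
    if threshold * (1 - band) <= amount < threshold:
        reasons.append(
            f"amount {amount:,.2f} sits just under the {threshold:,.0f} approval threshold"
        )
    # Two further BEC red flags, assumed here rather than taken from the report.
    if request.get("new_beneficiary"):
        reasons.append("first payment to this beneficiary")
    if request.get("bank_details_changed"):
        reasons.append("beneficiary bank details changed with this request")
    return reasons


def review_queue(requests):
    """Return (request id, reasons) for every request that needs verification."""
    queue = []
    for req in requests:
        reasons = needs_review(req)
        if reasons:
            queue.append((req["id"], reasons))
    return queue


# Constructed sample requests (amounts and ids are made up).
SAMPLE_REQUESTS = [
    {"id": "R1", "amount": 49_000.00, "new_beneficiary": False},
    {"id": "R2", "amount": 12_000.00},
    {"id": "R3", "amount": 50_000.00},                               # already above the line
    {"id": "R4", "amount": 48_500.00, "bank_details_changed": True},
    {"id": "R5", "amount": 44_000.00},                               # below the band
]

if __name__ == "__main__":
    for req_id, reasons in review_queue(SAMPLE_REQUESTS):
        print(req_id, "->", "; ".join(reasons))
```

The band check is deliberately inclusive of amounts like $49,999.99 and exclusive of the threshold itself, since anything at or above it already goes to manual sign-off.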

Nearly half of the 450 million emails Cloudflare analysed failed DMARC validation [1][3]. That gap is what allows attackers to send emails that appear to come from your suppliers, your bank, or your CEO.

The Scale of What's Happening — In Numbers

These figures from the 2026 Cloudflare Threat Report illustrate how routine and automated the attack economy has become [1][4]:

  • 234 billion threats blocked per day across Cloudflare's network
  • 47.1 million DDoS attacks recorded in 2025 — more than double the previous year
  • 31.4 Tbps — a record-breaking DDoS attack size, with attacks hitting peak volume within seconds
  • 94% of all login attempts observed on Cloudflare's network are automated bots
  • 46% of human login attempts use credentials already compromised in prior breaches
  • 43% of analysed emails failed SPF checks; 44% lacked valid DKIM signatures

That 46% figure deserves a second read. Nearly half the time a human attempts to log in to a service, they're using a password that's already in a criminal database somewhere. This isn't a hypothetical risk — it's the default state for most businesses that haven't actively audited and refreshed their credential hygiene [2].

Related: 67% of Breaches Start With a Stolen Login — Not a Hacked System

How Attackers Choose Their Targets: The MOE Framework

Cloudforce One introduced a useful lens for understanding attacker decision-making: the Measure of Effectiveness (MOE). It's essentially a return-on-effort calculation [1].

Sophisticated zero-day attacks are expensive to develop and use. Stolen session tokens, by contrast, have a high MOE — low cost, high reliability, hard to detect. Phishing-as-a-service platforms that bypass MFA by harvesting live tokens have high MOE. Exploiting misconfigured SaaS-to-SaaS API integrations has high MOE [1].

This has a practical implication for how SMBs should prioritise their security spending. Attackers aren't targeting you because you're specifically valuable — they're targeting the paths of least resistance across thousands of businesses simultaneously. Closing your highest-MOE gaps (email authentication, session management, SaaS permissions) makes you statistically less attractive compared to whoever hasn't bothered [1][6].

What Your Business Can Do: Three Practical Actions

Security built around identity and access — not just perimeter defence — is the practical takeaway from the 2026 Cloudflare Threat Report [3]. Here are three concrete starting points:

1. Enforce DMARC on Your Domain (This Week)

Nearly half of all emails fail DMARC. Configuring DMARC, SPF, and DKIM on your domain doesn't just protect your customers from being phished by emails that appear to come from you — it also strengthens your own inbound filtering [1][7].

Start with DMARC in monitoring mode (p=none) to see what's failing, then tighten to p=quarantine and eventually p=reject. Free tools like DMARC Analyser or MXToolbox make the diagnostic step straightforward.
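To make the monitoring-to-enforcement ladder concrete, here is an added example (not code from Cloudflare, CISA or lilMONSTER) that parses a DMARC TXT record and grades it along the p=none, p=quarantine, p=reject path. The sample records are constructed; in practice you would read the real one from the _dmarc.<your-domain> TXT record, which this script does not query.

```python
"""Parse a DMARC TXT record and grade its policy.

Added example. The sample records below are constructed; a real record lives
at the _dmarc.<domain> TXT entry and is not looked up here.
"""

# Constructed sample records, from weakest to strongest posture.
SAMPLE_RECORDS = {
    "no-record": None,
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine-partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "reject": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; return None if it is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (grade, findings); grade is 'none', 'weak', 'partial' or 'enforced'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["no valid DMARC record: receivers will accept spoofed mail from this domain"]
    findings = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        grade = "weak"
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to p={policy}")
        grade = "partial"
    else:
        grade = "enforced"
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures stay invisible")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return grade, findings


def next_step(grade):
    """The next rung on the ladder described above, by current grade."""
    return {
        "none": "publish v=DMARC1; p=none with an rua= address and watch the reports",
        "weak": "move to p=quarantine once legitimate senders pass SPF/DKIM",
        "partial": "raise pct to 100 and then move to p=reject",
        "enforced": "keep reviewing aggregate reports for new legitimate senders",
    }[grade]


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        grade, findings = assess_dmarc(record)
        print(f"{name}: {grade}; next: {next_step(grade)}")
        for finding in findings:
            print("  -", finding)
```

The parser is tolerant of spacing and tag case, as real records are. Remember that p=none with no rua= address is the worst of both worlds: nothing is blocked and nothing is reported.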

2. Audit Your SaaS-to-SaaS Integrations

Every connected app that has access to your Google Workspace, Microsoft 365, or Salesforce is a potential entry point. The GRUB1 attack documented in the Cloudflare report exploited a single compromised SaaS-to-SaaS integration to breach multiple corporate environments [1].

Go to your identity provider (Google, Microsoft) and review every third-party app with OAuth access. Revoke anything you don't recognise or no longer use. This takes an afternoon and costs nothing.
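Once you have the list of connected apps in front of you, the useful question is which ones to revoke first. The script below is an added example (not tooling from Google, Microsoft, Cloudflare or lilMONSTER) that ranks grants by scope breadth and staleness. The scope strings are real Google and Microsoft Graph scope names, but the grant list, the 90-day staleness rule and the verified-publisher field are constructed assumptions; the script does not query either identity provider.

```python
"""Rank third-party OAuth grants for revocation: broadest and stalest first.

Added example. The grant list is constructed; in practice it comes from an
export of the Google Workspace admin console or Microsoft Entra enterprise
applications, neither of which is queried here.
"""
from datetime import date, timedelta

# Scopes that reach every mailbox or every file, not just one app's own data.
# These are real Google and Microsoft Graph scope names.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "Mail.Read",
    "Mail.ReadWrite",
    "Files.Read.All",
    "Files.ReadWrite.All",
}
STALE_AFTER = timedelta(days=90)  # assumed: unused for a quarter means revoke candidate


def triage_grant(grant, today):
    """Return (score, action, reasons) for one grant; higher score = handle first."""
    reasons = []
    score = 0
    broad = sorted(s for s in grant["scopes"] if s in BROAD_SCOPES)
    if broad:
        reasons.append("broad scope: " + ", ".join(broad))
        score += 2
    last_used = grant.get("last_used")
    if last_used is None or today - last_used > STALE_AFTER:
        reasons.append(f"not used in the last {STALE_AFTER.days} days")
        score += 2
    if not grant.get("verified_publisher", False):  # assumed field
        reasons.append("publisher not verified")
        score += 1
    if last_used is None or today - last_used > STALE_AFTER:
        action = "revoke"      # nothing depends on it; the only use it has is to an attacker
    elif broad or not grant.get("verified_publisher", False):
        action = "review"      # in use, but check who owns it and whether it needs that reach
    else:
        action = "keep"
    return score, action, reasons


def triage_grants(grants, today):
    """Return a list of {app, action, reasons} dicts, riskiest first."""
    ranked = sorted(grants, key=lambda g: triage_grant(g, today)[0], reverse=True)
    result = []
    for g in ranked:
        _, action, reasons = triage_grant(g, today)
        result.append({"app": g["app"], "action": action, "reasons": reasons})
    return result


# Constructed sample grants (app names, dates and publisher status are made up).
SAMPLE_GRANTS = [
    {"app": "Calendar sync widget",
     "scopes": {"https://www.googleapis.com/auth/drive", "email"},
     "last_used": date(2025, 6, 1), "verified_publisher": False},
    {"app": "Expense app",
     "scopes": {"Files.ReadWrite.All", "User.Read"},
     "last_used": date(2026, 3, 7), "verified_publisher": True},
    {"app": "SSO login",
     "scopes": {"openid", "email", "profile"},
     "last_used": date(2026, 3, 9), "verified_publisher": True},
]

if __name__ == "__main__":
    for row in triage_grants(SAMPLE_GRANTS, date(2026, 3, 10)):
        print(f"{row['action']:6} {row['app']}: {'; '.join(row['reasons']) or 'no findings'}")
```

Sign-in-only grants (openid, email, profile) are the ones to keep; a grant that can read every file in the tenant and has not been used in months is the kind of dormant integration the GRUB1 case above turned into an entry point.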

3. Implement Session Lifetime Limits and Device Trust Policies

Session tokens that never expire are the gift that keeps giving to attackers. Most cloud platforms let you set maximum session lifetimes and require re-authentication after a period of inactivity.

For higher-risk systems (financial software, HR platforms, email), consider requiring phishing-resistant MFA methods like FIDO2/passkeys. These bind the authentication to the specific device and website domain, so a token captured by a phishing site is useless to the attacker [8].
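The session-token mechanism described earlier and the limits recommended in this step come together on the server side. The following is an added example, not code from the Cloudflare report or from any cloud platform: an in-memory session store that enforces an absolute lifetime, an idle timeout, and a binding of each token to the client it was issued to, so that the same token replayed from a different device is refused. The 8-hour and 30-minute limits are assumed policy values, and the user-agent-plus-IP fingerprint is an assumed binding scheme, not a standard.

```python
"""Server-side session policy: absolute lifetime, idle timeout, client binding.

Added example. The limits and the fingerprint scheme are assumptions; the
sessions and clients in the demo are constructed in memory.
"""
import hashlib
import hmac
import secrets
import time

MAX_LIFETIME_S = 8 * 3600   # assumed policy: re-authenticate at least every 8 hours
IDLE_TIMEOUT_S = 30 * 60    # assumed policy: 30 minutes of inactivity ends the session


def client_fingerprint(user_agent, ip):
    """Hash of the client properties a session is bound to (assumed scheme)."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the policy can be tested offline
        self._sessions = {}

    def create(self, user, user_agent, ip):
        """Issue a fresh random token after the user has completed login and MFA."""
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[token] = {
            "user": user,
            "created": t,
            "last_seen": t,
            "fp": client_fingerprint(user_agent, ip),
        }
        return token

    def validate(self, token, user_agent, ip):
        """Return (user, reason); user is None whenever the token must not be honoured."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown token"
        t = self.now()
        if t - s["created"] > MAX_LIFETIME_S:
            self._sessions.pop(token)
            return None, "absolute lifetime exceeded"
        if t - s["last_seen"] > IDLE_TIMEOUT_S:
            self._sessions.pop(token)
            return None, "idle timeout"
        if not hmac.compare_digest(s["fp"], client_fingerprint(user_agent, ip)):
            # Same token, different client: what a replayed infostealer token looks like.
            # Revoke it so the legitimate user is forced to log in again too.
            self._sessions.pop(token)
            return None, "client binding mismatch"
        s["last_seen"] = t
        return s["user"], "ok"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "Firefox/128", "203.0.113.10")   # constructed client
    print(store.validate(tok, "Firefox/128", "203.0.113.10"))   # ('alice', 'ok')
    print(store.validate(tok, "Chrome/124", "198.51.100.7"))    # (None, 'client binding mismatch')
```

Two caveats a practitioner should weigh: binding to the source IP will log out users on mobile networks whose address changes, so many deployments bind to fewer client properties or treat a mismatch as a step-up prompt rather than a hard revoke; and the idle timeout only helps if the check runs on every request, not just at login.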

Related: Stop Patching Everything: The 1% Rule That Keeps SMBs Secure Without Burning Out

The Business Case for Acting Now

According to IBM's 2025 Cost of a Data Breach Report, the average breach costs $4.88 million globally — though for SMBs, even a fraction of that can be terminal [9]. The Cloudflare data suggests that most of the risk concentrates in a few well-understood categories: credential theft, email compromise, and misconfigured cloud access.

None of the three actions above requires enterprise-grade tooling or a dedicated security team. They're operational decisions — tightening what you already have, auditing what you've accumulated, and applying sensible limits on how long access tokens stay valid.

The attacks described in the 2026 Cloudflare Threat Report are industrialised, automated, and optimised for the path of least resistance. The best business decision is to make sure that path doesn't run through you.


FAQ

What is Living off the XaaS (LotX)?

Living off the XaaS (LotX) is a tactic where attackers use legitimate cloud services — like Google Drive, Dropbox, Microsoft Teams, or AWS — as infrastructure for their attacks. Because these services generate normal-looking traffic, traditional security tools often can't distinguish malicious activity from legitimate use. For small businesses, it means the attack surface now includes every SaaS tool you've authorised, not just your own servers.

Can attackers really bypass MFA?

Yes. MFA protects the login process. But once you're logged in, your browser stores a session token that proves you're authenticated. Infostealers like LummaC2 steal that token from your device — bypassing the MFA step entirely because you've already passed it. The attacker then uses your active session from their own device. According to the Verizon 2025 DBIR, 54% of ransomware attacks in 2025 began this way.

What is DMARC, and does my business need it?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving mail servers what to do when an email claims to be from your domain but fails authentication checks. Without it, anyone can send emails that appear to come from your business. The 2026 Cloudflare Threat Report found 46% of emails failed DMARC validation — a gap that phishing-as-a-service operations systematically exploit. Every business that sends email should have DMARC configured.

How do I check which third-party apps have access to my data?

For Google Workspace: go to myaccount.google.com → Security → Third-party apps with account access. For Microsoft 365: go to myapps.microsoft.com or the Azure AD admin centre → Enterprise Applications. Review anything with broad permission scopes (read all mail, read all files) and revoke access for apps you don't recognise or no longer use.

Is my small business really a target?

The 2026 Cloudflare Threat Report makes clear that modern attacks are automated and optimised for scale — they're not manually selecting targets. Bots account for 94% of all login attempts. Phishing-as-a-service platforms are sold as subscriptions. Your business is as much a target as any larger one, because the same automation hits everyone. The question is whether your basic hygiene is weaker than average.


References

[1] Cloudforce One, "Introducing the 2026 Cloudflare Threat Report," Cloudflare Blog, March 3, 2026. [Online]. Available: https://blog.cloudflare.com/2026-threat-report/

[2] A. Pogorelec, "Cloudflare tracked 230 billion daily threats and here is what it found," Help Net Security, March 3, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/03/cloudflare-cyber-threat-report-2026/

[3] D. Vanian, "Cloudflare warns AI and SaaS integrations are fueling industrial-scale cybercrime," SiliconANGLE, March 3, 2026. [Online]. Available: https://siliconangle.com/2026/03/03/cloudflare-warns-ai-saas-integrations-fueling-industrial-scale-cybercrime/

[4] "Cloudflare report: stolen session tokens, cloud abuse and record DDoS surge," Prism News, March 4, 2026. [Online]. Available: https://www.prismnews.com/news/cloudflare-report-stolen-session-tokens-cloud-abuse-and-record-ddos-surge

[5] Cloudflare, "2025 Q4 DDoS Threat Report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults," Cloudflare Blog, 2026. [Online]. Available: https://blog.cloudflare.com/ddos-threat-report-2025-q4/

[6] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[7] CISA, "Email Authentication Best Practices," CISA, 2025. [Online]. Available: https://www.cisa.gov/resources-tools/resources/email-security-best-practices

[8] FIDO Alliance, "FIDO2: WebAuthn & CTAP," FIDO Alliance, 2025. [Online]. Available: https://fidoalliance.org/fido2/

[9] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[10] Cloudflare, "2026 Cloudflare Threat Report," Cloudflare, 2026. [Online]. Available: https://www.cloudflare.com/lp/threat-report-2026/


Ready to audit your SaaS integrations and close the gaps before they're exploited? Book a no-obligation security review with lilMONSTER — we'll map your exposure and give you a clear action plan. No jargon, no scare tactics, just results.

TL;DR

  • Cloudflare — the company that handles 1 in 5 websites on the internet — just published their 2026 threat report, and it's a big deal [1].
  • Hackers are no longer trying to break down your digital front door. They're sneaking in through the apps you trust — like Google Drive, Dropbox, and Microsoft Teams.
  • There's also a new trick called "session token theft" that lets attackers skip your password AND your two-factor code entirely.
  • Three simple actions: check your email settings, audit which apps can see your data, and set time limits on logins.

Imagine Your House Has a Pet Door

You lock all your windows and doors. Smart. But you also have a pet door in the back — small, convenient, always open — so your dog can come and go. Now imagine a burglar figures out that if they dress up like a dog (or squeeze something through the pet door), they can get in without ever touching your locked front door.

That's basically what's happening to businesses right now. Cloudflare — the company whose network handles roughly 1 in 5 websites on the entire internet — just published their 2026 Threat Report, and it's not about hackers breaking your locks [1]. It's about hackers using the pet doors you forgot you had.

The "Pet Doors" in Your Business: Google Drive, Dropbox, Teams

Every business today uses a bunch of cloud tools — Google Drive, Dropbox, Microsoft Teams, maybe some project management apps, your accounting software. They're all connected. They talk to each other. That's the whole point.

But here's the thing: attackers have figured out that these tools are trusted. Your email security doesn't flag a link from Google Drive the same way it flags a link from a random website. Your firewall doesn't block a message hidden inside a Google Calendar event — because Google Calendar is allowed [1].

So attackers are hiding inside these tools. Cloudflare's researchers found actual cases of hackers using Google Calendar event descriptions to send secret commands to computers they'd infected — essentially using your company's calendar software as a walkie-talkie for their operation [1][2].

This sounds wild. It is. But it's happening right now.

Your Two-Factor Code Can Be Beaten — Here's How

You've probably heard that turning on two-factor authentication (2FA) — where you get a text code when you log in — makes you way more secure. That's still true, but there's a new problem [2].

Here's how regular login protection works: you enter your password + your text code → you're in → the website saves a small file on your browser called a "session token" that says "yes, this person is allowed in."

Modern hackers don't bother stealing your password. They steal the session token after you've already logged in. It's like stealing your hotel room keycard from your bedside table instead of trying to pick the lock. Once they have the token, they walk right in — no password, no 2FA code needed [2].

According to a major industry report cited by Cloudflare, 54% of ransomware attacks in 2025 started this way [2]. That's more than half.

The $49,000 Email Scam

Here's another number worth knowing. Cloudflare found that business email fraud — where attackers send fake invoices or trick employees into transferring money — racked up $123 million in theft attempts in 2025 [3].

The sneaky part? Attackers deliberately target requests around $49,000 [3]. Why? Because many businesses have automated approval limits below $50,000, and manual review processes kick in above that. So criminals have learned to stay just under the radar.

If your business processes invoices or wire transfers, this is relevant to you — especially because nearly half of all emails fail basic security checks that would reveal they're fake [1].

What You Can Do (Three Things, No Tech Degree Required)

1. Set Up DMARC on Your Email Domain

DMARC is a setting that tells other email servers: "If an email claims to be from my company but doesn't pass our security checks, reject it." Right now, 46% of emails on the internet fail this check — meaning a lot of fake emails are getting through [1][7].

Ask your IT person or your web host how to set up DMARC, SPF, and DKIM. Most major email providers have step-by-step guides. This makes it much harder for scammers to send emails that appear to be from your business.

2. Check Which Apps Can Access Your Google or Microsoft Account

Every time you clicked "Sign in with Google" or gave an app permission to connect to your email or files, you created a potential pet door. Most businesses have dozens of these they've forgotten about.

Go to your Google account settings or Microsoft account settings and look for "third-party apps with account access." Revoke anything you don't recognise or don't use anymore. This takes an hour and costs nothing [1].

3. Set Your Accounts to Log Out Automatically

Session tokens (the keycard we talked about) are most dangerous when they never expire. If you stay logged into your banking software or email account indefinitely, a stolen token is good forever.

Most cloud tools let you set automatic logout after a period of inactivity. Turn this on for anything sensitive — email, financial software, HR systems. It's a tiny inconvenience that cuts off one of the biggest attack paths [2][8].

Why This Matters More Than It Used To

Cloudflare's network blocked 234 billion threats every single day in 2025 [1]. To put that in perspective — that's more threats per day than there are stars visible in the night sky from Earth.

The attacks aren't getting smarter so much as faster and more automated. Robots are testing your accounts, probing your email settings, and scanning for misconfigured apps — all without a human attacker sitting at a keyboard. You don't have to be specifically targeted to get hit.

The good news is that most of the attacks exploit the same handful of weaknesses. Fix those weaknesses, and you're ahead of the vast majority of businesses.


FAQ

Why are hackers hiding inside Google Drive?

Because Google Drive is trusted. Security tools are trained to flag traffic from suspicious sources — but traffic from Google looks normal. By hiding attack commands inside legitimate services, hackers blend in with the millions of real users of those same services every day.

Is two-factor authentication still worth using?

2FA is still valuable and you should keep it. But session token theft bypasses it by stealing the proof of login after you've already authenticated. The extra protection comes from setting shorter session lifetimes and using the newest generation of login keys (called passkeys or FIDO2) that are tied to your specific device.

How would I know if a session token had been stolen?

You might not notice immediately. Signs include unexpected logins from unusual locations (check your account's login history), getting locked out of accounts you didn't change, or unusual activity in connected apps. Many cloud providers have security dashboards that show recent login locations.

Is my small business really a target?

Yes — but not because you're specifically interesting. Automated attack tools hit thousands of businesses simultaneously, the same way spam email doesn't pick individual recipients. Your size doesn't protect you; your security hygiene does. Closing the common gaps (email authentication, app permissions, session limits) makes you statistically less attractive to automated attack systems.

How much do these fixes cost?

The three actions listed above — DMARC setup, app audit, and session timeouts — are free. They're configuration changes to tools you already have. The cost is time, not money. If you want help mapping your full exposure and getting a prioritised action plan, that's exactly what a security review from lilMONSTER covers.


References

[1] Cloudforce One, "Introducing the 2026 Cloudflare Threat Report," Cloudflare Blog, March 3, 2026. [Online]. Available: https://blog.cloudflare.com/2026-threat-report/

[2] A. Pogorelec, "Cloudflare tracked 230 billion daily threats and here is what it found," Help Net Security, March 3, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/03/cloudflare-cyber-threat-report-2026/

[3] D. Vanian, "Cloudflare warns AI and SaaS integrations are fueling industrial-scale cybercrime," SiliconANGLE, March 3, 2026. [Online]. Available: https://siliconangle.com/2026/03/03/cloudflare-warns-ai-saas-integrations-fueling-industrial-scale-cybercrime/

[4] "Cloudflare report: stolen session tokens, cloud abuse and record DDoS surge," Prism News, March 4, 2026. [Online]. Available: https://www.prismnews.com/news/cloudflare-report-stolen-session-tokens-cloud-abuse-and-record-ddos-surge

[5] Cloudflare, "2025 Q4 DDoS Threat Report," Cloudflare Blog, 2026. [Online]. Available: https://blog.cloudflare.com/ddos-threat-report-2025-q4/

[6] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[7] CISA, "Email Authentication Best Practices," CISA, 2025. [Online]. Available: https://www.cisa.gov/resources-tools/resources/email-security-best-practices

[8] FIDO Alliance, "FIDO2: WebAuthn & CTAP," FIDO Alliance, 2025. [Online]. Available: https://fidoalliance.org/fido2/


Want to know which pet doors are open in your business right now? Book a security review with lilMONSTER — we find them, we close them, and we explain everything in plain English. No jargon, no drama, just a safer business.
