Cyber attacks are typically associated with data theft and extortion, but another threat can cause just as much damage. As geopolitical tensions rise across the globe, state-sponsored adversaries are preferring to hide in systems, going unnoticed for months or years after the initial compromise.

To perform these so-called living off the land (LotL) attacks, attackers are weaponizing legitimate software and infrastructure to lie in wait. This trend is seeing tactics shift away from data breaches to more sophisticated espionage and disruptive operations, according to a 2026 report from Cloudflare.

Living off the land attacks: long-term campaigns

Cyber attacks usually take advantage of security weaknesses. However, living off the land attacks are different: they are growing in response to organizations strengthening their overall cybersecurity posture. "Organizations have made significant progress in their ability to detect threats and patch systems more effectively," Tony Fergusson, CISO in residence at Zscaler, told ITPro. "Consequently, adversaries are being forced to be more stealthy to exploit data, and they're doing this by leveraging legitimate tools and processes."

With living off the land attacks, attackers deliberately avoid drawing attention to themselves by using existing and trusted tools and websites, rather than exploiting a zero-day flaw or introducing malware. "They stay under the radar, blending in seamlessly with legitimate user activity, and mimic everyday operations so their presence goes unnoticed," says Fergusson.

Cloudflare's 2026 threat report describes a shift away from brute force entry towards high-trust exploitation, with adversaries actively targeting legitimate SaaS, IaaS, and PaaS tools such as Google Calendar, Dropbox, and GitHub to camouflage malicious actions within normal enterprise activity.

This isn't surprising, says Razvan Ionescu, head of offensive security services at Pentest-Tools.com. He describes how his team "consistently finds that organizations have invested heavily in signature-based detection and perimeter controls" — yet monitoring of legitimate administrative tooling, endpoint management platforms, cloud management consoles, and scripting environments "remains thin."

State-sponsored and highly targeted

Living off the land attacks suit a certain type of adversary. The technique is especially attractive to "state-sponsored and highly-targeted threat actors", according to Dana Simberkoff, chief risk, privacy and information security officer at AvePoint.

Rather than seeking immediate financial gain, attackers are aiming for espionage, strategic positioning, and in some cases, preparation for future disruption. "Living off the land tactics allow these adversaries to maintain access over long periods without drawing attention," Simberkoff explains.

These attacks allow nation states to collect strategic intelligence across diplomatic, military, economic, or technological targets, says Tracey Hannan-Jones, consulting director for information security at UBDS Digital. "By using pre-positioning, attackers gain access to critical systems, so disruption can be triggered during geopolitical tensions." Supply chain attacks, where adversaries compromise vendors to reach downstream targets, are "easy leverage," she warns.

Cloudflare's report tracked four primary nation state adversaries over the past year: Russia, China, North Korea, and Iran — each approaching LotL attacks differently based on operational goals. China, for example, appears to have shifted from bulk data theft towards targeting legitimate cloud infrastructure for longer-term pre-positioning, with some groups using Google Calendar for command-and-control communication.

"The goal is to create a resilient architecture that remains nearly invisible to standard perimeter defences," says Ionescu. "Rather than trying to exfiltrate data today, these attackers are establishing persistent footholds now to use during a future geopolitical event."

Businesses most at risk

Organizations with complex digital environments are particularly exposed. "Cloud-first enterprises, regulated industries, critical infrastructure providers and companies embedded in large supply chains are at risk," says Simberkoff. "The more identities, integrations and third party connections an organization has, the more opportunity attackers have to hide."

Government and defence are prime targets. "State actors look at pursuing intelligence and influence, accessing and stealing sensitive data, policy insight and information of geopolitical value, so they can use it against them," says Hannan-Jones.

AI is making attacks more refined

Rapidly developing technology such as AI is adding to the risk. "Instead of fully autonomous attacks, we're seeing AI used to support reconnaissance, targeting and decision making," says Simberkoff. "This helps attackers understand environments faster and choose techniques that look the most legitimate." The result is activity that increasingly resembles normal administrative behaviour, making detection much more difficult.

Attackers can use AI to rapidly analyse public information — organisation charts, job postings, technical blogs, vendor documentation, and leaked credentials — and infer likely tech stacks and access paths. "This improves the precision of initial access attempts and reduces the need for noisy trial-and-error," says Hannan-Jones.

How to protect your business

Rather than trying to prevent compromise entirely, Simberkoff recommends focusing on "detecting misuse and limiting impact" — advocating strong identity governance, least privilege access, and detailed logging of administrative activity.

Ionescu underscores the importance of understanding your own blast radius. "Before asking what you'd detect, ask what an attacker with compromised admin credentials to your endpoint management platform, your identity provider or your cloud management console could do. Most organizations haven't mapped that explicitly."

The second priority is closing the gap between what your monitoring covers and where attackers actually operate. "Effective reconnaissance from an attacker's perspective focuses on maintaining OPSEC and blending into normal traffic patterns. Your detection logic needs to match that: anomaly detection on administrative actions, not just signature matching on known bad payloads," says Ionescu.

Robust incident response is also key. Protecting your firm from living off the land attacks requires building operational playbooks for "quiet compromise", says Hannan-Jones. "Many organizations will have playbooks for ransomware, but very few are prepared for stealthy pre-positioning. Define what 'suspicious admin activity' looks like in your environment and create response runbooks for identity compromise, token theft and privileged account misuse."
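The advice above (anomaly detection on administrative actions rather than signature matching, and defining what "suspicious admin activity" looks like for your environment) can be made concrete as a per-identity baseline check over admin audit events. The following is an added example written for this page, not code from the article or from any of the firms quoted in it; the log format, identities, tool names and hosts are all constructed. Because every tool in the sample is legitimate, a signature on known-bad payloads would never fire; only deviation from each identity's own baseline (new tool, new host, unusual hour) is observable.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not from any real environment), one per
# line as "timestamp identity tool host". The baseline window is what the
# identity normally does; NEW_EVENTS is the window being reviewed.
BASELINE = """\
2026-04-01T09:12:00 alice powershell host-fin-01
2026-04-01T10:40:00 alice powershell host-fin-02
2026-04-02T14:05:00 alice psexec host-fin-01
2026-04-02T11:30:00 bob mdm-console host-hr-01
2026-04-03T15:20:00 bob mdm-console host-hr-02
"""
NEW_EVENTS = """\
2026-04-05T10:10:00 alice powershell host-fin-01
2026-04-05T03:14:00 bob psexec host-fin-01
2026-04-05T03:16:00 bob cloud-console host-fin-01
"""

def parse(text):
    """Split each non-empty line into (datetime, identity, tool, host)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(ts), i, t, h) for ts, i, t, h in rows]

def build_baseline(events):
    """Per identity: which tools, hosts and hours of day are normal for it."""
    profile = defaultdict(lambda: {"tools": set(), "hosts": set(), "hours": set()})
    for ts, ident, tool, host in events:
        p = profile[ident]
        p["tools"].add(tool); p["hosts"].add(host); p["hours"].add(ts.hour)
    return profile

def score_event(profile, event):
    """Return every way this event deviates from its identity's baseline."""
    ts, ident, tool, host = event
    p = profile.get(ident)
    if p is None:
        return ["identity has no admin baseline at all"]
    reasons = []
    if tool not in p["tools"]:
        reasons.append(f"first use of {tool} by {ident}")
    if host not in p["hosts"]:
        reasons.append(f"{ident} has never administered {host}")
    if ts.hour not in p["hours"]:
        reasons.append(f"activity at {ts.hour:02d}:00 is outside usual hours")
    return reasons

def find_anomalies(baseline_text, new_text):
    """Map (identity, tool, host) -> reasons, for deviating events only."""
    profile = build_baseline(parse(baseline_text))
    scored = ((e, score_event(profile, e)) for e in parse(new_text))
    return {(e[1], e[2], e[3]): r for e, r in scored if r}
```

In the sample, alice's routine PowerShell use passes silently while bob's first-ever use of psexec and a cloud console, on a finance host, at 03:00, produces three independent deviations, which is the kind of "quiet compromise" signal a runbook for privileged account misuse can be keyed on.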

Originally published in IT Pro · 19 May 2026 · By Kate O'Flaherty.