
Cloud file-sharing services like Google Drive, Dropbox, OneDrive, and SharePoint are trusted tools used daily by businesses and individuals. Attackers exploit this trust by misusing these file hosting platforms to deliver malware and steal credentials. In a typical cloud phishing scheme, a malicious actor shares a file (e.g. a PDF or document) via Google Drive/Dropbox/OneDrive that looks legitimate. Because the sharing notification comes from a well-known service, recipients often click it without suspecting danger. The message might claim, for example, that “John Doe shared a document with you”, and prompt the user to sign in or download a file. This lures the victim into a fake login or installs malware, enabling attackers to bypass email security filters.
Phishing emails often use familiar logos and notifications from Google Drive, Dropbox or OneDrive to trick users. Since the messages appear to come from trusted cloud services, victims may click on malicious links or download infected files without hesitation. Cybersecurity researchers note that threat actors increasingly “exploit the trust and familiarity” associated with these platforms to deliver harmful links and files. For example, Microsoft observed that phishing campaigns abuse SharePoint, OneDrive and Dropbox links as a “defense evasion tactic,” ultimately aiming to steal credentials and launch Business Email Compromise (BEC) attacks.
Attackers use the cloud for both phishing and malware delivery. In a typical scenario, they first compromise a legitimate account (often via password spraying or earlier phishing) belonging to a trusted organization or vendor. Using that account, they upload a malicious file to its cloud storage (Google Drive, Dropbox, etc.) and share it with target recipients. The victim then receives an automated “file shared” notification from the cloud service. At this point, the attack chain proceeds as follows:
This full attack chain lets criminals “live off the land” by abusing trusted services. For example, a Microsoft security analysis explains that after a user logs into the malicious file, they see a preview with a “View message” link; clicking it takes them to the AiTM page where their password and MFA code are captured. The result is a complete takeover of the victim’s account without any obvious malware payload to trigger alerts.
Recent cyber campaigns illustrate how convincing these attacks can be. In one case, a group dubbed “CLOUD#REVERSER” used Google Drive and Dropbox as the staging ground for malware. Phishing emails with malicious ZIP attachments were sent to victims; the ZIPs appeared to be Excel files thanks to a hidden Unicode trick. When victims opened them, the code reached back to Google Drive and Dropbox to download additional malicious scripts, establishing persistence on the device.
Another example involves the Russian APT group Cozy Bear (APT29). They sent embassy staff fake “agenda” files hosted on Google Drive or Dropbox. Clicking these files deployed the sophisticated Cobalt Strike payload EnvyScout, giving attackers full control of the systems. Google and Dropbox eventually shut down those specific links, but the episode shows how state-sponsored actors exploit cloud platforms to spread malware and steal data.
More broadly, Microsoft and security researchers warn that threat actors have targeted SharePoint, OneDrive and Dropbox in opportunistic phishing campaigns since 2024. These attacks often use urgent file names like “Invoice” or “Compromised_Password_Reset” to trick users. They also exemplify the emerging use of phishing kits like Mamba 2FA, sold on underground forums, which can hijack even two-factor logins.
Because the lures come from trusted services, these phishing emails bypass many defenses. Traditional email filters are less likely to block a legitimate-looking SharePoint or Dropbox notification. Moreover, the files themselves can be armored (e.g. view-only PDFs) so that malware scanners can’t detect the malicious link inside. The victim often thinks “It must be safe if Google/Dropbox sent it,” making them less suspicious.
The consequences of falling for such an attack can be severe:
In short, cloud-based phishing is a potent vector for identity theft and financial fraud because it hijacks the inherent trust in popular storage services.
Fortunately, there are many defenses and best practices to reduce this risk. Security experts emphasize a layered approach combining user vigilance, technical safeguards, and training. Here are key recommendations:
By combining these steps – careful user behavior plus robust technical controls – the risk of falling for cloud storage phishing can be greatly reduced. No single measure is foolproof, but together they create multiple hurdles for attackers.
Cloud storage and collaboration tools are extremely useful, but we must remain cautious. Attackers are increasingly “living off trusted sites” by abusing Google Drive, Dropbox, OneDrive and similar services. Always treat unsolicited file share notifications with skepticism. Think twice before entering credentials, and keep your security practices up to date. With the right precautions – strong 2FA, verified sharing, user training, and modern security tools – you can enjoy the benefits of cloud collaboration without falling prey to phishing.
Stay vigilant, stay informed, and protect your data!
Read: Why Are Elite Dangerous Servers Going Down Unannounced?