SharePoint, OneDrive, and Dropbox used for Phishing Attacks

By: Bryson Medlock

A recent surge in phishing attacks highlights the exploitation of legitimate file-hosting services like SharePoint, OneDrive, and Dropbox for identity theft, according to a recent report by Microsoft.

Threat actors are increasingly using these platforms to send phishing links that masquerade as genuine file-sharing notifications. These attacks often involve the delivery of links to malicious files under the pretense of legitimate business communication, bypassing security tools by leveraging trusted platforms. The attackers’ tactics, including the use of restricted file access and view-only sharing permissions, help them evade detection and deliver malicious content more effectively.

Method of Initiating Attacks

One of the more alarming aspects of these campaigns is their method of initiating attacks by compromising accounts at trusted vendors or partners. Once inside the supply chain, attackers distribute notifications to target users, convincing them to re-authenticate through seemingly legitimate file-sharing services. These notifications often lure users into re-entering their credentials, which are then harvested by attackers to steal session tokens. This technique allows attackers to bypass multifactor authentication (MFA) defenses, making traditional security measures less effective in preventing account takeovers.

Moreover, the social engineering techniques used in these phishing attempts are becoming more advanced. Attackers are increasingly employing time-sensitive restrictions on files, using urgency as a psychological trigger to prompt users to act quickly. The phishing messages are often crafted to appear as urgent requests related to financial transactions, document reviews, or critical IT issues, further increasing the likelihood that users will click on the malicious links without sufficient scrutiny.

Mitigating Risks

To mitigate these risks, organizations are encouraged to implement stronger security measures around file-sharing platforms. Microsoft advises businesses to enforce conditional access policies based on user risk, transition to passwordless authentication mechanisms, and ensure continuous monitoring of file-sharing services for anomalous activities. Additionally, employee education remains a crucial defense, as users need to recognize the warning signs of phishing attempts, especially when interacting with file-sharing notifications.
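One way to monitor for the session-token reuse described above, shown as an added example that is not from the original article or the Microsoft report. The event types, field names and sample events are constructed for illustration, and treating a change of IP address within one session as the anomaly is an assumption of this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample events; types and field names are hypothetical, not a product schema.
SAMPLE_EVENTS = [
    {"time": "2024-10-08T09:00:00", "type": "share_notification", "user": "alice@example.com", "external": True},
    {"time": "2024-10-08T09:04:00", "type": "mfa_signin", "user": "alice@example.com", "session": "s-100", "ip": "198.51.100.7"},
    {"time": "2024-10-08T09:06:00", "type": "session_use", "user": "alice@example.com", "session": "s-100", "ip": "203.0.113.50"},
    {"time": "2024-10-08T10:00:00", "type": "mfa_signin", "user": "bob@example.com", "session": "s-200", "ip": "198.51.100.9"},
    {"time": "2024-10-08T10:30:00", "type": "session_use", "user": "bob@example.com", "session": "s-200", "ip": "198.51.100.9"},
    {"time": "2024-10-08T11:00:00", "type": "mfa_signin", "user": "carol@example.com", "session": "s-300", "ip": "192.0.2.10"},
    {"time": "2024-10-08T11:20:00", "type": "session_use", "user": "carol@example.com", "session": "s-300", "ip": "203.0.113.99"},
]

def find_session_replay(events, window=timedelta(minutes=30)):
    """Flag sessions used from an IP other than the one where MFA was completed.

    Severity is 'high' when the user received an external file-share
    notification within `window` before that MFA sign-in, otherwise 'medium'.
    """
    last_share = {}  # user -> time of the latest external share notification
    sessions = {}    # session id -> (IP at MFA sign-in, preceded by a share lure?)
    findings = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "share_notification" and ev.get("external"):
            last_share[ev["user"]] = t
        elif ev["type"] == "mfa_signin":
            share = last_share.get(ev["user"])
            lured = share is not None and t - share <= window
            sessions[ev["session"]] = (ev["ip"], lured)
        elif ev["type"] == "session_use" and ev["session"] in sessions:
            mfa_ip, lured = sessions[ev["session"]]
            if ev["ip"] != mfa_ip:  # same session token, different source address
                findings.append({
                    "user": ev["user"], "session": ev["session"],
                    "mfa_ip": mfa_ip, "replay_ip": ev["ip"],
                    "severity": "high" if lured else "medium",
                })
    return findings

if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_EVENTS):
        print(finding)
```

An IP change alone also occurs for roaming or VPN users, so findings from this heuristic are triage leads to correlate with other signals rather than confirmed compromises.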

As attackers continue to refine their techniques and leverage trusted platforms, the future impact on both enterprises and their supply chains could be significant. Phishing campaigns that exploit trusted file-hosting services represent a growing threat that could lead to broader account compromise, lateral movement within networks, and increased susceptibility to business email compromise (BEC) schemes.

Kevin Walker

Cyber security for small businesses and schools. Don't get caught off guard. Keep your organisation in calm waters with a partner who understands cyber threats.

1 month

We're seeing quite a few of these, but also links placed within miro.io and storydoc.com. If you're not expecting a "secure document" or are unsure whether it's genuine, the best advice is to reach out to the sender using other means and confirm whether they sent it.
