The Newest Type of Phishing Attack: Cloud-Based Documents

Phishing has become a well-known term, even showing up in prime-time commercials and rolling off the tongues of tech-savvy, scam-weary seniors. Despite the widespread awareness of phone, email, and even in-person phishing scams, new and creative attacks remain the bane of security staff. The latest phishing threat gaining traction? Cloud-based documents.

The Lure of Cloud-Based Documents

As Software as a Service (SaaS) platforms continue to gain popularity, they serve as an ever more tantalizing target for attackers. One new attack vector that is becoming more widespread is SaaS applications such as Google Drive, Google Docs, and the like. A recent study from Proofpoint highlighted this vulnerability, and security experts warn that the threat is trending up. So how does it work, and how can you protect your company?

A Pain in My SaaS

Proofpoint documented the process of combining phishing, malware, and Google Drive to successfully infect unsuspecting victims. The company did so by first uploading executable malware files to Google Drive, then creating a public link that they shared via a Google Doc. With so many Google Doc links being exchanged for collaborative business efforts, victims didn’t think twice before simply clicking the link. It was too late when they realized they had been scammed by a document-based phishing attack. This type of SaaS attack is fairly new, making it a relatively large security threat. Many users won’t recognize the potential danger of a Google Doc the way they would an email attachment. But all is not lost—the same smart security approach that works for other phishing vectors can be applied here.

Protecting Against Cloud-Based Document Attacks

Cloud-based attacks were included in SC Magazine’s Top 5 Phishing Challenges of 2018 for good reason. According to a recent Ponemon Institute report, 63% of respondents said they have third parties accessing data in the cloud. So it’s easy to see how a phishing lure built around a Google Doc link could seem innocuous to a user who regularly works in cloud-based apps with third-party collaborators.

This reality highlights two of the primary ways to defend against such attacks: security awareness training and penetration testing. By adding cloud-based document attacks to your ongoing security awareness training curriculum, your employees will become more vigilant and cautious about this potential risk. By adding penetration testing to your security approach, you can concretely quantify your company’s ability to detect and prevent cloud-based document and other social engineering attacks.