Mike Britton, CISO at Abnormal Security, tackles the threat of file sharing phishing attacks and how to stop them from harming your organisation.

File-sharing platforms have seen a huge boost in recent years as remote and hybrid workers look for efficient ways to collaborate and exchange information – it’s a market that’s continuing to grow rapidly, expected to grow at a CAGR of more than 26% through to 2028.

Tools like Google Drive, Dropbox, and Docusign have become trusted, go-to services in today’s businesses. Cybercriminals know this and, unfortunately, they are finding ways to take advantage of this trust as they level up their phishing attacks.

According to our recent research, file-sharing phishing attacks – whereby threat actors use legitimate file-sharing services to disguise their activity – have tripled over the last year, increasing 350%.

These attacks are part of a broader trend we’re seeing across the threat landscape, where cybercriminals are moving away from traditional phishing attacks and toward sophisticated social engineering schemes that can more effectively deceive human targets, while evading detection by legacy security tools. 

As employees become more security conscious, attackers are adapting. The once telltale signs of phishing, like poorly written emails and the inclusion of suspicious URLs, are quickly fading as cybercriminals shift to more subtle and advanced tactics, including exploiting file-sharing services.   

So, what do these attacks look like? And what can organisations do to prevent them? 

How file-sharing phishing attacks work

All phishing attacks are focused on exploiting the victim’s trust, and file-sharing phishing is no different. In these attacks, threat actors impersonate commonly used file-sharing services and trick targets into sharing their credentials via realistic-looking login pages. In some cases, cybercriminals even exploit real file-sharing services by creating genuine accounts and sending emails with legitimate embedded links that lead targets to these fraudulent pages, or otherwise expose them to harmful files.

They will often use subject lines and file names that are enticing enough to click without arousing suspicion (like “Department Bonuses” or “New PTO Policy”).  Plus, since many bad actors now use generative AI to craft their communications, phishing messages are more polished, professional, and targeted than ever.

We found that approximately 60% of file-sharing phishing attacks now use legitimate domains, such as Dropbox, DocuSign, or ShareFile, which makes these attacks especially challenging to detect. And since these services often offer free trials or freemium models, cybercriminals can easily create accounts to distribute attacks at scale, without having to invest in their own infrastructure.

While every industry is at risk for file-sharing phishing attacks, we found that certain industries were easier to target than others. The finance sector, for example, frequently uses file-sharing and e-signature platforms to exchange documents with partners and clients, usually amid high-pressure, fast-moving transactions. File-sharing phishing attacks that appear time-sensitive and blend in seamlessly with legitimate emails are unlikely to raise red flags.

Why file-sharing phishing attacks are so challenging to detect

File-sharing phishing attacks demonstrate just how effective (and dangerous) social engineering can be. Because these attacks appear to come from trusted senders and contain seemingly innocuous content, they feature virtually no indicators of compromise, leading even the most security-conscious employees to fall for these schemes.

And it’s not just humans that these attacks are deceiving. Without any malicious content to flag, these attacks can also bypass traditional secure email gateways (SEGs), which rely on picking up on known threat signatures such as malicious links, blacklisted IPs, or harmful attachments. Meanwhile, socially engineered attacks that appear realistic—including those that exploit legitimate file-sharing services—slip through the cracks. 

A modern approach to mitigating social engineering attacks

While security education and awareness training will always be an important component of any cybersecurity strategy, the rate at which social engineering attacks are advancing means that organisations can no longer depend on awareness training alone. 

It’s time that organisations rethink their cyber defence strategies, focusing on capabilities to detect the more subtle, behavioural signs of social engineering, rather than spotting only the most obvious threats.

Advanced threat detection tools that employ machine learning, for example, can analyse patterns around a user’s typical interactions and communication patterns, email content, and login and device activity, creating a baseline of known-good behaviour. Advanced AI models can then detect even the slightest deviations from that baseline, which might signal malicious activity. This allows security teams to detect the threats that signature-based tools (and their own employees) might miss. 
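The contrast between a signature check and a behavioural baseline can be shown in a few lines. This is an added illustration, not code from the article or from any vendor's product: it swaps the machine-learning model described above for a plain per-recipient set of previously seen sharing services and sharers, and the addresses, the blocklist entry and the assumption that the sharing account has already been extracted from each notification are all constructed.

```python
from collections import defaultdict

# Constructed history: (recipient, sharing-service domain, account that shared)
HISTORY = [
    ("ana@example.com", "dropbox.com", "raj@example.com"),
    ("ana@example.com", "dropbox.com", "raj@example.com"),
    ("ana@example.com", "docusign.net", "legal@partner.example"),
    ("ben@example.com", "sharefile.com", "ana@example.com"),
]
BLOCKLIST = {"bad-files.example"}  # constructed stand-in for a signature feed

def signature_verdict(service):
    """Signature-style check: flags only domains already known to be bad."""
    return "block" if service in BLOCKLIST else "allow"

def build_baseline(history):
    """Per-recipient sets of sharing services and sharers seen in past mail."""
    baseline = defaultdict(lambda: {"services": set(), "sharers": set()})
    for recipient, service, sharer in history:
        baseline[recipient]["services"].add(service)
        baseline[recipient]["sharers"].add(sharer)
    return baseline

def deviations(baseline, recipient, service, sharer):
    """List the ways a new share notification departs from the baseline."""
    seen = baseline.get(recipient)  # .get() avoids creating an empty entry
    if seen is None:
        return ["no history for recipient"]
    found = []
    if service not in seen["services"]:
        found.append("service new to recipient")
    if sharer not in seen["sharers"]:
        found.append("sharer new to recipient")
    return found

def triage(baseline, recipient, service, sharer):
    """Combine both checks: clean signature plus any deviation means review."""
    if signature_verdict(service) == "block":
        return "block"
    return "review" if deviations(baseline, recipient, service, sharer) else "deliver"

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed notifications, both sent through a legitimate service domain
    for event in [("ana@example.com", "dropbox.com", "raj@example.com"),
                  ("ana@example.com", "dropbox.com", "bonus-team@freemail.example")]:
        print(event, signature_verdict(event[1]), triage(base, *event))
```

Both sample notifications pass the signature check because the service domain is legitimate; only the baseline comparison separates the familiar sharer from the unfamiliar one.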

As cybercriminals continue to evolve their attack tactics, we have to evolve our cyber defences in kind if we hope to keep pace. The static, signature-based tools of yesterday simply can’t keep up with how quickly social engineering techniques are advancing. The organisations that embrace modern, AI-powered threat detection will be in the best position to enhance their resilience against today’s – and tomorrow’s – most complex attacks.
