Introduction

In recent years, phishing campaigns have increasingly exploited trusted online document platforms to bypass secure email gateways (SEGs) and facilitate credential theft. This trend highlights the growing sophistication of attackers who leverage these platforms to enhance the legitimacy of their phishing attempts.

Description

A growing trend in phishing campaigns involves the exploitation of trusted online document platforms [6], such as Adobe [2] [3] [6], DocuSign [1] [2] [3] [4] [5] [6], Dropbox [2] [3] [4] [5] [6], Canva [2] [3] [4] [5] [6], Google Docs [2] [3] [4] [5], SharePoint [1] [2] [3] [4], and Zoho [2] [3] [4] [5] [6], to bypass secure email gateways (SEGs) and facilitate credential theft [6]. In 2024 [2] [3] [4] [5] [6], these platforms accounted for 8.8% of all credential phishing attempts [3] [4] [6], with 79% of incidents focused on stealing user credentials [6]. Attackers often leverage automatic notifications from these reputable domains to enhance their legitimacy [3], employing sophisticated tactics that include generative AI to craft polished phishing emails that mimic legitimate writing styles and personalize messages using publicly available data.

Notably, Dropbox emerged as the most frequently targeted service [4], representing 25.5% of abuses [2]. This is largely due to its widespread use among individuals and companies [4], which limits the effectiveness of SEG blocking. Adobe [2] [3] [4] [5] [6], a long-trusted brand [4], was involved in over 17% of incidents [2], and takedown efforts there are often delayed due to high traffic and its PDF hosting capabilities. DocuSign was significantly abused as well, comprising over 16% of the online document services exploited [2], with attackers frequently utilizing QR codes in links to complicate post-incident analysis, particularly in HR contexts [4]. Additionally, attackers have been known to spoof requests from trusted document platforms like DocuSign to deceive users into entering credentials.

Google Docs accounted for 11% of abuses [2]. Attackers used it primarily for both credential phishing and malware delivery through embedded links, leveraging the trust SEGs place in Google services [4]. SharePoint contributed 17% to phishing attempts [2], often through impersonation tactics [2], with attackers capitalizing on its popularity in workplace environments [4]. Brand impersonation remains a common tactic [1], with threat actors spoofing major brands [1], particularly document sharing services like Microsoft’s OneDrive and SharePoint [1], to trick users into approving fraudulent document requests.

Canva and Zoho were less frequently targeted [2], with Canva at just under 9% and Zoho at 4% [2]. However, Zoho experienced a notable spike in abuse towards the end of 2024 [2] [4], indicating a shift in threat actor strategies [2]. Attackers are increasingly abusing trusted document-signing and file-hosting services to distribute phishing lures [1], uploading malicious content to reputable providers and crafting phishing emails that reference these platforms [1], misleading vigilant users who check URLs [1]. The use of on-device AI for monitoring such threats is becoming critical [5], as traditional defenses may not suffice against these sophisticated phishing tactics [5]. Overall, these trusted platforms are increasingly being weaponized for phishing [2], complicating detection and response efforts while evolving to include sophisticated domain impersonations and the use of lookalike domains that evade traditional email filters [1].
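
The two patterns described above, lures hosted on the real platform and brand spoofing from lookalike domains, call for different triage signals. The following is an added example, not code from any of the cited reports: the brand-to-domain map is an illustrative, non-exhaustive assumption, the function and verdict names are hypothetical, and the sample messages are constructed with reserved .example names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative, non-exhaustive brand -> legitimate domains map.
PLATFORMS = {
    "docusign": ("docusign.com", "docusign.net"), "dropbox": ("dropbox.com",),
    "sharepoint": ("sharepoint.com",), "adobe": ("adobe.com",),
    "canva": ("canva.com",), "zoho": ("zoho.com",), "google": ("google.com",),
}
# Fold common character swaps and hyphens before looking for a brand name.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def under(host, domains):  # host equals, or is a subdomain of, a listed domain
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_host(host):
    """Return (verdict, brand) for a hostname, or None if no brand is involved."""
    host = host.lower().rstrip(".")
    for brand, domains in PLATFORMS.items():
        if under(host, domains):
            return ("hosted_on_platform", brand)  # real platform: inspect content
    folded = host.translate(FOLD)
    for brand in PLATFORMS:
        if brand in folded:
            return ("lookalike", brand)           # brand name on a foreign domain
    return None

def triage(raw_email):
    """Findings for one single-part text message: (verdict, brand, host)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    findings = [("display_name_spoof", b, sender) for b, d in PLATFORMS.items()
                if b in name.lower() and not under(sender, d)]
    for host in sorted({h.lower() for h in URL_HOST.findall(msg.get_payload())}):
        verdict = classify_host(host)
        if verdict:
            findings.append((*verdict, host))
    return findings

# Constructed sample messages (reserved .example names, not real traffic).
SPOOFED = ('From: "DocuSign Notifications" <no-reply@d0cusign-secure.example>\n\n'
           "Review: https://d0cusign-secure.example/sign?id=1\n")
HOSTED = ('From: "Accounts Payable" <ap@vendor.example>\n\n'
          "Open: https://www.dropbox.com/s/CONSTRUCTED/invoice.pdf\n")

if __name__ == "__main__":
    print(triage(SPOOFED), triage(HOSTED))
```

The substring match favors recall and will also flag unrelated hostnames that happen to contain a brand string, so the findings are signals for content inspection or analyst review rather than block decisions.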

Conclusion

The exploitation of trusted document platforms for phishing purposes presents significant challenges for cybersecurity. As attackers continue to refine their tactics, organizations must adopt advanced threat detection measures, such as on-device AI [5], to effectively counter these sophisticated threats. Future efforts should focus on enhancing the resilience of email security systems and improving user awareness to mitigate the risks associated with these evolving phishing strategies.

References

[1] https://www.csoonline.com/article/3850783/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html
[2] https://cofense.com/blog/threat-actors-abuse-trust-in-cloud-collaboration-platforms
[3] https://thenimblenerd.com/article/phishing-frenzy-how-trusted-document-platforms-became-cybercriminals-best-friends/
[4] https://securityboulevard.com/2025/03/threat-actors-abuse-trust-in-cloud-collaboration-platforms/
[5] https://www.forbes.com/sites/zakdoffman/2025/03/25/fbi-warns-chrome-edge-safari-users-check-this-to-stop-attacks/
[6] https://www.infosecurity-magazine.com/news/threat-actors-abuse-cloud-platforms/