Threat Actors Abuse Trust in Cloud Collaboration Platforms


A growing number of phishing campaigns have been observed leveraging trusted online document platforms to evade secure email gateways (SEGs) and steal credentials.

Threat analysts at Cofense Intelligence have identified that platforms such as Adobe, DocuSign, Dropbox, Canva and Zoho are being misused in phishing attacks due to their widespread adoption by businesses and individuals.

In 2024, these online document services reportedly accounted for 8.8% of all credential phishing campaigns, with 79% of observed cases involving credential theft attempts.

How Threat Actors Exploit Document Platforms

In a new report published today, Cofense explained how these platforms are trusted within corporate and personal environments, making it easier for attackers to bypass security filters.

Some services automatically send notifications to users when a document is shared, further legitimizing the phishing attempt. SEGs often permit these emails because they originate from reputable domains, allowing malicious links to reach recipients.

Additionally, some services, DocuSign among them, have features that inadvertently benefit attackers, including link expiration mechanisms that hinder post-attack investigations.

Malicious documents on platforms like Adobe and Dropbox can also stay active for days before takedown requests are processed, giving attackers ample time to execute their campaigns.

Most Commonly Abused Platforms in 2024

The research highlights six platforms that were heavily misused:

  • Dropbox – Most exploited at 25.5%; phishing files remain online longer due to high traffic
  • Adobe – Used in 17% of campaigns, mainly for malicious PDFs that bypass SEGs
  • SharePoint – 17%; attackers impersonate colleagues or business partners
  • DocuSign – 16%; frequently used in HR-related phishing, and in 6% of QR code phishing links
  • Google Docs – 11%; often distributing malware via embedded links
  • Canva – Just under 9%; phishing via PDF and multimedia sharing
  • Zoho – 4%, with a significant spike in abuse from December 2024 to early 2025

Security Implications and Prevention Measures

While these platforms work to mitigate abuse, the volume of phishing campaigns makes complete prevention difficult.

Organizations and individuals should implement additional security layers, such as user education, behavioral analysis tools and multi-factor authentication, to reduce the risk of credential theft.

Monitoring for suspicious document-sharing activity can also help detect phishing attempts before they lead to data breaches.
