File-sharing phishing is becoming a preferred tactic for cybercriminals. A new report from Abnormal Security finds that file-sharing phishing attacks increased 350 percent between June 2023 and June 2024.

As with many phishing attacks, the goal is to trick users into installing malware or disclosing sensitive information. However, the term “phishing” is somewhat of a misnomer as the attacks may not involve phishing emails. Instead, file-sharing phishing exploits users’ trust in well-known platforms, such as Dropbox, Google Docs, Teams and other file-sharing and collaboration tools. Users are accustomed to receiving documents from these platforms, and when the file appears to come from a trusted source they are likely to click on the link.

How File-Sharing Phishing Works

A file-sharing phishing attack usually begins with the threat actor gaining unauthorized access to a legitimate user’s account on a file-sharing platform. Often, the user is a trusted vendor or partner of the target organization. The attacker hosts a malicious file on the file-sharing platform and shares it with the target.

The attacker further gains the recipient’s trust by naming the file based on familiar topics or conversations. For example, if the recipient had been working on a project with the vendor, the attacker might name the file “Project Update Report.” Attackers may also impersonate other departments within the organization, such as HR or IT, and create a sense of urgency. A file that appears to come from HR might be named “Urgent: Update to 2025 Benefits Elections.”

After clicking the link, the user is directed to authenticate in order to access the file. The file takes the user to a web page that requires the user’s password and multi-factor authentication code. The attacker obtains the user’s session token, which can be used for the next stage in the campaign.

Why File-Sharing Phishing Is Successful

Traditional phishing attacks often raise red flags because they appear out of the blue and ask for something extraordinary with a heightened sense of urgency. The phishing email may have a suspicious attachment or embedded hyperlink. Many organizations use email security controls to prevent phishing from reaching users’ inboxes. Additionally, users are increasingly wary of phishing and often spot common techniques.

In 60 percent of file-sharing phishing attacks, the threat actor uses the automated notification features of the file-sharing platform. Because the email lacks the hallmarks of phishing and appears to be coming from a trusted vendor, it is likely to bypass the organization’s security controls. The pretext of the attack exploits trusted relationships and conversations, making it difficult for users to detect.

Which Industries Are Most at Risk?

The Abnormal Security study found that the finance industry is the most targeted, accounting for 10 percent of attacks. Construction and engineering firms were the second most vulnerable, followed by property management and real estate companies.

Organizations in these sectors frequently rely on file-sharing platforms to exchange documents securely, giving threat actors ample cover for their attacks. These organizations are also accustomed to handling time-sensitive transactions with large payouts. It’s easy for users to miss the attack among all the other urgent documents.

How to Protect Your Organization

Despite the difficulty in detecting file-sharing phishing attacks, users should be educated in their techniques. Organizations should modify their security awareness training programs to include a discussion of file-sharing phishing. Often, an additional measure of user scrutiny is all that stands between the organization and a security incident.

Organizations should also adjust their security policies and controls to detect file-sharing phishing attacks that don’t come directly from trusted platforms. However, the best defense is AI-enabled security tools that can analyze user activity, email content, communications and interactions to establish a baseline of known behavior. AI-enabled tools can then detect deviations from that baseline that might indicate an attack.

Technologent’s cybersecurity team is here to help protect your organization against file-sharing phishing attacks. Contact us to schedule a confidential consultation to discuss the various tools, techniques and strategies.

Technologent
Post by Technologent
March 16, 2025
Technologent is a women-owned, WBENC-certified and global provider of edge-to-edge Information Technology solutions and services for Fortune 1000 companies. With our internationally recognized technical and sales team and well-established partnerships between the most cutting-edge technology brands, Technologent powers your business through a combination of Hybrid Infrastructure, Automation, Security and Data Management: foundational IT pillars for your business. Together with Service Provider Solutions, Financial Services, Professional Services and our people, we’re paving the way for your operations with advanced solutions that aren’t just reactive, but forward-thinking and future-proof.

Comments