As organizations worldwide are adopting cloud collaboration tools in record numbers threat actors are abusing Microsoft and Google’s popular infrastructure to host and send threats across Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage, according to Proofpoint.
Last year, 59,809,708 malicious messages from Microsoft Office 365 targeted thousands of Proofpoint customers. And more than 90 million malicious messages were sent or hosted by Google, with 27% sent through Gmail, the world’s most popular email platform. In Q1 2021, Proofpoint observed seven million malicious messages from Microsoft Office 365 and 45 million malicious messages from Google infrastructure, which far exceed per quarter Google-based attacks in 2020.
The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders, Proofpoint said.
This authenticity perception is essential, as email recently regained its status as the top vector for ransomware and threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials, and siphon funds.
Given the level of access that can be granted from a single account, over the last year threat actors targeted 95% of organizations with cloud account compromise attempts, and more than half have experienced at least one compromise. Of those compromised, over 30% experienced post-access activity including file manipulation, email forwarding, and OAuth activity. If stolen, threat actors can leverage credentials to log into systems as imposters, move laterally across multiple cloud services and hybrid environments, and send convincing emails cloaked as a real employee, orchestrating potential financial and data loss.
Ryan Kalember, EVP, Cybersecurity Strategy, says, “Our research clearly demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people as they leverage popular cloud collaboration tools. When coupled with heightened ransomware, supply chain, and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.