50% of malicious office documents were downloaded via Google Drive in 2021
Cybercriminals take advantage of legitimate companies' applications to carry out attacks. Widely used Google and Microsoft products often become attacker tools for spreading malware because their large user bases and trusted services make people more likely to fall for attackers' tricks.
According to the data presented by the Atlas VPN team, 50% of the malicious office documents that users downloaded in 2021 came from Google Drive. Furthermore, malicious office documents made up 37% of all malware downloads.
The data is based on Netskope Threat Lab Cloud and Threat report, January 2022 Edition. The research covers various office documents from all platforms such as Microsoft Office 365, Google Docs, PDFs, etc.
Google Drive took the top spot from Microsoft OneDrive, which led the apps used for malicious office document downloads in 2020 with 34%. Google Drive recently added a banner warning users of possibly malicious files to deter people from downloading suspicious documents.
Microsoft OneDrive accounted for 19% of malicious office document downloads. For years, attackers have abused OneDrive by creating accounts specifically for hosting malware or by hijacking accounts from legitimate users.
Another Microsoft product, SharePoint, ranks third, as victims used the application to download 15% of malicious office documents. SharePoint is infamous for its exploitable vulnerabilities, which cybercriminals have used to carry out malware, ransomware, and phishing campaigns.
Google's Gmail service accounted for 4% of malicious office document downloads. At the same time, Box was responsible for 3% of office documents carrying malware. The remaining 9% came from 198 other applications that cybercriminals used to spread malware through office documents.
Office documents used to spread malware
Cybercriminals deliver malicious office documents via cloud apps in a relatively straightforward manner. First, they create their free accounts, upload malicious files and share them publicly or with specific victims. Then the attacker just needs to wait until someone opens up the file and infects their device with malware.
In the first quarter of 2020, the percentage of malicious office documents out of all downloaded malware was 19%. However, in Q2 2020, the number jumped significantly to 46%. Such growth could be attributed to the Emotet malware spam campaign that delivered malware via weaponized office documents hosted in Box.
In Q3 and Q4 2020, the share of office documents among malware downloads declined to 36% and 29%, respectively. Another significant malware burst happened at the start of 2021, when malicious document downloads reached 43%. The percentage declined by 1% in the following quarter.
After a slight dip to 35% in Q3 2021, the percentage of malicious office documents settled at 37% in Q4 2021. Emotet's success led other cybercriminals to distribute malicious files with similar techniques. The simplicity and effectiveness of such attacks caused office documents to account for more than one-third of all malware downloads.
Cybercriminals abuse cloud applications for personal gain because such services have been gaining more users in recent times. Attackers can spread malware and steal data by targeting unsuspecting users with malicious documents. Securing your cloud apps with user authentication and threat monitoring tools will help mitigate malware attacks.