
Netskope reported Jan. 10 that more than 400 distinct cloud applications delivered malware in 2022 — nearly triple the amount seen the year before.

The researchers also found that 30% of all cloud malware downloads in 2022 originated from Microsoft OneDrive.

"Attackers are increasingly abusing business-critical cloud apps to deliver malware by bypassing inadequate security controls," said Ray Canzanese, threat research director at Netskope Threat Labs. "That’s why it’s imperative more organizations inspect all HTTP and HTTPS traffic, including traffic for popular cloud apps, both company and personal instances, for malicious content."

Mike Parkin, senior technical engineer at Vulcan Cyber, explained that threat actors switch tactics all the time, depending on what they find most effective and what defenses are easiest to get around. Parkin said the attackers' shift to cloud storage (such as Microsoft OneDrive) isn't a surprise, because its use for day-to-day operations has been rising for a while.

“Users are used to grabbing files from shared storage and there are fewer controls there than would be found on a more conventional website,” Parkin said. “The challenge for organizations that use cloud storage like this is to have the right tools in place to identify and eradicate infected files that are stored in their space or accessed by their users. That's separate from assuring their own applications are secure and pointing to safe files for their users and customers to access.”

Turning to SaaS applications has been a natural evolution given the notable surge in the adoption and utilization of these apps to drive the business, said Corey O’Connor, director of products at DoControl. O’Connor said content and collaboration applications such as Microsoft OneDrive and SharePoint, Box, Dropbox, and Google Drive are leveraged by organizations of all sizes and types, and now security teams should consider them a Tier 0 application.

“Trying to interject security controls that scale in line with SaaS utilization is difficult and requires automation — both in terms of preventative controls and detective mechanisms,” O’Connor said. “Security teams need to remediate access to malicious files to prevent becoming the next victim to a ransomware attack or a significant data breach. Being able to continuously monitor new files being uploaded to your SaaS applications — for previously discovered malicious indicators — and to quickly alert security teams as well as quarantine and remediate access to threats has become table stakes.” 
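The monitoring O’Connor describes, checking newly uploaded files against previously discovered malicious indicators and then alerting and quarantining, can be sketched in a few dozen lines. The following is an added example written for this article, not code from Netskope, DoControl or any vendor quoted here: it hashes each file in an upload directory, compares the SHA-256 against a list of known-bad hashes, moves matches into a quarantine directory so users lose access, and returns alert records for the security team. The indicator list, the sample files, the directory layout and the function names are all constructed assumptions for the example.

```python
"""
Added example (not part of the original article): a minimal upload-scanning
pipeline of the kind described in the quoted text. Each newly uploaded file is
hashed, the SHA-256 is checked against previously discovered malicious
indicators, matches are moved to a quarantine directory and an alert record is
returned for the security team. Indicator list, sample files and directory
names below are constructed for the example.
"""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Alert:
    app: str             # SaaS application the file arrived from (e.g. OneDrive)
    path: str            # original location of the file before quarantine
    sha256: str          # indicator that matched
    quarantined_to: str  # where the file was moved


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_uploads(app: str, upload_dir: Path, quarantine_dir: Path,
                 known_bad: set[str]) -> list[Alert]:
    """Hash every file in upload_dir; quarantine and alert on known-bad hashes.

    Files whose hash is not in known_bad are left untouched. Matches are moved
    (not copied) so the original share no longer serves the file to users.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    alerts: list[Alert] = []
    for path in sorted(p for p in upload_dir.iterdir() if p.is_file()):
        digest = sha256_of(path)
        if digest not in known_bad:
            continue
        # Name the quarantined copy by hash so analysts can correlate it with
        # the indicator that fired, and so duplicate uploads collapse together.
        dest = quarantine_dir / f"{digest}.quarantined"
        shutil.move(str(path), str(dest))
        alerts.append(Alert(app=app, path=str(path), sha256=digest,
                            quarantined_to=str(dest)))
    return alerts


def demo() -> list[Alert]:
    """Build a constructed upload folder with one benign and one known-bad file."""
    base = Path(tempfile.mkdtemp())
    uploads = base / "onedrive_uploads"          # assumed sync location
    uploads.mkdir()
    (uploads / "q4_report.docx").write_bytes(b"benign document contents")
    (uploads / "invoice.exe").write_bytes(b"constructed bad sample")
    # Constructed indicator list: in practice this comes from prior incidents
    # or a threat-intelligence feed.
    known_bad = {hashlib.sha256(b"constructed bad sample").hexdigest()}
    return scan_uploads("OneDrive", uploads, base / "quarantine", known_bad)


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert.app}] quarantined {alert.path} -> {alert.quarantined_to} "
              f"(sha256 {alert.sha256[:12]}...)")
```

Running the script prints one alert for the constructed `invoice.exe` and leaves `q4_report.docx` in place. Hash matching only catches indicators already seen, which is exactly the scope the quote describes; a production pipeline would run this on every upload event rather than a one-off directory walk, and would feed the alerts into the team's ticketing or SIEM.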

Chris Doman, co-founder and CTO of Cado Security, pointed out that SaaS applications are commonly used to host malware because they are free and easy for attackers to set up, and normally allowed through organizations' firewalls. 

“Hosting from providers such as Microsoft OneDrive is a well-known problem that companies face every day,” Doman said. “Organizations need to know their cloud topology and implement a defense-in-depth strategy, including detection and investigation to quickly identify threats and stop them from spreading further.”