The systematic abuse of legitimate cloud applications has become a constant in the cybercriminal ecosystem. Throughout 2024, attackers continuously adapted their tactics, techniques and procedures, relentlessly seeking new ways to bypass security defenses.
This evolution reflects both their shifting strategies and the changing threat landscape – a trend expected to persist into 2025.
One of the most surprising findings from the Netskope Cloud and Threat Report 2025 was that throughout 2024 GitHub surpassed Microsoft OneDrive as the most exploited cloud application for delivering malicious content.
In 2023, this unwanted title was held by Microsoft's popular cloud storage service, which accounted for nearly a quarter of all malicious downloads. It was followed by another Microsoft service, SharePoint, at 11%, while GitHub – also owned by Microsoft – ranked third with 10%.

The Rise of GitHub Exploits
Throughout 2024, the landscape shifted dramatically: GitHub surged to the top of the most abused cloud services with 15%, overtaking Microsoft OneDrive, which fell to second place at 10%, followed by Google Drive at 6.7%. Meanwhile, SharePoint dropped out of the top five most abused cloud services altogether.
On one hand, the lower percentages reinforce a trend first observed in 2023 – greater diversification and fragmentation in the cloud services exploited by attackers. By spreading their malicious infrastructure across multiple legitimate applications, threat actors add extra layers of evasion, making detection and defense more challenging.
On the other hand, GitHub's rise reflects both its appeal from an attacker's perspective and the increasing prevalence of supply chain attacks. The platform’s flexibility makes it ideal for embedding malware into rogue projects disguised as legitimate packages or using typosquatting to deceive victims.
This tactic, now commonly employed by both opportunistic and state-sponsored threat actors, exploits the implicit trust placed in a service widely used for professional purposes.

Cloud Applications Are the Top Targets
Microsoft's position as the most exploited service aligns with another key finding in the report: in 2024, cloud services were the primary target of phishing campaigns, accounting for over 27% of clicks.
Among these, Microsoft was the most targeted brand, with attackers constantly seeking Live and 365 credentials.
Microsoft credentials are particularly valuable to a specific class of cybercriminals known as initial access brokers, who sell compromised accounts on illicit marketplaces. Other criminals can then monetize these accounts in multiple ways.
A legitimate Microsoft 365 or Google Workspace account, for example, can be used to conduct Business Email Compromise scams, to send phishing links that are more likely to bypass email security filters because they come from a trusted source, or to host malicious payloads. This explains why OneDrive and Google Drive consistently rank among the top applications for malware downloads.
Cloud services are also commonly exploited for command-and-control operations and data exfiltration, a role that becomes even easier when the service, like Microsoft OneDrive, offers APIs.
In general, the availability of APIs makes a cloud service particularly attractive for such purposes. It is no coincidence that a growing number of campaigns now leverage services like Telegram and Discord to receive attacker commands and/or exfiltrate victim data.

Reducing the Risks Posed by Exploited Cloud Services
According to Netskope Threat Labs, the average enterprise user interacts with approximately 20 cloud applications each month, while in the healthcare sector the top 1% of enterprise users reach an astonishing 94 apps per month, the highest among all industries.
This widespread and often uncontrolled adoption of cloud services within organizations explains why attackers are constantly targeting new applications, posing a significant risk to enterprises.
To mitigate the risk of malicious content being delivered through legitimate cloud services, organizations should block access to apps that do not serve a legitimate business purpose and enforce granular conditional access policies.
For example, restricting uploads and downloads for personal apps or third-party instances of enterprise-approved applications can help prevent data exfiltration.
Additionally, all HTTP and HTTPS traffic should be inspected for malicious content, even if some cloud service providers discourage TLS decryption for their traffic. This step is essential, as it enables the detection of threats originating from compromised instances or instances deliberately created by attackers.
Finally, user education plays a crucial role in strengthening security. Enforcing real-time user coaching is a simple yet effective way to remind employees of security policies while simultaneously reducing the attack surface.
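The controls recommended in this section, sketched as an added example that is not taken from the Netskope report or from any product: an instance-aware policy that blocks apps with no business purpose, blocks file transfers on personal or third-party instances of approved apps, coaches users on unreviewed apps, and keeps content inspection on for everything it allows. The log format and every app, instance and user name are constructed assumptions.

```python
# Added example: instance-aware cloud app policy over constructed proxy events.
# All names, instances and the key=value log format are hypothetical.
CORPORATE_INSTANCES = {            # approved app -> instances owned by the org
    "onedrive": {"contoso-corp"},
    "github": {"contoso-eng"},
    "googledrive": {"contoso-corp"},
}
NO_BUSINESS_PURPOSE = {"discord", "telegram"}   # assumption for this sample org
TRANSFER = {"upload", "download"}
REQUIRED = {"user", "app", "instance", "activity"}

SAMPLE_LOG = """\
user=alice app=github instance=contoso-eng activity=download
user=bob app=github instance=free-tools-2024 activity=download
user=bob app=github instance=free-tools-2024 activity=browse
user=carol app=onedrive instance=personal activity=upload
user=dave app=discord instance=- activity=upload
user=erin app=notes-share instance=- activity=browse
"""

def parse(line):
    """Turn 'k=v k=v ...' into a dict; raise ValueError on a malformed record."""
    event = dict(field.split("=", 1) for field in line.split())
    missing = REQUIRED - event.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return event

def decide(event):
    """Return (action, reason) for one event; rule order matters."""
    app, instance = event["app"].lower(), event["instance"]
    if app in NO_BUSINESS_PURPOSE:
        return "block", "app has no business purpose"
    if app not in CORPORATE_INSTANCES:
        return "coach", "unreviewed app: show policy reminder"
    if instance in CORPORATE_INSTANCES[app]:
        return "allow+inspect", "corporate instance, content still scanned"
    if event["activity"] in TRANSFER:
        return "block", "file transfer on personal or third-party instance"
    return "allow+inspect", "read-only use of non-corporate instance"

def evaluate(log_text):
    """Apply the policy to every non-empty line of a log."""
    events = (parse(line) for line in log_text.splitlines() if line.strip())
    return [(e["user"], e["activity"], *decide(e)) for e in events]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(*row, sep=" | ")
```

The second and third events show why the decision keys on the instance rather than the app name: the same approved application is allowed for the corporate organisation and denied file transfers for an unknown one.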

Protecting Cloud Services Going Forward
As cloud adoption continues to accelerate, so too does its exploitation by cybercriminals. The findings from 2024 highlight a clear trend: attackers are diversifying their tactics, shifting to new platforms like GitHub while maintaining their focus on high-value targets such as Microsoft services.
This evolving landscape underscores the need for organizations to remain vigilant, proactively implementing security controls to reduce their exposure to cloud-based threats. By enforcing strict access policies, inspecting encrypted traffic, and prioritizing user education, enterprises can strengthen their defenses against an increasingly sophisticated and adaptable adversary.
Looking ahead to the rest of 2025, a proactive and layered security approach will be crucial in mitigating the risks posed by the continued abuse of cloud services.

Cloud Security at Infosecurity Europe 2025
Cloud security will be a major focus at this year’s Infosecurity Europe event, both across the talks on stage and across the exhibition floor.
On Day 1, Tuesday June 3, at 15.15, Kaduri will deliver a talk on the Keynote Stage titled ‘The Infosec Big Fat Annual Cloud Security Update’.
In this presentation, she will set out the biggest cloud threats to look out for in the coming year, what we can learn from the latest novel threats and how to update security practices for the year ahead.
Netskope will be exhibiting at the event, and you can catch them on Stand D20 on the show floor.
The 2025 event will celebrate the 30th anniversary of Infosecurity Europe.