Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Same Tricks, Different Methods – Phishing Via SaaS!

Oz Wasserman
May 10, 2023
4 min read

For many years, phishing has been one of the top attack vectors on the security team’s mind. According to APWG, the second quarter of 2022 alone had 1,097,811 total phishing attacks observed, a new record and the worst quarter for phishing that APWG has ever seen. As attacks grow in number, so does their sophistication. Adversaries are crafting better messages, going through deeper investigations to craft more targeted attacks, and using phishing kits to spread these attacks across organizations. It would appear fraudsters and cybercriminals behind the various tactics to fool and deceive never rest and now are looking to exploit SaaS based tools.  Reco and its customers have observed a new phishing method that goes beyond email and goes directly into SaaS collaboration tools, finding new and crafty ways to evade traditional phishing solutions.

As is common, most phishing attacks are delivered through email. This is because cyber criminals know this has been the main communication medium for companies to transfer information in and out of the organizations for decades. Because of that, most vendors that detect phishing attacks focus on email while using techniques such as URL and attachment scanning to try and find malicious attachments or links. Some vendors might also look at behavioral patterns on the sender and recipients of the email in order to try and see whether communication patterns via email are normal or abnormal. However, the phishing technique we are now observing within  Reco’s platform and verified by customers is going beyond email and instead goes straight through SaaS collaboration tools.

File sharing applications such as Onedrive, Google drive and Box allow for sharing within their tools, easily opening up the possibility for a total stranger to the organization to share a file with an employee. The way this new phishing scheme works is as follow:

  • Someone outside of the organization creates a file in one of the file sharing applications, makes it look as legitimate as possible for the targeted sender
  • Within the file sharing application, the person clicks share and choses the individual they want to target
  • The file sharing platform allows for a comment to ensure the person can personalize the information sent so it looks even more legitimate
  • Once the external person sends the file, the recipient from the organization targeted receives the file with the comment from the external user
  • When the recipient opens the file, the link to the phishing page can be embedded waiting to be clicked on or the malware is directly embedded via macro code

What is interesting about this method, is that it can get into the organization in various ways, depending on the settings of the organization’s file sharing tools. First, these file sharing services are at times sending automatic emails to employees letting them know that a file was shared with them, while including the personalized sharing message in the email. The From address of the email for Gmail users is actually making it look like a legitimate email address.

In addition to that, at some organizations we currently work with, there are Slack integrations with these file sharing tools, and every single time a file is shared via google drive, the user that the file is shared with receives a notification with the personalized message and the file itself. When the notification comes through within Slack, the instant messaging nature creates the notion that communication there is trusted and legit and thus users be even more likely to open the file.

We decided to try this form of phishing out for ourselves and leveraged the pattern of communication used by most organizations today to see what it looks like. We mimicked the communication between an external person with a private gmail account to our head of product marketing at Reco. You can see in this example that the file is being communicated as a marketing communication budget plan, and that the external user wrote a personalized message to direct the recipient to go into the link within the file and open other marketing budget plans, where the external user can apply the phishing technique with a fake login page. It is definitely worth mentioning that at times, even just opening the file can execute a macro function on the excel spreadsheet and install malware on the victim’s computer, all while evading traditional security tools and using the file sharing legit communication patterns to gain credibility with the victim.

The email that was received after the file was shared with the employee at Reco, pay attention to the from address ( and the personalized message that was sent via the file sharing platform.

The notification received via Slack when the private gmail address shared the file with our employee at Reco.

The file sent to Reco with the phishing link in it (see the reference to in the picture) .

As mentioned this type of activity is also being seen first hand by some of our customers; “We see an increase in attempts to phish our employees, while using new and interesting techniques through Google docs” says Xin Chen from the security team at Homelight. “We at Homelight have a Slack integration with our Google drive to enhance collaboration between teams, but in this case it notifies the user about the file shared and increases the risk of our employees opening these files from external attackers. We are happy to have a tool like Reco to help us address this issue”

At Reco, we built a data security detection engine with advanced analytics that allows us to quickly surface abnormal events that are happening with files that are shared in and out of the organization. Leveraging our contextual graph, we are able to see who has shared which files with the recipient before, and clearly see that the user outside of the organization that uses a private gmail account is not one of them. As a result, Reco will raise a high risk level finding and provides the security team with a remediation workflow based on their needs: either restrict the access to the file from anyone in the organization, or even allowing the security team to gain access to this file to look at its legitimacy once its shared from a never seen external email address.

In the example below, you can see the document shared with our head of product marketing (IC-Marketing-Communication-Budget-Plan-11037.xlsx), including who shared it, when was it shared, and whether the user is authenticated by Google. At Reco, we take the information from Google and correlate it within our contextual graph to see whether we have seen that user before, and how frequent is he communicating with the organization.

The raw information of files shared with our head of product marketing.

In order for your organization to protect their data and secure themselves from such phishing attacks, we suggest implementing a solution like Reco to help prevent SaaS data attacks from happening and to also have settings in place to reduce risk

  • First, ensure admins configure warning messages on external users via Gmail (or use this link if you are using Microsoft 365). This will alert users to treat any external information sharing with caution
  • Ensure you can detect and remediate file sharing attempts, even if they come directly from the file sharing tools themselves

Contact us to learn how a SaaS security solution can help you defend against malicious file sharing.


Oz Wasserman

Technical Review by:
Gal Nakash
Technical Review by:
Oz Wasserman

Table of Contents
Get the Latest SaaS Security Insights
Subscribe to receive weekly updates, the latest attacks, and new trends in SaaS Security
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.