A report has provided a glimpse of how widely Google Drive is exploited by attackers to spread malware. The report states that, in 2021, around 50% of malicious office documents were delivered using Google Drive.

The abuse of legitimate hosting platforms

The data is based on Netskope’s report and covers different office documents such as Office 365, Google Docs, and PDFs, among others. It further suggests that 37% of all malware downloads are malicious office documents.
  • Until 2020, Microsoft OneDrive was the major source of malicious office documents, with a 34% share of all malicious document downloads.
  • However, that changed in 2021 with Google Drive taking over OneDrive. Microsoft OneDrive has the second-highest share at 19%.
  • Sharepoint is in the third position from where 15% of victims downloaded malicious office documents. This was followed by Gmail and Box at 4% and 3%, respectively, while the rest apps combinedly stood at 9%.

The most common method of propagation

Cloud services continue to witness huge number of sign-ups as more and more businesses nowadays operate from there.
  • Cybercriminals create free accounts on cloud apps hosting services, upload malicious files and share them publicly or with selected individuals. 
  • Then, they wait until some unsuspecting users open up the file and infect their device with enclosed malware.

Additional insights

The report provides several statistics showing how the trend of using malicious documents has changed in the past two years.
  • In the beginning of 2021, malicious document downloads were observed at 43%. 
  • The number of malicious doc declined by 1% in the next quarter. In Q3 2021, it was at 35%.
  • But, the share of malicious office documents again increased to 37% in Q4 2021.


The use of legitimate platforms from Microsoft and Google has become very popular among cybercriminals. Thus, users who have a habit of downloading or receiving documents from unknown sources or emails should stay alert. Additionally, organizations must secure their cloud apps with user authentication and threat monitoring tools.

Cyware Publisher