Trusted Cloud Storage Attacks: How Attackers Hide Inside SharePoint, OneDrive, Google Drive, and Dropbox
Your security tools are watching for connections to suspicious servers. Attackers stopped using suspicious servers. Today, malicious command-and-control traffic runs through SharePoint, OneDrive, Google Drive, and Dropbox — the same platforms your employees use all day. The traffic looks identical to normal business activity. It passes right through. That is the core problem these attacks exploit, and it is one of the hardest detection challenges small and mid-sized businesses face right now.
- What “Living-Off-Trusted-Sites” Actually Means
- How Attackers Build Command-and-Control Infrastructure in Cloud Storage
- What CISA and Microsoft Threat Intelligence Are Saying
- Real-World Examples: When Cloud Storage Became the Attack Channel
- Who Is Most at Risk and Why Small Businesses Are a Primary Target
- Defense Posture: What a Well-Configured Environment Does Differently
- What to Ask Your IT Firm Right Now
What “Living-Off-Trusted-Sites” Actually Means
The technique behind these intrusions is called “living-off-trusted-sites” — abbreviated LoTS in threat research. It is a direct evolution of “living-off-the-land,” where attackers use tools already installed on a victim’s machine — like PowerShell or Windows Management Instrumentation — rather than dropping their own malware. LoTS applies the same logic to the network layer.
Instead of hosting payloads on attacker-owned servers that threat intelligence feeds might flag within hours, attackers upload malicious files, configuration data, and instruction sets to legitimate cloud platforms. Their implants then reach out to Google Drive or OneDrive exactly the way your browser does: over HTTPS, to a fully trusted domain, with a valid certificate.
From a network monitoring standpoint, there is often no observable difference between an employee downloading a shared document and an implant pulling its next instruction set from a folder an attacker controls. That asymmetry is the entire point of this approach.
How Attackers Build Command-and-Control Infrastructure in Cloud Storage
The mechanics are straightforward, which makes them more dangerous. Here is the sequence threat researchers have documented across multiple campaigns:
- Initial access: A phishing email or compromised account delivers the first foothold — often a document or script that installs a lightweight implant on the victim machine.
- Cloud account creation or hijacking: The attacker either registers a cloud storage account under a throwaway identity or uses one already compromised in an earlier breach.
- File-based command channel: The implant polls a specific file in that cloud account at regular intervals. The attacker updates the file with new instructions; the implant reads and executes them.
- Exfiltration over the same channel: Stolen data — credentials, documents, reconnaissance results — is uploaded back to the same cloud folder for the attacker to retrieve.
- Cleanup and persistence: All traffic flows over standard HTTPS to trusted domains. Firewall logs show nothing unusual. The attacker maintains access for weeks or months without triggering conventional alerts.
Some variants go further. Researchers have documented implants that use the cloud platform’s own API for communication, so the traffic is not just going to a trusted domain; it is made up of the same API calls that legitimate apps such as Microsoft 365 integrations or backup tools generate. Distinguishing malicious API calls from legitimate ones without behavioral analytics is extremely difficult. That precise quality is what makes this method so effective against organizations without mature detection capabilities.
What CISA and Microsoft Threat Intelligence Are Saying
This is not a theoretical attack class. Both CISA and Microsoft have published detailed reporting on threat actors actively using these techniques.
Microsoft’s threat intelligence team has tracked multiple advanced persistent threat groups using OneDrive as a command-and-control channel. In public reporting on a group Microsoft tracks as Polonium — assessed to operate out of Lebanon with ties to Iranian intelligence — Microsoft documented the use of OneDrive folders to pass instructions to implants and collect output, all over Microsoft’s own infrastructure, against targets in Israel.
Microsoft’s Security Blog has documented the same techniques used against Ukrainian organizations by state-sponsored actors, confirming that weaponizing trusted cloud storage is not an isolated tactic but a repeatable, scalable playbook.
CISA’s best practices for securing Microsoft 365 environments specifically address the risks of over-permissioned cloud accounts and the difficulty of distinguishing legitimate from malicious cloud activity without proper logging and behavioral baselines.
A CISA advisory released jointly with cybersecurity agencies across the US, UK, Canada, Australia, and New Zealand highlighted that attackers are actively exploiting trusted service relationships and cloud infrastructure to move laterally and persist in target environments. It noted explicitly that small businesses connected to larger supply chains are frequently used as stepping stones — their defenses are lighter, but their access is valuable.
The pattern holds across nation-state actors and financially motivated criminal groups alike. This class of intrusion works, scales, and is increasingly accessible to lower-sophistication attackers who can simply copy the playbook that advanced groups proved out first.
Real-World Examples: When Cloud Storage Became the Attack Channel
Several documented campaigns show how these intrusions play out in practice:
- Polonium / OneDrive (2022): Microsoft disrupted a Polonium campaign that had used OneDrive as its command-and-control backbone against more than 20 organizations. Microsoft’s response included suspending over 20 malicious OneDrive accounts — a detail that underscores how deeply embedded the attack infrastructure had become in legitimate Microsoft services.
- APT29 / Dropbox and Google Drive (Cloaked Ursa): Palo Alto Networks’ Unit 42 and other researchers documented a campaign attributed to APT29 — the Russian state group behind the SolarWinds attack — that used Dropbox and Google Drive as command-and-control channels in a 2022 campaign targeting diplomatic entities in Europe and the Americas. The group chose these platforms specifically because outbound connections to them are almost never blocked by enterprise or small business firewalls.
- Graphite malware / OneDrive (2022): Researchers at Trellix documented a campaign using a malware family called Graphite, which used Microsoft’s Graph API — the legitimate API underlying OneDrive — as its command-and-control channel. The implant authenticated to Microsoft’s own infrastructure to receive commands. Without monitoring of Graph API behavioral patterns, this traffic was invisible to most detection tools.
- BazarCall / SharePoint delivery: Multiple campaigns distributing BazarLoader and its successors used SharePoint-hosted documents as the initial payload delivery mechanism. Links to SharePoint documents pass through most email security gateways unchecked because the SharePoint domain is on every allowlist by default.
None of these campaigns were limited to large enterprises. The technique scales to any organization using these platforms — which today means virtually every business of any size.
Who Is Most at Risk and Why Small Businesses Are a Primary Target
Large enterprises run behavioral analytics, monitor cloud API activity, and correlate signals across thousands of endpoints. Small businesses almost never have that capability. Adversaries who rely on cloud storage as attack infrastructure know this gap well.
A business with 20 to 150 employees typically has a firewall blocking known-bad IP addresses and domains, an email filter scanning attachments, and an endpoint protection tool. None of those controls is designed to detect malicious use of SharePoint or Google Drive. You cannot block OneDrive without breaking Microsoft 365. An email filter cannot flag a shared document link from a legitimate SharePoint tenant. An endpoint tool may catch a known malware signature, but it will often miss a novel implant that does nothing on disk — it simply polls a cloud file every few minutes.
Small businesses are also attractive for a second reason: supply chain access. A small accounting firm, a consulting company, or a logistics vendor typically has access to the systems of several larger clients. Compromising the small business is often easier than attacking the large client directly, and it achieves the same result. CISA has published explicit warnings about this dynamic.
Organizations with remote or hybrid workforces carry additional exposure. Remote workers generate high volumes of cloud storage traffic as a matter of routine. Malicious polling of a OneDrive file from a home office laptop looks identical to normal cloud sync activity in a log.
Defense Posture: What a Well-Configured Environment Does Differently Against These Attacks
Blocking trusted cloud storage is not a viable defense. The goal is not to prevent access to SharePoint or Google Drive — it is to make malicious use of those services detectable. That requires a different layer of controls than most small businesses currently have.
A properly structured defense posture for this threat class includes several components working together:
- Behavioral endpoint monitoring: Signature-based detection is not enough here. The endpoint layer needs to monitor process behavior — specifically, which processes make outbound network connections, how frequently, and to what URLs. An endpoint agent that detects PowerShell connecting to OneDrive every four minutes via an unusual parent process has found a detectable anomaly, even if the destination is trusted.
- Cloud access monitoring and conditional access policies: For Microsoft 365 environments, enabling unified audit logging and actively reviewing it is non-negotiable. Microsoft’s own tooling can surface anomalous API call patterns — if someone is actually watching. Conditional access policies that restrict which devices and applications can authenticate to Microsoft 365 reduce the surface area for attacker-controlled implants to exploit the Graph API.
- DNS filtering with behavioral baselines: DNS filtering tools log every domain resolution on the network. Combined with baselines of normal behavior, they can surface endpoints contacting legitimate cloud storage services at unusual intervals, from unusual processes, or at unusual times of day.
- Identity protection and least-privilege access: Many of these compromises succeed because the hijacked account — or the attacker’s cloud account — has more permission than it needs. Enforcing least-privilege access, requiring multi-factor authentication on every cloud account, and monitoring for new OAuth application grants all reduce the attacker’s ability to establish and maintain a cloud-based command channel.
- Application control on endpoints: If only approved applications can make outbound connections, an attacker’s implant — even one communicating with OneDrive — has to live inside an approved application or find a way to inject into one. Application control is not foolproof, but it raises the cost of the intrusion substantially.
- Incident response planning built for cloud-native threats: If your incident response plan assumes attackers are using unknown domains and suspicious IP addresses, it will fail here. Your playbook needs scenarios where the malicious traffic is indistinguishable from normal business activity.
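The polling pattern from the attack sequence above, and the interval-and-parent-process check that the behavioral endpoint monitoring and DNS baseline bullets call for, as an added Python example that is not part of the original post. The log format, the hostnames, and the allowlist of expected sync clients are assumptions, and the sample log lines are constructed. It generalizes the "every four minutes" case to any near-constant interval by scoring jitter as the coefficient of variation of the inter-arrival times.

```python
# Added example (Python), not code from the post: flag near-constant polling of cloud storage
# hosts by unexpected process/parent pairs. Log format, hosts and allowlist are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CLOUD_HOSTS = ("sharepoint.com", "onedrive.com", "graph.microsoft.com",
               "drive.google.com", "googleapis.com", "dropbox.com", "dropboxapi.com")
# Assumed process/parent pairs that legitimately sync to cloud storage on this fleet.
EXPECTED_SYNC = {("OneDrive.exe", "explorer.exe")}

LOG_LINES = [  # constructed sample: "timestamp,process,parent,destination host"
    "2024-03-04T08:00:00,OneDrive.exe,explorer.exe,graph.microsoft.com",
    "2024-03-04T08:00:07,OneDrive.exe,explorer.exe,graph.microsoft.com",
    "2024-03-04T08:01:00,chrome.exe,explorer.exe,drive.google.com",  # a person browsing:
    "2024-03-04T08:01:04,chrome.exe,explorer.exe,drive.google.com",  # irregular gaps
    "2024-03-04T08:06:40,chrome.exe,explorer.exe,drive.google.com",
    "2024-03-04T08:07:02,chrome.exe,explorer.exe,drive.google.com",
    "2024-03-04T08:19:55,chrome.exe,explorer.exe,drive.google.com",
    "2024-03-04T08:00:30,powershell.exe,wscript.exe,api.onedrive.com",  # ~4 min cadence
    "2024-03-04T08:04:32,powershell.exe,wscript.exe,api.onedrive.com",
    "2024-03-04T08:08:29,powershell.exe,wscript.exe,api.onedrive.com",
    "2024-03-04T08:12:31,powershell.exe,wscript.exe,api.onedrive.com",
    "2024-03-04T08:16:30,powershell.exe,wscript.exe,api.onedrive.com",
    "2024-03-04T08:20:33,powershell.exe,wscript.exe,api.onedrive.com",
]

def is_cloud_storage(host):
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)

def find_beacons(lines, min_events=5, max_cv=0.15):
    # Group timestamps by (process, parent, host): the trusted host alone is no signal.
    series = defaultdict(list)
    for line in lines:
        ts, proc, parent, host = line.strip().split(",")
        if is_cloud_storage(host):
            series[(proc, parent, host)].append(datetime.fromisoformat(ts))
    findings = []
    for (proc, parent, host), times in series.items():
        if (proc, parent) in EXPECTED_SYNC or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # jitter: coefficient of variation
        if cv <= max_cv:  # near-constant interval = machine-driven polling
            findings.append({"process": proc, "parent": parent, "host": host,
                             "events": len(times), "mean_interval_s": round(avg),
                             "jitter_cv": round(cv, 3)})
    return findings
```

A legitimate sync client also polls on a schedule, which is why the allowlist of expected process/parent pairs, not the destination, is what keeps this rule from paging on every OneDrive.exe.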
The organizations that detect these intrusions early share one common characteristic: they treat the absence of alerts as something to verify, not something to trust. No alerts does not mean no threat. It may simply mean the right questions are not being asked of the right data.
For more on how a structured approach to these controls applies in practice, see our overview of cybersecurity services for small and mid-sized businesses. You may also find value in reviewing our managed IT services to understand how ongoing monitoring fits into a complete security posture.
What to Ask Your IT Firm Right Now About Cloud Storage Security
If you work with an IT provider and want to know whether your environment is prepared, these questions will surface the answers quickly:
- “Are you monitoring which processes on our endpoints make outbound connections to cloud storage platforms like OneDrive, SharePoint, and Google Drive? What would alert you if a non-standard process started polling one of those services on a regular schedule?”
- “Is unified audit logging enabled in our Microsoft 365 tenant? Who reviews those logs, how often, and what specifically are they looking for?”
- “What multi-factor authentication policies are in place for every cloud account we use — including service accounts and shared accounts?”
- “Do we have application control or process-level outbound filtering on endpoints? If malware tried to communicate with OneDrive as part of a cloud-based intrusion, what would stop it or alert on it?”
- “Has our incident response plan been updated to address scenarios where the attacker is using legitimate platforms as infrastructure? What does detection and response look like for that specific scenario?”
- “Are we monitoring for new OAuth application grants in our Microsoft 365 or Google Workspace environment? A malicious app granted permission to read files or send email is one of the most common ways attackers maintain persistent access — and it often goes unnoticed for months.”
A competent IT firm should answer every one of these questions specifically and directly. Vague reassurances about “monitoring” without specifics on what is being monitored, at what fidelity, and by whom are not answers — they are gaps with better packaging. Firms that cannot answer these questions concretely tend to be the ones whose clients find out about a breach long after it happened.
This category of attack is instructive precisely because it does not require exotic attacker tools or zero-day exploits. It requires only that your environment cannot distinguish good cloud traffic from bad — a condition that describes the majority of small business networks today.
The organizations that close that gap are not necessarily the ones with the largest security budgets. They are the ones that have demanded specificity, logging, and accountability from the people managing their infrastructure, and that have built environments designed to surface anomalies rather than simply block known-bad indicators.
If you want a direct conversation about where your environment stands, Book a Free Cybersecurity Strategy Call. It is 20 minutes with our team — no obligation, no pressure, just answers.
Frustrated With Your Current IT Provider?
If your current MSP isn’t catching the things this post describes, that’s a signal worth acting on. Book a strategy call and we’ll walk through what an honest IT partnership looks like for a business your size.