Netskope Threat Research: Malware-Delivering Cloud Apps Nearly Tripled in 2022

401 distinct cloud apps shown to deliver malware; Microsoft OneDrive delivered 30% of all cloud malware downloads

SANTA CLARA, Calif. – January 10, 2023 – Netskope, a leader in Secure Access Service Edge (SASE), today unveiled new research showing that over 400 distinct cloud applications delivered malware in 2022, nearly triple the amount seen in the prior year. Netskope researchers also found that 30% of all cloud malware downloads in 2022 originated from Microsoft OneDrive.

Cloud apps are widely used by businesses, a fact not lost on attackers, which view these apps as an ideal home for hosting malware and causing harm. The Cloud & Threat Report from Netskope Threat Labs examines how these cloud security trends are shifting and advises organizations on how to improve their security posture based on those shifts.

“Attackers are increasingly abusing business-critical cloud apps to deliver malware by bypassing inadequate security controls,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. “That is why it is imperative that more organizations inspect all HTTP and HTTPS traffic, including traffic for popular cloud apps, both company and personal instances, for malicious content.”

Rise in Uploads to Cloud Apps Means Rise in Malware-Delivered Downloads

The most significant change in cloud application use in 2022, compared to 2021, was the marked increase in the percentage of users uploading content to the cloud. According to Netskope data, over 25% of users worldwide uploaded documents daily to Microsoft OneDrive, while 7% did so for Google Gmail and 5% for Microsoft Sharepoint. The drastic increase in active cloud users across a record number of cloud applications led to a sizable increase in cloud malware downloads in 2022 from 2021, after remaining close to flat in 2021 compared to 2020.

The correlation between uploads and downloads among the most popular apps is no coincidence. Nearly a third of all cloud malware downloads originated from Microsoft OneDrive, with Weebly and GitHub coming in the next closest among cloud apps at 8.6% and 7.6%, respectively.

Cloud-Delivered Malware Is Increasingly More Prevalent Than Web-Delivered Malware

Industries have increased their reliance on cloud applications and cloud infrastructure to support business operations over the last several years—a trend further accelerated by the COVID-19 pandemic and a worldwide shift toward hybrid work. As a result, cloud-delivered malware is now responsible for a much higher percentage of all malware delivery than ever before, especially in certain geographic regions and industries.

In 2022, several geographic regions saw significant increases in the overall percentage of cloud vs. web-delivered malware compared to 2021, including:

• Australia (50% in 2022 compared to 40% in 2021)
• Europe (42% in 2022 compared to 31% in 2021)
• Africa (42% in 2022 compared to 35% in 2021)
• Asia (45% in 2022 compared to 39% in 2021)

In certain industries, cloud-delivered malware also became more predominant globally, especially:

• Telecom (81% in 2022 compared to 59% in 2021)
• Manufacturing (36% in 2022 compared to 17% in 2021)
• Retail (57% in 2022 compared to 47% in 2021)
• Healthcare (54% in 2022 compared to 39% in 2021)

Cyber Preparedness: The Remote Workforce is Here to Stay

Companies have made considerable adjustments to enable remote and hybrid workplaces to flourish. While some industries sought to bring employees back to the office on a more frequent basis in 2022, remote work options appear to remain largely in place. According to Netskope data, user dispersion—the ratio of the number of users on the Netskope platform to the number of network locations from which those users’ traffic originates—is 66%, the same percentage it was at the start of the pandemic over two years ago.

Remote and hybrid work dynamics continue to pose multiple cybersecurity challenges, including how to securely provide users access to the company resources they need to do their jobs and how to scalably and securely provide users access to the internet.

Netskope recommends organizations take the following actions to avoid increased risk of security incidents stemming from cloud- and web-delivered malware:

• Enforce granular policy controls to limit data flow, including flow to and from apps, between company and personal instances, among users, to and from the web, adapting the policies based on device, location, and risk.
• Deploy multi-layered, inline threat protection for all cloud and web traffic to block inbound malware and outbound malware communications.
• Enable multi-factor authentication for unmanaged enterprise apps.

Get the full Netskope Cloud and Threat Report: 2022 Year in Review here.

For more information on cloud-enabled threats and our latest findings from Netskope Threat Labs, visit Netskope’s Threat Research Hub.

Über Netskope

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.