Cyberattacks on Cloud Collaboration Tools See Major Surge

The COVID-19 pandemic and the resulting government-mandated home quarantine have pushed many organizations to adopt cloud collaboration tools to accommodate employees working from home.

With this surge in adoption, cyberattacks on cloud collaboration tools have also seen a major increase.

What Is a Cloud Collaboration Tool?

Microsoft’s Office 365 is an example of a cloud collaboration tool. Office 365 allows users working in different geographical locations to work as a team, sharing files and attending meetings via chat or via videoconferencing.

Slack is another example of a cloud collaboration tool. In addition to file sharing, Slack lets users hold conversations within groups or with specific members of a group.

Cloud Collaboration Tools Adoption

Cloud collaboration tools such as Office 365 and Slack have been around for years. The COVID-19 pandemic has hastened the adoption process of these cloud collaboration tools.

In the “Cloud Adoption and Risk Report: Work from Home Edition”, McAfee reported that cloud adoption, particularly the use of cloud collaboration tools, surged in the first four months of this year, from January to April. Based on data from more than 30 million McAfee software users, the report highlighted that across all industries, overall cloud adoption increased by 50% from January to April 2020. Adoption of cloud collaboration tools jumped as well, the report showed, with Cisco Webex leading the way with a 600% increase, followed by Zoom (+350%), Microsoft Teams (+300%), and Slack (+200%).

Cyberattacks on Cloud Collaboration Tools

McAfee’s “Cloud Adoption and Risk Report: Work from Home Edition” revealed that external actors carried out most of the cyberattacks on cloud services, mostly against collaboration tools, in the period from January to April 2020.

The report found that the number of cyberattacks from external actors alone targeting cloud services increased by 630%, affecting mostly collaboration tools. The McAfee report showed that the transportation and logistics industry experienced the highest increase of cloud cyberattacks (from combined internal and external actors) with a 1,350% increase, followed by education (+1,114%), government (+773%), manufacturing (+679%), financial services (+571%), and energy and utilities (+472%).

McAfee grouped these external attacks into two categories: excessive usage from anomalous location and suspicious superhuman. Excessive usage from anomalous location refers to a login attempt from a location that hasn’t previously been detected, coupled with high-volume access and/or privileged access activity.

Suspicious superhuman, meanwhile, refers to login attempts from more than one geographical location between which travel is impossible within the given timeframe. As an example, the report cited a login attempt on Office 365 in Singapore followed, five minutes later, by a login attempt by the same user on a Slack account in the U.S.
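The “suspicious superhuman” check can be expressed as a speed test between consecutive logins of the same user across services. The following is an added example, not code from McAfee or the original article; the event fields, the 1,000 km/h ceiling, the 100 km noise floor and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 1000.0  # assumed ceiling: roughly airliner cruising speed

@dataclass
class Login:
    user: str
    service: str
    when: datetime
    lat: float   # geo-IP latitude of the source address
    lon: float   # geo-IP longitude of the source address

def km_between(a, b):
    """Great-circle (haversine) distance in km between two logins."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (previous, current, km) for consecutive logins of one user,
    across all services, that imply a travel speed above max_kmh."""
    alerts, last = [], {}
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            km = km_between(prev, ev)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Skip short distances: geo-IP jitter inside one metro area (assumed 100 km)
            if km > 100 and (hours == 0 or km / hours > max_kmh):
                alerts.append((prev, ev, round(km)))
        last[ev.user] = ev
    return alerts

# Constructed sample events (not real log data)
SAMPLE = [
    Login("alice", "office365", datetime(2020, 4, 1, 9, 0), 1.35, 103.82),   # Singapore
    Login("alice", "slack",     datetime(2020, 4, 1, 9, 5), 40.71, -74.01),  # New York
    Login("bob",   "office365", datetime(2020, 4, 1, 9, 0), 43.65, -79.38),  # Toronto
    Login("bob",   "slack",     datetime(2020, 4, 1, 17, 0), 51.51, -0.13),  # London, 8 h later
]

if __name__ == "__main__":
    for prev, cur, km in impossible_travel(SAMPLE):
        print(f"{cur.user}: {prev.service} -> {cur.service}, "
              f"{km} km in {cur.when - prev.when}")
```

Only the Singapore-to-U.S. pair is flagged; the Toronto-to-London pair eight hours apart is a plausible flight and passes. Corporate VPN egress points and mobile carriers distort geo-IP locations, so a production rule usually needs an allowlist for them.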

Many of the cyberattacks on cloud collaboration tools, McAfee said, were conducted via “spraying” attacks – a type of cyberattack that targets accounts protected only by single-factor authentication, that is, protected only by a username and password combination.

In spraying attacks, attackers use trial and error to guess the correct username and password combination. Spraying attacks rely on users’ habit of reusing usernames and passwords across multiple online accounts, including cloud collaboration accounts.

A study conducted by TeleSign showed that 73% of online accounts use duplicate passwords. Databases of billions of past stolen usernames and passwords are also freely available online, making spraying attacks a successful strategy for many attackers.

“Users are notorious for reusing passwords, and this behavior poses grave risks to an organization using single-factor authentication,” SANS Software Security Institute said in the paper “Bye Bye Passwords: New Ways to Authenticate”. “This behavior is true not only between password resets but also between different sites and organizations. Even with good, strong no-reuse policies, you are still fighting against other third parties where users may have reused their passwords. Thus, if your users are reusing passwords, their security becomes your security.”
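On the defensive side, the trial-and-error pattern of a spraying attack is visible in sign-in logs as one source failing against many different accounts in a short time. The following is an added detection example, not code from McAfee, SANS or the original article; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, assumed format: "<ISO time> <source IP> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2020-04-01T09:00:01 203.0.113.7 alice FAIL
2020-04-01T09:00:03 203.0.113.7 bob FAIL
2020-04-01T09:00:05 203.0.113.7 carol FAIL
2020-04-01T09:00:08 203.0.113.7 dave FAIL
2020-04-01T09:00:11 203.0.113.7 erin OK
2020-04-01T09:02:00 198.51.100.4 frank FAIL
2020-04-01T09:02:20 198.51.100.4 frank FAIL
2020-04-01T09:02:45 198.51.100.4 frank OK
"""

def parse(log):
    """Yield (time, ip, user, result) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_spraying(log, min_users=4, window=timedelta(minutes=10)):
    """Flag sources whose failed logins hit >= min_users distinct accounts
    within `window`, and list accounts those sources then logged in to."""
    fails = defaultdict(list)   # ip -> [(time, user)] failures still inside the window
    findings = {}               # ip -> {"targets": set, "compromised": set}
    for ts, ip, user, result in sorted(parse(log)):
        if result == "FAIL":
            fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= window]
            fails[ip].append((ts, user))
            targets = {u for _, u in fails[ip]}
            if len(targets) >= min_users:
                f = findings.setdefault(ip, {"targets": set(), "compromised": set()})
                f["targets"] |= targets
        elif ip in findings:
            # Success from an already-flagged source: treat the account as breached
            findings[ip]["compromised"].add(user)
    return findings

if __name__ == "__main__":
    for ip, f in find_spraying(SAMPLE_LOG).items():
        print(ip, "targets:", sorted(f["targets"]), "compromised:", sorted(f["compromised"]))
```

A single user mistyping a password several times (the second source in the sample) is not flagged, because the rule counts distinct accounts rather than raw failures. Accounts listed as compromised should have sessions revoked and passwords reset.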

How to Protect Cloud Collaboration Tool Accounts from Spraying Attacks

Here are some of the best practices for protecting cloud collaboration tool accounts from spraying attacks:

  1. Use VPN

VPN, short for virtual private network, is one of the ways to protect cloud collaboration tool accounts. VPN is an added layer of protection for the existing single-factor authentication or multi-factor authentication. Office 365 and Slack as well as other cloud collaboration tools allow VPN integration.

McAfee’s “Cloud Adoption and Risk Report: Work from Home Edition” found that even as many organizations have integrated VPN for secure access to cloud collaboration tool accounts, many employees cut corners by using only the traditional authentication method: username and password. “In reality, employees will do whatever is easiest and fastest,” McAfee said. “They will turn off their VPN and access applications in the cloud directly.”

  2. Use Multi-Factor Authentication

Multi-factor authentication is the upgraded version of single-factor authentication. Where traditional single-factor authentication requires only a username and password combination, multi-factor authentication requires an additional proof of identification, for instance, a One-Time Passcode (OTP) given by an authenticator app or a “push” from the authenticating service.

Multi-factor authentication stops spraying attacks as knowledge of the correct username and password combination isn’t enough to gain access to a cloud collaboration tool account. This additional method of authentication is also an extra security measure for employees who refuse or neglect to use VPN in accessing cloud collaboration tool accounts.

Multi-factor authentication, however, isn’t perfect. It has its own flaws, allowing some to bypass this security measure. This security measure shouldn’t, therefore, be used as a standalone cyber defense.

Our experts will help your employees protect sensitive information and your cloud applications by designing and implementing tight controls as well as proactive monitoring and ongoing IT support. Call us today at (416) 920-3000 for a free assessment or email