Cloud and Threat Report (Netskope, January 2022)

Andy Ful

Dec 23, 2014

In this sixth edition of the Cloud Threat Report, we take a look back at the top trends in cloud attacker activities and cloud data risks from 2021 compared to 2020. We examine changes in the malware landscape in 2021, highlighting that attackers are enjoying more success abusing cloud apps to deliver malware payloads to their victims. We quantify that success in terms of the increasing number of cloud apps from which we block malware downloads and the increasing share of the total malware downloads coming from cloud apps.

In addition, we take a look at a continuing trend of attackers abusing Microsoft Office document formats to deliver malware. In Q2 2020, we saw a sudden spike in malicious Office documents driven primarily by Emotet, who launched a large-scale and highly effective malspam campaign that delivered malicious Office documents using popular cloud apps. Since then, copycat groups have continued to abuse Office documents to deliver malware and the quantity of malicious documents remains high above pre-Emotet levels.

We also take a look at credential attacks against managed cloud apps which continue at the same rate as 2020, but with a shift in the sources of the attacks. The top source of credential attacks in 2020 were a few heavy hitters responsible for a large number of login attempts. In 2021, credential attacks came from a much larger number of sources, each responsible for fewer login attempts.

Finally, we take a look at a different type of data risk, insider threats. In 2021, we observed users leaving their jobs at twice the rate of 2020. Users leaving the organization pose a serious data security risk, with more than one out of every seven people using personal Cloud Storage apps to take data with them when they leave. Because Cloud Storage apps appear in leaderboards throughout this report, we finish by examining how their overall popularity among users is a primary driver for their appearance at the top of the malware download and insider threat leaderboards.


  • Google Drive emerges as the top app for malware downloads, taking over that spot from Microsoft OneDrive, while the percentage of malware downloads from cloud apps increased from 46%, peaked at 73% and plateaued at 66%.
  • Emotet copycats continue to abuse Microsoft Office documents, which continue to represent one-third of all malware downloads, compared to one-fifth of all malware downloads prior to Emotet.
  • More than half of managed cloud app instances are targeted by credential attacks, while the sources of such attacks shift from a few heavy hitters to a more decentralized attack.
  • Employee attrition leads to data exfiltration, as one out of every seven users takes data with them when they leave using personal app instances.
  • Cloud adoption continues to rise, with the rising popularity of Cloud Storage apps attracting abuse by both attackers (for malware delivery) and insider threats (for data exfiltration).


Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.
This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG) and API Cloud Access Security Broker (CASB). When reporting about threats, we analyze detections raised by our NG SWG when malicious content is accessed. We count the total number of detections from our platform, not considering the significance of the impact of each individual threat. When reporting on insider threats, we count the total number of downloads and uploads from our platform, not considering the content or sensitivity of each individual file.
Netskope Threat Labs
Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DefCon, BlackHat, and RSA.

Full report:


One can also look at this summary article: