Threat actors are actively targeting cloud file-sharing platforms such as ShareFile, Nextcloud, and OwnCloud, exploiting these services to steal corporate data and then offer it for sale. These attacks demonstrate how collaboration infrastructure — trusted by organisations — can become a lucrative target for data theft.
This trend underscores the need for strong identity, access governance, and secure file-sharing practices as part of a broader IAM strategy.
Why Cloud File-Sharing Attacks Are a New Front in Identity Risk
Cloud file-sharing services have become central to how organisations store, share, and collaborate on critical documents. However, these trusted services are now under attack by threat actors like Zestix, who have been observed targeting instances of ShareFile, Nextcloud, and OwnCloud to steal corporate data and offer it for sale.
Unlike breaches of perimeter infrastructure, these attacks exploit trusted access into collaboration platforms — often by leveraging compromised credentials, weak access policies, or misconfigurations — to exfiltrate sensitive corporate information. Once inside, attackers can harvest customer records, intellectual property, or internal files without triggering traditional security alerts.
Cloud Sharing: A Hidden Identity Risk
Many organisations assume cloud file-sharing platforms are secure by default, but attackers are turning that trust against them:
- Compromised credentials can grant access to all shared resources
- Weak or absent MFA exposes users to credential abuse
- Excessive permissions allow attackers to move laterally across documents
In these environments, identity becomes the control point — the very thing attackers aim to compromise to steal data. Defence requires more than firewalls: it demands identity-centric controls that govern who can access what, when, and under what conditions.
IAM Must Guard Data Collaboration Platforms
To reduce these risks, organisations should consider:
- Enforcement of Zero Trust access policies
- Adaptive authentication based on user and device risk
- Comprehensive auditing of shared content permissions
- Strong MFA and credential hardening
- Continuous monitoring of file-sharing activity
Identity and access controls must extend beyond login to protect the behaviour that follows, ensuring attackers cannot misuse authorised access to steal data.
Trevonix Perspective
At Trevonix, we see these incidents as part of a critical evolution in cyber risk: attackers are weaponising identity and trusted services to bypass traditional defences and exfiltrate data. Protecting systems today means defending identity itself — embedding adaptive access controls, continuous risk assessment, and robust IAM frameworks across every user journey and data interaction.
In a world where cloud collaboration and federated identity are ubiquitous, organisations must shift from static authentication to dynamic, contextual trust models that prevent credential abuse, detect anomalies early, and protect sensitive resources even when attackers penetrate infrastructure.
Identity security is no longer a subset of IT — it’s a core strategic priority for resilient digital operations.