Free file host

Tactic or Technique: Free file host

Phishing attacks often use trusted file-sharing platforms like Google Drive, OneDrive, or Dropbox to deliver malicious content. Instead of attaching malware directly to an email, they send a link to a hosted file that contains a phishing page, ransomware, or another type of malicious payload.

Because these services are widely used and trusted, the links don’t always look suspicious—and many security tools allow them by default. Encrypted connections make it harder to inspect the content, and the familiar branding gives the message an added layer of credibility.

This tactic is effective because it blends in with everyday workflows. A file share link feels normal, especially if it’s framed as a contract, invoice, or shared HR document. That’s why it often gets past both technical defenses and human intuition. Without cloud-aware security controls or strong user training, it’s easy for one click to lead to compromise.

Blog Posts

Living Off the Land: Credential Phishing via Docusign abuse

Living Off the Land: Callback Phishing via Docusign comment

Abusing Discord to deliver Agent Tesla malware

Attack Types (4):

Detection Methods (11):

Optical Character Recognition

HTML analysis

Header analysis

Natural Language Understanding

URL screenshot

Whois

File analysis

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Link: Webflow Link from Unsolicited Sender	5d ago Jun 13th, 2025 UTC	Sublime Security	Callback Phishing Free file host Free subdomain host Content analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-webflow-link-from-unsolicited-sender-d4f3b8cf
Link: Secure SharePoint file share from new or unusual sender	8d ago Jun 10th, 2025 UTC	Sublime Security	Credential Phishing Free file host Evasion Content analysis Sender analysis	/feeds/core/detection-rules/link-secure-sharepoint-file-share-from-new-or-unusual-sender-74ed3020
Brand Impersonation: Fake Fax	16d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Service Abuse: Zoom Docs From an Unsolicited Sender Address	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-zoom-docs-from-an-unsolicited-sender-address-064b2594
Link: Direct Link to keap.app contact-us page	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267
Link: Multistage Landing - Scribd Document	1mo ago May 16th, 2025 UTC	Sublime Security	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d
Canva Design With Suspicious Embedded Link	1mo ago May 16th, 2025 UTC	Sublime Security	Credential Phishing Evasion Social engineering Free file host HTML analysis URL analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22
Link: Scribd Fullscreen Link From Suspicious Sender	1mo ago May 14th, 2025 UTC	Sublime Security	Credential Phishing Free file host Social engineering Evasion URL analysis Sender analysis	/feeds/core/detection-rules/link-scribd-fullscreen-link-from-suspicious-sender-9e9bc972
Link: Multistage Landing - Published Google Doc	1mo ago May 14th, 2025 UTC	Sublime Security	Credential Phishing Free file host Social engineering Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8
Link: Figma Design Deck With Credential Phishing Language	1mo ago May 7th, 2025 UTC	Sublime Security	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924
Brand impersonation: Microsoft with low reputation links	1mo ago May 7th, 2025 UTC	Sublime Security	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Link: Multistage Landing - Abused Google Drive	1mo ago May 5th, 2025 UTC	Sublime Security	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
Issuu Document With Suspicious Embedded Link	1mo ago May 5th, 2025 UTC	Sublime Security	Credential Phishing Social engineering Free file host Evasion URL analysis URL screenshot Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d
Link: Direct Link to gamma.app Presentation in Present Mode	1mo ago Apr 30th, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-gammaapp-presentation-in-present-mode-080ab581
Service Abuse: HelloSign From an Unsolicited Sender Address	1mo ago Apr 30th, 2025 UTC	Sublime Security	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-hellosign-from-an-unsolicited-sender-address-68ca0753
Service Abuse: SurveyMonkey Survey From Newly Registered Domain	2mo ago Apr 18th, 2025 UTC	Sublime Security	Credential Phishing Evasion Free file host Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/service-abuse-surveymonkey-survey-from-newly-registered-domain-50a85fa7
Service Abuse: Google Account Notification with Links to Free File Host	2mo ago Apr 16th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Social engineering Free file host Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/service-abuse-google-account-notification-with-links-to-free-file-host-59786115
Service Abuse: Google Drive Share From an Unsolicited Reply-To Address	2mo ago Apr 11th, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Free email provider Social engineering Free file host Header analysis Sender analysis	/feeds/core/detection-rules/service-abuse-google-drive-share-from-an-unsolicited-reply-to-address-4581ec0c
Suspicious SharePoint File Sharing	2mo ago Apr 11th, 2025 UTC	Sublime Security	Credential Phishing Free email provider Free file host OneNote PDF Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c
Link: Multistage Landing - Abused Docusign	2mo ago Apr 11th, 2025 UTC	Sublime Security	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645