The technology disclosed includes a system and method for preventing phishing attacks caused by sharing documents with malicious content over a network, where the shared document may include links that redirect users to a malicious websites. The cloud-based method applies a set of rules and policies to allow the shared document or block the shared document from the network, based on identifying the ownership or originator of the shared document. Blocked documents are quarantined, analyzed for threats, and subjected to sandbox methods to determine malicious content that may compromise corporate data. If analysis proves the blocked document to be safe, it may be released into the network along with subsequent documents having the same ownership or originator. The technology disclosed is particularly useful where a malicious attacker creates a malicious file in a cloud-based store such a Google Drive and shares it with endpoint users. When users open the shared document, they are redirected to a malicious website where a corporation's critical data may be compromised.