← Blog

The dropped USB stick: why curiosity is an attack vector

Tenant Strike3 min read

Leave a few USB sticks in a parking lot and a surprising number get plugged into work computers. Baiting attacks weaponize curiosity and good intentions. Here is how they work and the simple rule that stops them.

Security researchers love a particular experiment: scatter a handful of USB sticks in a company parking lot, then watch how many end up plugged into work computers. The answer, year after year, is more than you'd hope. This is baiting — an attack that doesn't trick your software at all. It tricks your curiosity and your good intentions.

How baiting works

A baiting attack leaves something tempting where a target will find it, counting on human nature to do the rest. The classic version is a USB stick dropped in a parking lot, a lobby, or a coffee shop near your office. Sometimes it's labeled to be irresistible — "Payroll," "Layoffs Q3," "Private," or "Bonus Plan." Sometimes it's left looking lost, and a kind person picks it up intending to find the owner.

Either way, the moment someone plugs it into a work computer to see what's on it, the trap can spring. The stick may carry malware that runs automatically or hides inside a tempting file. More advanced versions aren't really storage at all — they're devices disguised as USB sticks that act like a keyboard and type commands the instant they're connected, opening a door before you've clicked anything.

The same idea works digitally: a "free download," a pirated piece of software, a too-good attachment. The bait is whatever the target can't resist or feels they should investigate.

Why it gets past good people

Baiting is clever because it flips the usual attacker effort. Instead of reaching out to a victim, the attacker waits for the victim to come to them — which feels less suspicious. Picking up a lost USB stick and checking it for an owner is a helpful act. Curiosity about a stick labeled "Salaries" is deeply human. Neither feels like falling for a scam, and that's the point.

It also exploits a blind spot. People are increasingly wary of suspicious emails and links, but a physical object doesn't trigger the same alarm. A USB stick is just hardware sitting on a desk.

The rule that stops it

It fits in one sentence: never plug an unknown USB device into a work computer. Not to find the owner, not out of curiosity, not "just to check." If you find a stray drive, hand it to your IT person or simply throw it away. The contents are not worth the risk, and a lost stick is far more likely to be bait than a genuine accident.

The same caution applies to chargers and cables from untrusted sources, and to "free" promotional USB devices handed out at events — they've been used to deliver malware too.

A few habits for a small team

  1. Say the rule out loud. Most people have never been told that a found USB stick is dangerous. Once they know, they stop.
  2. Be skeptical of irresistible labels. "Confidential" and "Salaries" on a found drive are bait, not a lucky break.
  3. Stick to trusted sources for software. Download programs from the official website or app store, not from a link, a torrent, or a stranger's drive.
  4. Ask IT before connecting unfamiliar hardware to a work machine, including gifts and giveaways.

Baiting is a reminder that the attacker doesn't always have to reach you. Sometimes they just leave the door open and wait for curiosity to walk through it.

If a malicious device or download does run on a machine, the damage depends on what that machine can reach. Tenant Strike reviews your Microsoft 365 and Azure settings in read-only mode to show where a single compromised computer would spread furthest — broad access, missing multi-factor authentication, sign-ins permitted from any device. It's a five-minute check that turns an abstract risk into a concrete, fixable list.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.