Proofpoint identifies Microsoft 365 functionality that opens new cloud-based attack vectors


Why it matters: Cybersecurity firm Proofpoint recently published findings on two widely used enterprise cloud applications, SharePoint Online and OneDrive. The findings explain how an attacker who has taken over a user's account can abuse ordinary, built-in functionality in the applications to encrypt the user's files and hold them for ransom. The technique gives attackers another avenue for attacking cloud-hosted data and infrastructure.

The attack is a four-step chain that begins with the compromise of a specific user's identity. Using that user's credentials, the attacker signs in to the victim's SharePoint or OneDrive account, lowers the versioning limit, and then encrypts the files repeatedly, leaving no unencrypted version of any affected file behind. Once encrypted, the files can be read again only with the corresponding decryption keys, which the attacker holds.

Accounts can be compromised through brute-force or phishing attacks, by tricking the user into granting access to a malicious third-party OAuth app, or by hijacking an existing user session. Once an account is compromised, every remaining step can be scripted to run automatically through the service's application programming interfaces (APIs), PowerShell, or command line interface (CLI) tooling.

Versioning is a SharePoint and OneDrive feature that keeps a history of each file, recording every change to a document and the user(s) who made it. Users with appropriate permissions can view, delete, or restore earlier versions of a document. How many versions are kept is controlled by the versioning settings of the document library. Changing those settings does not require administrator-level permissions: any site owner, or any other user with the necessary permissions, can do it.

Changing the number of retained versions is the key to the attack. The attacker sets the versioning limit to the desired number of versions per file, then encrypts the files more times than that limit. Each encryption pass pushes the oldest retained version out of the history, so once the number of passes exceeds the limit, no unencrypted prior version remains to restore.

For example, setting the version limit to one and then encrypting a file twice leaves both the current copy and the single retained prior version encrypted. At that point the ransomed files can only be recovered with the corresponding decryption key, or not at all.

Encryption is not the only way the versioning setting can be abused. The attacker may instead keep a copy of the original document and then make more changes to it than the number of versions being kept. For example, if versioning is set to retain the last 200 versions, the attacker makes 201 changes. Afterwards the current copy in SharePoint or OneDrive and every retained prior version have all been altered, while the attacker holds the only intact original for ransom.
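The version arithmetic behind both variants (encrypting past the limit, and editing past the limit) is easy to get wrong by one, so here is a small model of it, written for this article; it is not Proofpoint's code and not Microsoft's implementation. It assumes a document keeps its current content plus at most `limit` prior versions, with trimming at write time, which is the counting the article uses (limit 1 plus two encryptions leaves nothing unencrypted). The toy XOR cipher, the `VersionedFile`, `attack_by_encryption`, `attack_by_edits` and `flag_suspicious` names, the sample document, the event records and the 500 baseline limit are all this example's own constructions; the event fields are not the Microsoft 365 audit log schema.

```python
"""Model of SharePoint/OneDrive version retention under the attack described above.

Added illustration; not Proofpoint's code or Microsoft's implementation. Assumed model
(labelled): a document keeps its current content plus at most `limit` prior versions,
and trimming happens when a new version is written. A tenant that counts the current
version inside the limit shifts the numbers by one but not the conclusion.
"""
import hashlib
from collections import deque
from dataclasses import dataclass, field

SAMPLE = b"Q3 forecast: revenue 4.2M, headcount 38"  # constructed sample document


@dataclass
class VersionedFile:
    limit: int                                     # prior versions retained (site-owner setting)
    current: bytes
    history: deque = field(default_factory=deque)  # newest prior version first

    def write(self, new_content: bytes) -> None:
        """Overwrite the file. The old content becomes the newest prior version and
        the oldest prior versions are dropped once more than `limit` are stored."""
        self.history.appendleft(self.current)
        while len(self.history) > self.limit:
            self.history.pop()
        self.current = new_content

    def recoverable(self, original: bytes) -> bool:
        """Does any copy still held by the service match the original content?"""
        return self.current == original or original in self.history


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy keystream cipher so the example runs offline; a real attacker would use
    a proper cipher, which changes nothing about the version arithmetic."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def attack_by_encryption(original: bytes, limit: int, rounds: int) -> bool:
    """Attacker lowers the limit to `limit`, then encrypts the file `rounds` times,
    each round with its own key. Returns whether a plaintext copy survives."""
    f = VersionedFile(limit=limit, current=original)
    for r in range(rounds):
        key = hashlib.sha256(f"attacker-key-{r}".encode()).digest()  # held by the attacker
        f.write(xor_encrypt(f.current, key))
    return f.recoverable(original)


def attack_by_edits(original: bytes, limit: int, edits: int) -> bool:
    """Variant without encryption: the attacker keeps `original` offline and makes
    `edits` modifications, each creating a new version. Returns whether the service
    still holds an unaltered copy."""
    f = VersionedFile(limit=limit, current=original)
    for i in range(edits):
        f.write(original + f" [tampered {i}]".encode())
    return f.recoverable(original)


# Constructed event stream; field names are this example's own, not the Microsoft 365
# unified audit log schema.
SAMPLE_EVENTS = [
    {"user": "alice",   "op": "write", "file": "Q3-forecast.xlsx"},
    {"user": "mallory", "op": "set_version_limit", "value": 1},
    {"user": "mallory", "op": "write", "file": "Q3-forecast.xlsx"},
    {"user": "mallory", "op": "write", "file": "Q3-forecast.xlsx"},
    {"user": "mallory", "op": "write", "file": "Q3-forecast.xlsx"},
]


def flag_suspicious(events, baseline_limit: int = 500):
    """Detection heuristic: a version-limit decrease followed by enough writes to one
    file to exhaust the new limit. `baseline_limit` is the library's assumed starting
    limit (assumption: 500, SharePoint Online's default for major versions)."""
    limit, lowered = baseline_limit, False
    writes_per_file, seen, alerts = {}, set(), []
    for ev in events:
        if ev["op"] == "set_version_limit":
            lowered = ev["value"] < limit
            limit = ev["value"]
            writes_per_file = {}          # count only writes made under the new limit
        elif ev["op"] == "write" and lowered:
            n = writes_per_file[ev["file"]] = writes_per_file.get(ev["file"], 0) + 1
            if n > limit and (ev["user"], ev["file"]) not in seen:
                seen.add((ev["user"], ev["file"]))
                alerts.append((ev["user"], ev["file"]))
    return alerts


if __name__ == "__main__":
    print("limit 1, encrypted once  -> recoverable:", attack_by_encryption(SAMPLE, 1, 1))
    print("limit 1, encrypted twice -> recoverable:", attack_by_encryption(SAMPLE, 1, 2))
    print("limit 200, 200 edits     -> recoverable:", attack_by_edits(SAMPLE, 200, 200))
    print("limit 200, 201 edits     -> recoverable:", attack_by_edits(SAMPLE, 200, 201))
    print("alerts:", flag_suspicious(SAMPLE_EVENTS))
```

The model makes the threshold explicit: with `limit` prior versions retained, `limit` writes still leave the original in the history and `limit + 1` writes erase it, whichever variant the attacker uses. The heuristic at the end is the defender's mirror image of that arithmetic: a lowered limit followed by more than `limit` overwrites of one file by the same account is the behaviour to alert on, whatever audit source you feed it from.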

Proofpoint's blog provides several recommendations to help protect you and your organization from this type of attack. These recommendations, some of which rely on Proofpoint's suite of cybersecurity products, focus on early detection of high-risk configurations and behaviors, enhanced access management, and ensuring sufficient backup and recovery policies are in place.

Image credit: Ransomware attack process from Proofpoint



Uncle Al

Once again MicroSludge has outdone itself ..... wouldn't it be nice if somebody made an application that could be loaded at boot up that would avoid Microsoft products altogether?!?!?!


Death penalty for haxors when caught!

2FA will stop most of this dead. Cloud storage is a huge risk, it should only be used for backup.


Yet another reason to avoid Onedrive.

For me, Dropbox's superior product was enough.
Unless you read the actual article, that is. Dropbox will not protect your files either if your account is compromised. Which is the 1st step in the attack outlined above.

OTOH Dropbox costs more and offers less, so enjoy your subpar choice.


Cloud storage is for suckers.
... and sensible people who know how to protect their accounts. The security of cloud storage is orders of magnitude better than that of your home NAS. The mere thought that you can provide better confidentiality, integrity and availability than OneDrive, with ISO 9001/27001/22301 and NIST SP 800-171 certifications, amongst others, is just ridiculous.