
Proofpoint’s security researchers have discovered a potentially dangerous functionality in Office 365 that could allow unauthorized access to data stored on SharePoint and OneDrive.
The flaw allows ransomware to encrypt files stored on cloud apps using the Microsoft 365 AutoSave feature, rendering them unrecoverable without dedicated backups or a decryption key from the attacker.
The researchers focused on the most popular enterprise cloud apps, SharePoint Online and OneDrive, within the Office 365 suites. They found that ransomware actors can target organizational data in the cloud and launch attacks on cloud infrastructure.
According to the security researchers, the first step would be to compromise or hijack users’ identities to gain access to SharePoint Online or OneDrive accounts.
Proofpoint lists the three most common methods for gaining an initial foothold: brute-force attacks or phishing; duping a user into authorizing a rogue third-party OAuth application; or hijacking a logged-in user’s web session.
An attacker would then have access to any file owned by the compromised user or controlled by the third-party OAuth application, including files in the user’s OneDrive account, and could encrypt them.
Malicious actors, according to Proofpoint, would reduce the versioning limit of files to a low number (ideally 1) and then encrypt them more times than the versioning limit, preventing access to previous, unencrypted versions. The attacker may exfiltrate the unencrypted files as part of a double extortion scheme.
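For defenders, the sequence described above (a version limit lowered, then the same files rewritten more times than the new limit) is a pattern that can be searched for in activity logs. The following sketch is an added example, not code from Proofpoint or Microsoft; the event schema, action names, the `floor` policy value and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (field and action names are assumptions, not Microsoft's audit log format).
EVENTS = [
    {"time": "2022-06-01T09:00:00", "user": "alice", "library": "Finance",
     "action": "version_limit_changed", "new_limit": 1},
    {"time": "2022-06-01T09:01:00", "user": "alice", "library": "Finance",
     "action": "file_modified", "file": "budget.xlsx"},
    {"time": "2022-06-01T09:02:00", "user": "alice", "library": "Finance",
     "action": "file_modified", "file": "budget.xlsx"},
    {"time": "2022-06-01T09:03:00", "user": "alice", "library": "Finance",
     "action": "file_modified", "file": "report.docx"},
    {"time": "2022-06-01T09:04:00", "user": "bob", "library": "HR",
     "action": "file_modified", "file": "roster.xlsx"},
    {"time": "2022-06-01T09:05:00", "user": "bob", "library": "HR",
     "action": "file_modified", "file": "roster.xlsx"},
]

def find_version_rollover(events, floor=10, window=timedelta(hours=24)):
    """Flag files rewritten more times than a freshly lowered version limit.

    floor: assumed policy minimum; any limit set below it is treated as suspicious.
    """
    lowered = {}                # library -> (time, user, new_limit)
    writes = defaultdict(int)   # (library, file) -> writes since the reduction
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, lib = datetime.fromisoformat(ev["time"]), ev["library"]
        if ev["action"] == "version_limit_changed":
            # Any limit change restarts counting for that library.
            for key in [k for k in writes if k[0] == lib]:
                del writes[key]
            if ev["new_limit"] < floor:
                lowered[lib] = (ts, ev["user"], ev["new_limit"])
            else:
                lowered.pop(lib, None)
        elif ev["action"] == "file_modified" and lib in lowered:
            since, who, limit = lowered[lib]
            if ts - since > window:
                continue
            writes[(lib, ev["file"])] += 1
            # One write past the limit means no pre-reduction version is retained.
            if writes[(lib, ev["file"])] == limit + 1:
                findings.append({"library": lib, "file": ev["file"], "limit": limit,
                                 "limit_changed_by": who, "modified_by": ev["user"]})
    return findings
```

On the sample data only `budget.xlsx` is flagged: `report.docx` was rewritten once and still has a prior version, and the HR library never had its limit lowered.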
Proofpoint also provided a list of best practices for reducing the impact of these malicious attempts. Enforcing a strong password policy, increasing the use of multi-factor authentication (MFA), and implementing a least-privilege access policy across cloud apps are just a few.
