Microsoft SharePoint and OneDrive potentially vulnerable to ransomware

Proofpoint IT security researchers have identified a potentially dangerous feature in Microsoft 365 that allows ransomware to encrypt files stored on SharePoint Online and OneDrive in a way that makes them unrecoverable without special backups or decryption by the blackmailer.

Ransomware attacks usually target data on end devices or network drives. Until now, most IT and security teams have assumed that cloud storage is better protected against ransomware. After all, the familiar auto-save feature, together with version history and the good old recycle bin for files, was thought to suffice as a backup. According to the findings of the Proofpoint experts, this is a false assumption.

How is that possible?

The Proofpoint team has identified and documented the steps that result in the files in the attacked users’ accounts being encrypted. As with conventional ransomware attacks, once encrypted, these files can only be recovered with the keys held by the extortionist.

The following actions can be automated using Microsoft APIs, Command Line Interface (CLI), and PowerShell scripts:

  1. Initial access: For example, cybercriminals use phishing to gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking the users’ identities.
  2. Account takeover and access: The attackers now have access to all files owned by the compromised user or controlled by a third-party OAuth application (which also includes the user’s OneDrive account).
  3. Collection & Exfiltration: The cybercriminals set the version limit of files to a low number, e.g. 1 for the sake of simplicity. They then encrypt the file more times than the version limit, in this case twice. This step differs for cloud ransomware from endpoint/device ransomware attacks. In some cases, the attackers also exfiltrate the unencrypted files beforehand, enabling a double-extortion tactic.
  4. Monetization: Now all the original (pre-attack) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attackers can demand a ransom from the organization.
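To make step 3 concrete from the defender's side, here is a small model of a version-limited document library. It is an added example, not Proofpoint's or Microsoft's code, and it assumes a simplified semantics in which `version_limit` is the number of previous versions kept in addition to the current one (the reading under which "more times than the version limit" is exactly the tipping point). It shows why the version limit is the setting worth monitoring: the same two overwrites that erase the original under a limit of 1 leave it fully recoverable under a high limit.

```python
"""Toy model of a version-limited document library (added illustration, not
Proofpoint's or Microsoft's code). Assumption: `version_limit` is the number
of *previous* versions retained alongside the current one."""
from collections import deque
from typing import Deque, List, Optional


class VersionedFile:
    """A file whose history holds at most `version_limit` older versions."""

    def __init__(self, version_limit: int, content: Optional[bytes] = None):
        if version_limit < 0:
            raise ValueError("version limit must be non-negative")
        self.version_limit = version_limit
        self.current: Optional[bytes] = content
        self.history: Deque[bytes] = deque()

    def write(self, content: bytes) -> None:
        """Overwrite the file; versions pushed past the limit are gone for good."""
        if self.current is not None:
            self.history.append(self.current)
        while len(self.history) > self.version_limit:
            self.history.popleft()  # evicted: old versions have no recycle bin
        self.current = content

    def recoverable_versions(self) -> List[bytes]:
        """Everything a user could still roll back to, oldest first."""
        versions = list(self.history)
        if self.current is not None:
            versions.append(self.current)
        return versions


ORIGINAL = b"Q2 forecast: constructed sample document"  # constructed content


def _rewrite_n_times(version_limit: int, overwrites: int) -> VersionedFile:
    f = VersionedFile(version_limit, ORIGINAL)
    for i in range(overwrites):
        f.write(b"<opaque rewrite %d>" % i)  # placeholder for an encrypted copy
    return f


def original_survives(version_limit: int, overwrites: int) -> bool:
    """True if ORIGINAL can still be restored after `overwrites` rewrites."""
    return ORIGINAL in _rewrite_n_times(version_limit, overwrites).recoverable_versions()


def versions_lost(version_limit: int, overwrites: int) -> int:
    """Number of distinct versions (original + rewrites) that were evicted."""
    remaining = len(_rewrite_n_times(version_limit, overwrites).recoverable_versions())
    return overwrites + 1 - remaining


if __name__ == "__main__":
    # limit 1, rewritten twice: the original is gone (the scenario in step 3)
    print(original_survives(1, 2))    # False
    # a high limit: the same two rewrites leave the original intact
    print(original_survives(500, 2))  # True
    # survival flips exactly when the number of rewrites exceeds the limit
    print([original_survives(3, n) for n in range(1, 6)])  # [True, True, True, False, False]
```

The boundary is the point to remember: with limit N, the original survives N rewrites and is lost on the (N+1)th, so a library whose limit has been dropped to a single digit is one short burst of writes away from unrecoverable loss.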

Microsoft’s reaction

Prior to the disclosure of the vulnerability, Proofpoint reported it to Microsoft and received the following responses.

  • The configuration function for version settings works as intended.
  • Older file versions can potentially be restored for 14 days with the help of Microsoft support.

However, Proofpoint experts have attempted to retrieve and restore old versions this way (i.e., with the help of Microsoft Support) and have been unsuccessful. The security researchers have also shown that the configuration workflow for version settings, even if it works as intended, can be abused by attackers for cloud ransomware attacks.


Fortunately, many of the same recommendations that apply to protecting against endpoint ransomware also apply to protecting cloud environments.

Organizations should first enable detection of risky file configuration changes for Microsoft 365 accounts with a solution like Proofpoint CASB. While a user can inadvertently change the setting, this is comparatively rare. If users have unknowingly changed the setting, they should be made aware of it and asked to raise the version limit again. This reduces the risk of an attacker compromising users and exploiting already low version limits to extort the company.
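The detection this paragraph calls for can be expressed as a simple rule over settings-change events: alert when versioning is disabled or the version limit is lowered below a policy threshold, and escalate when one identity does this across several libraries. The following is an added example of such logic, not Proofpoint CASB's code; the record schema (`Operation`, `UserId`, `SiteUrl`, `ListName`, `OldVersionLimit`, `NewVersionLimit`, `VersioningEnabled`) and the sample lines are constructed for this illustration and are not Microsoft 365 audit-log field names.

```python
"""Flag document-library versioning changes that look like preparation for
cloud ransomware. Added example, not Proofpoint CASB logic. Record fields are
a constructed schema for this illustration, not Microsoft 365 audit-log names."""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample records, one JSON object per line.
SAMPLE_RECORDS = """\
{"Time": "2022-06-16T08:01:12Z", "Operation": "ListSettingsChanged", "UserId": "alice@example.com", "SiteUrl": "https://example.sharepoint.com/sites/finance", "ListName": "Documents", "OldVersionLimit": 500, "NewVersionLimit": 1}
{"Time": "2022-06-16T08:02:40Z", "Operation": "ListSettingsChanged", "UserId": "bob@example.com", "SiteUrl": "https://example.sharepoint.com/sites/hr", "ListName": "Documents", "OldVersionLimit": 500, "NewVersionLimit": 200}
{"Time": "2022-06-16T08:03:05Z", "Operation": "FileModified", "UserId": "alice@example.com", "SiteUrl": "https://example.sharepoint.com/sites/finance", "ListName": "Documents"}
{"Time": "2022-06-16T08:04:30Z", "Operation": "ListSettingsChanged", "UserId": "alice@example.com", "SiteUrl": "https://example-my.sharepoint.com/personal/alice", "ListName": "Documents", "OldVersionLimit": 500, "NewVersionLimit": 500, "VersioningEnabled": false}
{"Time": "2022-06-16T08:05:00Z", "Operation": "ListSettingsChanged", "UserId": "carol@example.com", "SiteUrl": "https://example.sharepoint.com/sites/legal", "ListName": "Contracts", "OldVersionLimit": 50, "NewVersionLimit": 100}
"""

MIN_SAFE_VERSION_LIMIT = 100  # policy threshold; an assumption for this example


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_risky_changes(records: List[Dict], min_limit: int = MIN_SAFE_VERSION_LIMIT) -> List[Dict]:
    """One alert per settings change that disables versioning or lowers the
    version limit below `min_limit`. Raising the limit is never flagged."""
    alerts = []
    for rec in records:
        if rec.get("Operation") != "ListSettingsChanged":
            continue
        old = rec.get("OldVersionLimit")
        new = rec.get("NewVersionLimit")
        reasons = []
        if rec.get("VersioningEnabled") is False:
            reasons.append("versioning disabled")
        if isinstance(new, int) and new < min_limit and (old is None or new < old):
            reasons.append(f"version limit lowered {old} -> {new} (below {min_limit})")
        if reasons:
            alerts.append({
                "time": rec["Time"],
                "user": rec["UserId"],
                "library": f'{rec["SiteUrl"]}/{rec["ListName"]}',
                "reasons": reasons,
            })
    return alerts


def repeat_actors(alerts: List[Dict], threshold: int = 2) -> Dict[str, int]:
    """Identities behind `threshold` or more risky changes. One accidental change
    is plausible; several across libraries by one identity warrants account review."""
    counts = Counter(a["user"] for a in alerts)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_risky_changes(parse_records(SAMPLE_RECORDS))
    for a in found:
        print(a["time"], a["user"], a["library"], "; ".join(a["reasons"]))
    print("repeat actors:", repeat_actors(found))
```

On the sample data, bob's change to 200 and carol's increase from 50 to 100 are ignored, while alice's drop to 1 on the finance library and the disabling of versioning on her personal OneDrive both alert, and the repeat-actor check surfaces her account as the one to review for compromise.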

Other ransomware defense improvements

  • People at high risk: Organizations should identify the users who most often face dangerous cloud, email, and web attacks and prioritize their protection. These users do not necessarily belong to the group of people who are usually considered high-value targets, such as executives and privileged users.
  • Access Management: Organizations should maintain strong password policies and apply multi-factor authentication (MFA) and a least-privilege access policy to all cloud applications.
  • Disaster Recovery and Data Backup: Disaster recovery and data protection policies must be kept up to date to reduce losses in the event of ransomware. Ideally, organizations regularly perform off-site backups of cloud files containing sensitive data. Don’t rely solely on Microsoft for versioning backups of document libraries.
  • Cloud security: Organizations should employ appropriate tools to detect and respond to account compromise and third-party application abuse.
  • Protection against data loss: Downloading of sensitive data and large amounts of data to unmanaged devices should be prevented to reduce the potential for double-extortion tactics in ransomware attacks.