Newly Discovered Office 365 Flaw Potentially Dangerous

Share post:

Security firm Proofpoint has detected a “potentially dangerous piece of functionality” in Microsoft Office 365 that enables ransomware to encrypt files stored on SharePoint and OneDrive and makes them unrecoverable without backups or a decryption key from the hacker.

Ransomware attacks typically target data across endpoints or network drives.

SharePoint and OneDrive are two of the most ubiquitous enterprise cloud apps. The attacker encrypts the files in the compromised users’ accounts. Just like any endpoint ransomware activity, encrypted files can only be recovered with decryption keys.

Proofpoint breaks down how the attack begins and progresses.

  1. Initial Access: Gain access to SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
  2. Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application.
  3. Collection & Exfiltration: Reduce versioning limit of files to a low number to keep it easy. Encrypt the file more times than the versioning limit. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. 
  4. Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.

Proofpoint also identified three most common paths hackers take to obtain access to one or more users’ SharePoint Online or OneDrive accounts. These are:

  1. Account compromise: Directly compromising the users’ credentials to their cloud account(s) via phishing, brute force attacks, and other methods
  2. Third-party OAuth applications: Tricking a user to authorize third-party OAuth apps with application scopes for SharePoint or OneDrive access
  3. Hijacked sessions: Hijacking the web session of a logged-in user or hijacking a live API token for SharePoint Online and/or OneDrive

Finally, Proofpoint urges users to shore up their Office 365 accounts by improving security hygiene around ransomware and updating disaster recovery and data backup policies to minimize losses incurred in a ransomware attack.

For more information, read the original story in Techrepublic.


Related articles

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

Cyber Security Today, Week in Review for week ending Friday, June 14, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, June 14th,...

Cyber Security Today, June 14, 2024 – Employee downloaded a file that led to hospital chain’s ransomware attack

An employee downloaded a file that led to hospital chain's ransomware attack Welcome to Cyber Security Today. It's Friday...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways