IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

Functionality allows ransomware to encrypt files stored on SharePoint and OneDrive to make them potentially unrecoverable, vendor says

A close up photo of a smartphone screen with a shortcut for the OneDrive app displayed

A ‘potentially dangerous’ functionality in Office 365 and Microsoft 365 has been discovered that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker. 

Cyber security firm Proofpoint said it focused its research on SharePoint Online and OneDrive within the 365 suites, finding that hackers can target an organisation’s data in the cloud, as well as launch attacks on cloud infrastructure.

Related Resource

Securing endpoints amid new threats

Ensuring employees have the flexibility and security to work remotely

Whitepaper cover with image of female employee working at home on laptopFree Download

“Once executed, the attack encrypts the files in the compromised users’ accounts,” the Proofpoint team explained. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”

The vendor identified and laid out details of the attack chain, which it says can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.

First, the attacker will gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities. That enables an account takeover, providing access to any file owned by the compromised user or controlled by the third-party OAuth application, including the user’s OneDrive account.

The attacker will then reduce version limits of these files to a low number – such as 1 – and then encrypt each by more than that figure.

“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware,” Proofpoint noted. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.”

Finally, this will then leave only the encrypted versions of the files in the account, enabling the attacker to monetise the situation and demand a ransom from the business.

To help counter this form of cloud ransomware attack, the vendor advised businesses use software that detects risky file configuration changes in Office 365 as user changes are not common behaviour. If a user makes these changes unknowingly, they should be made aware and asked to increase the version limit.

The cyber security firm also advised to improve security hygiene around ransomware, as well as ensure response and investigation measures incorporate Office 365 and Microsoft 365.

Proofpoint added that it has made the discovery known to Microsoft, but the flaw currently remains open for exploitation. In response, Microsoft said the configuration functionality for versioning settings is working as intended, while older versions of files are potentially able to be restored for an additional 14 days via Microsoft Support.

However, Proofpoint said attempts to retrieve and restore old versions using this process and “were not successful.”

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Microsoft reveals price decreases for Teams Rooms, new free tier
Business operations

Microsoft reveals price decreases for Teams Rooms, new free tier

18 Aug 2022
Microsoft blocking Tutanota users from Teams registration, claims fix unfeasible
Business operations

Microsoft blocking Tutanota users from Teams registration, claims fix unfeasible

8 Aug 2022
Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Microsoft wins five-year digital transformation deal with Australia’s largest telco
digital transformation

Microsoft wins five-year digital transformation deal with Australia’s largest telco

26 Jul 2022

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
UK water supplier confirms hack by Cl0p ransomware gang
ransomware

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022