A ‘potentially dangerous’ functionality in Office 365 and Microsoft 365 has been discovered that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
Cyber security firm Proofpoint said it focused its research on SharePoint Online and OneDrive within the 365 suites, finding that hackers can target an organisation’s data in the cloud, as well as launch attacks on cloud infrastructure.
RELATED RESOURCE
Securing endpoints amid new threats
Ensuring employees have the flexibility and security to work remotely
“Once executed, the attack encrypts the files in the compromised users’ accounts,” the Proofpoint team explained. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”
The vendor identified and laid out details of the attack chain, which it says can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.
First, the attacker will gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities. That enables an account takeover, providing access to any file owned by the compromised user or controlled by the third-party OAuth application, including the user’s OneDrive account.
The attacker will then reduce version limits of these files to a low number – such as 1 – and then encrypt each by more than that figure.
“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware,” Proofpoint noted. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.”
Finally, this will then leave only the encrypted versions of the files in the account, enabling the attacker to monetise the situation and demand a ransom from the business.
To help counter this form of cloud ransomware attack, the vendor advised businesses use software that detects risky file configuration changes in Office 365 as user changes are not common behaviour. If a user makes these changes unknowingly, they should be made aware and asked to increase the version limit.
The cyber security firm also advised to improve security hygiene around ransomware, as well as ensure response and investigation measures incorporate Office 365 and Microsoft 365.
Proofpoint added that it has made the discovery known to Microsoft, but the flaw currently remains open for exploitation. In response, Microsoft said the configuration functionality for versioning settings is working as intended, while older versions of files are potentially able to be restored for an additional 14 days via Microsoft Support.
However, Proofpoint said attempts to retrieve and restore old versions using this process and “were not successful.”
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
