
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

Functionality allows ransomware to encrypt files stored on SharePoint and OneDrive to make them potentially unrecoverable, vendor says


A ‘potentially dangerous’ functionality in Office 365 and Microsoft 365 has been discovered that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker. 

Cyber security firm Proofpoint said it focused its research on SharePoint Online and OneDrive within the 365 suites, finding that hackers can target an organisation’s data in the cloud, as well as launch attacks on cloud infrastructure.


“Once executed, the attack encrypts the files in the compromised users’ accounts,” the Proofpoint team explained. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”

The vendor identified and laid out details of the attack chain, which it says can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.

First, the attacker will gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities. That enables an account takeover, providing access to any file owned by the compromised user or controlled by the third-party OAuth application, including the user’s OneDrive account.

The attacker then reduces the version limit on these files to a low number, such as 1, and encrypts (that is, overwrites) each file more times than that limit allows, so that no unencrypted version remains in the file's version history.

“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware,” Proofpoint noted. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.”

Finally, this will then leave only the encrypted versions of the files in the account, enabling the attacker to monetise the situation and demand a ransom from the business.

To help counter this form of cloud ransomware attack, the vendor advised businesses to use software that detects risky file configuration changes in Office 365, since users rarely change these settings themselves. If a user has made such a change unknowingly, they should be made aware of it and asked to increase the version limit.
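The attack chain above (cut the version limit, then overwrite each file more times than the limit) and the detection advice in this paragraph can be combined into a simple alerting rule. The following Python is an added example, not Proofpoint's tooling or Microsoft's audit log format: the event schema (fields `op`, `user`, `library`, `old_limit`, `new_limit`, `file`), the policy floor `MIN_SAFE_VERSION_LIMIT`, and the sample events are all constructed for illustration. It flags any versioning change that lowers the limit below the policy floor and raises the severity when the same user then overwrites many files in the same library within a short window.

```python
"""Detection rule for version-limit tampering followed by overwrite bursts.

The event schema here is constructed for this example and is NOT the
Microsoft 365 unified audit log format; map real audit records into these
fields before using the rule for real.
"""
from datetime import datetime, timedelta

# Policy floor (assumption): any version limit below this is treated as risky.
MIN_SAFE_VERSION_LIMIT = 50
# Overwrite burst after a limit change that is considered suspicious.
BURST_WINDOW = timedelta(minutes=30)
BURST_THRESHOLD = 20


def _event(time, user, op, library, **extra):
    rec = {"time": time, "user": user, "op": op, "library": library}
    rec.update(extra)
    return rec


def build_sample_events():
    """Constructed sample events (hypothetical schema, not real log data)."""
    events = [
        # Attack pattern: limit cut to 1, followed by a burst of overwrites.
        _event("2022-06-20T09:00:00", "alice@example.com", "VersionLimitChanged",
               "Documents", old_limit=500, new_limit=1),
        # Benign tidy-up: limit lowered but still above the policy floor.
        _event("2022-06-20T10:00:00", "bob@example.com", "VersionLimitChanged",
               "Marketing", old_limit=500, new_limit=100),
        # Risky change with no overwrite burst: worth a look, lower severity.
        _event("2022-06-20T11:00:00", "carol@example.com", "VersionLimitChanged",
               "Finance", old_limit=500, new_limit=5),
    ]
    # 25 overwrites by alice in the 25 minutes after her limit change.
    for i in range(25):
        events.append(_event(f"2022-06-20T09:{i + 1:02d}:00", "alice@example.com",
                             "FileModified", "Documents", file=f"report{i}.docx"))
    return events


def parse_time(value):
    return datetime.fromisoformat(value)


def find_risky_limit_changes(events):
    """Version-limit changes that lowered the limit below the policy floor."""
    return [e for e in events
            if e["op"] == "VersionLimitChanged"
            and e["new_limit"] < e["old_limit"]
            and e["new_limit"] < MIN_SAFE_VERSION_LIMIT]


def count_overwrites_after(events, change):
    """Overwrites by the same user in the same library within BURST_WINDOW."""
    start = parse_time(change["time"])
    end = start + BURST_WINDOW
    return sum(1 for e in events
               if e["op"] == "FileModified"
               and e["user"] == change["user"]
               and e["library"] == change["library"]
               and start <= parse_time(e["time"]) <= end)


def build_alerts(events):
    """One alert per risky limit change, rated by the overwrite activity after it."""
    alerts = []
    for change in find_risky_limit_changes(events):
        overwrites = count_overwrites_after(events, change)
        severity = "high" if overwrites >= BURST_THRESHOLD else "medium"
        alerts.append({
            "user": change["user"],
            "library": change["library"],
            "old_limit": change["old_limit"],
            "new_limit": change["new_limit"],
            "overwrites_in_window": overwrites,
            "severity": severity,
            "action": "Confirm the change with the user, restore the version limit, "
                      "and review the overwritten files while prior versions may still be recoverable",
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(build_sample_events()):
        print(alert)
```

Running the block prints two alerts: a high-severity one for the constructed "alice" account (limit cut to 1, 25 overwrites in the window) and a medium-severity one for "carol" (limit cut to 5, no overwrites yet); the "bob" change stays above the floor and is not reported. The window and thresholds are tuning knobs; the point of the rule is that a limit reduction by itself is rare enough to warrant review, and a reduction followed by mass modification is the pattern the article describes.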

The cyber security firm also advised to improve security hygiene around ransomware, as well as ensure response and investigation measures incorporate Office 365 and Microsoft 365.

Proofpoint added that it has made the discovery known to Microsoft, but the flaw currently remains open for exploitation. In response, Microsoft said the configuration functionality for versioning settings is working as intended, while older versions of files are potentially able to be restored for an additional 14 days via Microsoft Support.

However, Proofpoint said its own attempts to retrieve and restore old versions using this process “were not successful.”
