Security researchers at Proofpoint have analyzed a “dangerous piece of functionality” that could potentially enable unauthorized access to files stored on SharePoint and OneDrive.
More specifically, the flaw would allow ransomware to encrypt files stored on the cloud apps via the Microsoft 365 AutoSave feature in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
“Our research focused on two of the most popular enterprise cloud apps - SharePoint Online and OneDrive within the Microsoft 365 and Office 365 suites and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure,” Proofpoint wrote in an advisory.
In terms of how the exploit would work, the security researchers said the first step would be to gain access to SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
According to Proofpoint, the three most common ways to obtain the initial foothold involved breaching the account via brute-force attacks or phishing, tricking a user into authorizing a rogue third-party OAuth application or taking over the web session of a logged-in user.
After that, an attacker would have access to any file owned by the compromised user or controlled by the third-party OAuth application (including the user’s OneDrive account), so they could progress to encrypt them.
In order to do so successfully, Proofpoint said malicious actors would reduce the versioning limit of files to a low number (ideally 1) and then encrypt them more times than the versioning limit (so that no previous, unencrypted versions could be accessed).
“In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic,” read the advisory.
Proofpoint also listed a series of best practices aimed at mitigating the impact of these malicious attempts.
These include enforcing a strong password policy, increasing multi-factor authentication (MFA) usage and establishing a least-privileges, principles-based access policy across cloud apps.
The news comes amid a recent increase in cloud threats, as described by Netskope’s cyber intelligence principal Paolo Passeri.