Security researchers say threat actors could exploit a bug in Microsoft Office 365 and manipulate functionality to target OneDrive and SharePoint content. Specifically, users could be targeted with ransomware attacks.
Researchers with Proofpoint say the issue stems from an incorrect belief that SharePoint/OneDrive files stored through “auto-save” and backed up in the cloud are automatically protected from ransomware. However, this is not true in many instances, leaving files potentially vulnerable.
“Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” claim the researchers.
Attacks begin with an attempt to compromise the account credentials of an Office 365 customer. If successful, the threat actor is able to take over the account, breach data, and initiate the ransomware.
Proofpoint says it is bringing this to the attention of users so they know that the “auto-save” feature does not help to prevent ransomware attacks, at least not as much as first thought. Any precautions in place within auto-save and cloud backups can be overcome by attackers changing versioning limits.
Essentially, the threat actor can encrypt all known versions of a file, even those backed up.
“Most OneDrive accounts have a default version limit of 500 [version backups]. An attacker could edit files within a document library 501 times. Now, the original (pre-attacker) version of each file is 501 versions old, and therefore no longer restorable,” researchers wrote.
“Encrypt the file(s) after each of the 501 edits. Now all 500 restorable versions are encrypted. Organizations cannot independently restore the original (pre-attacker) version of the files even if they attempt to increase version limits beyond the number of versions edited by the attacker. In this case, even if the version limit was increased to 501 or more, the file(s) saved 501 versions or older cannot be restored.”
In response, Microsoft says the “configuration functionality for versioning settings within lists is working as intended,” according to Proofpoint. In a statement to the researcher, Microsoft also says “older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support.”
Proofpoint disagrees and says it tried to retrieve and restore older versions with Microsoft Support, but could not do so. To protect Office 365, the security researcher says users should beef up security around their accounts with strong passwords, multi-factor authentication, and external backups.
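The version-limit arithmetic the researchers describe can be turned into a monitoring check over file-activity events. The following is an added example, not code from Proofpoint or Microsoft; the event schema, account names, library names and file names are constructed for illustration and do not mirror the Microsoft 365 audit log format.

```python
from collections import defaultdict

DEFAULT_LIMIT = 500  # default version limit quoted in the article


def find_version_exhaustion(events, default_limit=DEFAULT_LIMIT):
    """Scan time-ordered events (hypothetical schema, see sample_events)."""
    limit = defaultdict(lambda: default_limit)  # library -> version limit
    streak = {}    # (library, file) -> (user, consecutive edits by that user)
    flagged = set()
    findings = []
    for ev in events:
        lib, user = ev["library"], ev["user"]
        if ev["op"] == "set_limit":
            old, limit[lib] = limit[lib], ev["value"]
            if ev["value"] < old:
                findings.append(("limit_lowered", lib, user, old, ev["value"]))
        elif ev["op"] == "edit":
            key = (lib, ev["file"])
            prev_user, count = streak.get(key, (user, 0))
            count = count + 1 if prev_user == user else 1
            streak[key] = (user, count)
            # More consecutive edits by one account than retained versions:
            # every restorable version was written by that account.
            if count > limit[lib] and key not in flagged:
                flagged.add(key)
                findings.append(("history_exhausted", lib, ev["file"], user, count))
    return findings


def sample_events():
    """Constructed sample data; accounts, libraries and files are made up."""
    def edit(user, lib, name):
        return {"user": user, "op": "edit", "library": lib, "file": name}
    events = [edit("acct-a", "Docs", "notes.txt") for _ in range(3)]
    events += [edit("acct-b", "Docs", "plan.docx") for _ in range(501)]
    events.append({"user": "acct-b", "op": "set_limit", "library": "Finance", "value": 1})
    events += [edit("acct-b", "Finance", "q1.xlsx") for _ in range(2)]
    return events


if __name__ == "__main__":
    for finding in find_version_exhaustion(sample_events()):
        print(finding)
```

A lowered version limit followed by a handful of edits produces the same finding as 501 edits at the default limit, which is why the limit change is reported on its own as well.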