Sunday, April 27, 2025
HomeCyber Security NewsNew SharePoint Technique Lets Hackers Bypass Security Measures

New SharePoint Technique Lets Hackers Bypass Security Measures

Published on

SIEM as a Service

Follow Us on Google News

Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.

Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.

Security researchers from Varonis Threat Labs discovered two SharePoint techniques.

- Advertisement - Google News

Open-in-App Method

The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.

While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.

Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

This subtle footprint can easily be overlooked, as it does not resemble a typical download event.

The exploitation of this method can be carried out manually or automated through a PowerShell script.

When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.

The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.

SkyDriveSync User-Agent

The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.

By masquerading as the sync client, attackers can download files or even entire SharePoint sites.

These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.

This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.

The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.

Microsoft’s Response and Security Patch Backlog

Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.

They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.

The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.

Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.

To combat these vulnerabilities, organizations are advised to implement additional detection strategies.

Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.

Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.

Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.

Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...

New AI-Generated ‘TikDocs’ Exploits Trust in the Medical Profession to Drive Sales

AI-generated medical scams across TikTok and Instagram, where deepfake avatars pose as healthcare professionals...

Gamers Beware! New Attack Targets Gamers to Deploy AgeoStealer Malware

The cybersecurity landscape faces an escalating crisis as AgeoStealer joins the ranks of advanced...

Compliance And Governance: What Every CISO Needs To Know About Data Protection Regulations

The cybersecurity landscape has changed dramatically in recent years, largely due to the introduction...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...

New AI-Generated ‘TikDocs’ Exploits Trust in the Medical Profession to Drive Sales

AI-generated medical scams across TikTok and Instagram, where deepfake avatars pose as healthcare professionals...

Gamers Beware! New Attack Targets Gamers to Deploy AgeoStealer Malware

The cybersecurity landscape faces an escalating crisis as AgeoStealer joins the ranks of advanced...