Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.
Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.
Security researchers from Varonis Threat Labs discovered two SharePoint techniques.
The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.
While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.
Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .
This subtle footprint can easily be overlooked, as it does not resemble a typical download event.
The exploitation of this method can be carried out manually or automated through a PowerShell script.
When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.
The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.
The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.
By masquerading as the sync client, attackers can download files or even entire SharePoint sites.
These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.
This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.
The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.
Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.
They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.
The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.
Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.
To combat these vulnerabilities, organizations are advised to implement additional detection strategies.
Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.
Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.
Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.
Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…