web analytics
Home » Technology » Internet » Microsoft Office 365 and Onedrive Vulnerability Still Open To Ransomware attacks

Microsoft Office 365 and Onedrive Vulnerability Still Open To Ransomware attacks


Cybercriminals are now hunting SharePoint and OneDrive accounts to encrypt data and extort users. While this is primarily “lucrative” for businesses, it can also affect individuals. That’s what they are doing now Proofpoint Security Researchers In the past week, researchers revealed a vulnerability in a Microsoft 365 feature that opens up new cloud-based attack vectors for hackers. Proofpoint’s findings explain how malicious actors can use basic functions in the applications to encrypt files and make ransom demands. This vulnerability gives hackers another way to attack cloud-based data and infrastructure.

It all starts with access to the cloud

The vulnerability is based on a four-step attack chain that begins with a user’s identity being compromised. For example, user accounts can be compromised by brute force or phishing attacks, improper authorization via third-party OAuth apps, or hijacked user sessions.

The attacker then uses the person’s credentials to access their SharePoint or OneDrive accounts. There it changes the version control setting and encrypts the files multiple times so that no unencrypted version of the compromised files is left behind. Once files are encrypted, they can only be accessed with the correct decryption keys – and that can get expensive.

Document changes logged

Versioning is a feature in SharePoint and OneDrive that creates a record for each file, logging all document changes and the users who made those changes. Users with appropriate permissions can view, delete, or restore previous versions of the document.

The number of versions tracked is determined by the version settings in the application. These version settings do not require administrator rights and are therefore easy for hackers to change.

More changes than saved versions

Changing the number of document versions preserved is key to this exploit. The attacker configures the version settings to keep only a desired number of versions per file. The files are then encrypted more times than the number of saved versions, leaving no recoverable backup versions.

Encryption is not the only way that version control can be exploited. Another option is to re-modify files for so long and for so long that no original file is left behind. In all cases, only the attackers can access an original and try to extort victims into paying the ransom.