Chris Swagler | June 21st, 2022

Security researchers have identified a potentially dangerous feature in the Microsoft 365 suite and warned that threat actors can abuse it to attack cloud infrastructure and hold files stored on SharePoint Online and OneDrive to ransom. Companies rely on these services for cloud-based collaboration, document management, and storage.

A ransomware attack on the cloud lets threat operators encrypt files stored on SharePoint and OneDrive in place, leaving them unrecoverable without independent backups or a decryption key from the attackers. If backups aren't available, ransomware targeting files on these services can have serious consequences, rendering critical data inaccessible to its owners and working groups.

The infection sequence for these attacks can be carried out with a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts. According to the researchers, a successful attack depends on abusing the versioning behaviour behind the AutoSave feature, which keeps older copies of a file each time a user edits it. Once threat actors gain unauthorized access to a targeted user's SharePoint or OneDrive account, they abuse that access to exfiltrate and then encrypt files.

The three most common ways to obtain the initial foothold are compromising accounts through phishing or brute-force attacks, deceiving users into authorizing a rogue third-party OAuth application, and hijacking a logged-in user's web session. Once inside an account, threat operators can use Microsoft APIs and PowerShell scripts to automate malicious actions across large document lists. The encryption step differs from traditional endpoint ransomware in that each file on SharePoint Online or OneDrive must be overwritten more times than the library's versioning limit allows, so that no clean version remains in the version history.

To speed up the locking stage and make recovery harder, threat actors first reduce the library's versioning limit and then modify every file more times than the new limit permits. This does not require tenant administrator privileges; it can be done from any compromised account that has permission to change the document library's settings. According to the researchers, threat operators can set the number of retained versions to "1" and then encrypt the data twice. When a file is encrypted or otherwise modified twice with the version limit set to "1," the original document is no longer available through OneDrive's version history and cannot be restored from it.

Another method is to use automated scripts to edit each file 501 times, one more than the 500-version limit on OneDrive. Although this approach is noisier and more likely to trigger alerts, it remains viable. Once the documents are encrypted, threat actors can demand a ransom in exchange for unlocking them. To increase the pressure, they can also steal the original documents before encrypting them and threaten to expose the data, a tactic that is feasible and can prove effective, especially when backups are unavailable.
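As an added illustration of how the two patterns just described would surface in telemetry (this is the editor's example, not code from the original article or from the researchers), the following Python reads exported Microsoft 365 unified audit log records and flags (a) one account rewriting the same file more than a threshold number of times within an hour and (b) an account changing a document library's settings and then modifying files inside that library. The sample records are constructed; the tenant name contoso.example, the user names, the thresholds, and the use of the "ListUpdated" operation as the signal for a versioning-settings change are assumptions to validate against your own tenant's logs.

```python
"""Detection example: find the two SharePoint/OneDrive versioning-abuse
patterns in exported Microsoft 365 unified audit log records.

The sample records below are constructed for this example; they are not
real tenant data. Field names (CreationTime, Operation, UserId, ObjectId,
Workload) follow the unified audit log schema. Treating the "ListUpdated"
operation as the signal for a library's versioning settings being changed
is an assumption to verify against your own tenant's logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed library URL used by the sample data (assumption).
VICTIM_LIB = "https://contoso.example/sites/finance/Shared Documents"


def build_sample_export() -> str:
    """Return constructed audit records as JSON Lines (one record per line)."""
    t0 = datetime(2022, 6, 21, 9, 0, 0)
    recs = []

    def add(seconds, op, user, obj):
        recs.append({
            "CreationTime": (t0 + timedelta(seconds=seconds)).isoformat(),
            "Operation": op,
            "UserId": user,
            "ObjectId": obj,
            "Workload": "SharePoint",
        })

    # Benign baseline: a user saves one workbook every ten minutes.
    for i in range(5):
        add(i * 600, "FileModified", "alice@contoso.example", f"{VICTIM_LIB}/budget.xlsx")
    # Method 1: the library's versioning limit is lowered, then each file is
    # overwritten twice so no clean version remains.
    add(3600, "ListUpdated", "mallory@contoso.example", VICTIM_LIB)
    for i in range(2):
        add(3660 + i * 60, "FileModified", "mallory@contoso.example", f"{VICTIM_LIB}/contracts.docx")
    # Method 2: one file rewritten 501 times, one write per second, to push
    # every clean version past the 500-version limit.
    for i in range(501):
        add(7200 + i, "FileModified", "mallory@contoso.example", f"{VICTIM_LIB}/q2-report.pptx")
    return "\n".join(json.dumps(r) for r in recs)


def load_audit_records(export_text: str) -> list:
    """Parse a JSON Lines export into a list of record dicts."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def detect_version_abuse(records, burst_threshold=50, window=timedelta(hours=1)):
    """Return suspicious activity keyed by pattern.

    edit_bursts:          (user, file, count) where one user modified one file
                          more than burst_threshold times inside a sliding window.
    settings_then_edits:  (user, library, [files]) where a user changed a
                          library's settings and then modified files inside it.
    """
    settings_changes = []
    edits = defaultdict(list)  # (user, object URL) -> [timestamps]
    for r in records:
        if r.get("Workload") not in ("SharePoint", "OneDrive"):
            continue
        key = (r["UserId"], r["ObjectId"])
        if r["Operation"] == "ListUpdated":
            settings_changes.append(key)
        elif r["Operation"] == "FileModified":
            edits[key].append(datetime.fromisoformat(r["CreationTime"]))

    edit_bursts = []
    for (user, obj), times in edits.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # two-pointer sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > burst_threshold:
            edit_bursts.append((user, obj, peak))

    settings_then_edits = []
    for user, lib in settings_changes:
        touched = sorted(obj for (u, obj) in edits if u == user and obj.startswith(lib + "/"))
        if touched:
            settings_then_edits.append((user, lib, touched))

    return {"edit_bursts": edit_bursts, "settings_then_edits": settings_then_edits}


if __name__ == "__main__":
    findings = detect_version_abuse(load_audit_records(build_sample_export()))
    for kind, hits in findings.items():
        for hit in hits:
            print(kind, hit)
```

The burst threshold is deliberately far below 501: an attacker who has lowered the limit to "1" only needs two writes per file, so the settings-change correlation is the signal that catches the quieter variant, while the burst check catches the 501-edit variant even when the settings change was missed.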

For companies that may be targets of cloud-focused attacks, the recommended security practices are to enforce a strong password policy, require multi-factor authentication (MFA), prevent large-scale data downloads to unmanaged devices, and regularly maintain external backups of cloud files that contain sensitive data.

It's critical for companies to remain alert to the current threat landscape and to keep offline backups of their OneDrive and SharePoint data. At SpearTip, our remediation experts focus on restoring companies' operations, reclaiming their networks by isolating malware, and recovering the business-critical assets needed to operate. Our certified engineers examine a company's entire security posture to shore up weak points in its networks. The ShadowSpear Platform, our endpoint detection and response tool, delivers a cloud-based solution that collects endpoint logs regardless of machine location.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.