Security researchers are warning that threat actors could hijack Office 365 accounts, encrypt files stored in SharePoint and OneDrive, and then demand a ransom. This poses a particular threat to companies that use these services for cloud-based collaboration, document management and storage but do not have backups readily available outside them.
According to the researchers, the attack relies on abusing the “AutoSave” feature, which writes each edit to the cloud and keeps older versions of the file in the document library’s version history. Compromising a Microsoft 365 account in the first place is straightforward through phishing or a malicious OAuth app. Once inside, attackers use Microsoft APIs and PowerShell scripts to automate the malicious actions across large document lists. The most effective tactic is to change the versioning setting on a document list: the attacker reduces the number of retained versions to one and then encrypts each file twice, after which the original document is no longer available in the version history. A “louder” approach uses automated scripts to edit each file 501 times, exhausting the default limit of 500 stored versions in OneDrive so that the original version is pushed out of the history. Either tactic leaves the attacker able to demand a ransom in exchange for unlocking the files.
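The following Python model is an added illustration of why the quiet tactic needs two overwrites and the loud one needs 501 edits; it is not code from the article, from Proofpoint or from Microsoft. It assumes that a version limit of N keeps the N most recent prior versions in the history alongside the current file and drops the oldest one when a save pushes the history past N, which is the reading under which both numbers in the article hold. The library and file names, the sample content, the XOR stand-in for encryption and the audit floor of 100 are all invented for the example.

```python
"""Simplified model of SharePoint/OneDrive version retention.

Written for this write-up, not Microsoft's code or API. Assumption: a
library's version limit N keeps the N most recent prior versions in its
version history in addition to the current file, and the oldest prior
version is dropped whenever a save pushes the history past N. Under that
reading both numbers in the article hold: limit 1 needs two overwrites,
limit 500 needs 501 edits.
"""
from dataclasses import dataclass, field

DEFAULT_VERSION_LIMIT = 500  # default major-version limit named in the article


@dataclass
class Document:
    current: bytes
    history: list = field(default_factory=list)  # prior versions, oldest first


@dataclass
class DocumentLibrary:
    version_limit: int = DEFAULT_VERSION_LIMIT
    docs: dict = field(default_factory=dict)

    def upload(self, name: str, content: bytes) -> None:
        self.docs[name] = Document(current=content)

    def set_version_limit(self, limit: int) -> None:
        # Modelled as taking effect at the next save, not retroactively.
        self.version_limit = limit

    def save(self, name: str, content: bytes) -> None:
        doc = self.docs[name]
        doc.history.append(doc.current)
        doc.current = content
        excess = len(doc.history) - self.version_limit
        if excess > 0:
            del doc.history[:excess]  # oldest versions are trimmed first

    def clean_copy_available(self, name: str, original: bytes) -> bool:
        """True if the pre-attack content is still the live file or a restorable version."""
        doc = self.docs[name]
        return doc.current == original or original in doc.history


def toy_encrypt(data: bytes, key: int) -> bytes:
    """Stand-in for the attacker's encryption. XOR is not encryption; it only
    produces content that differs from the original for each non-zero key."""
    return bytes(b ^ key for b in data)


def quiet_tactic(original: bytes) -> tuple:
    """Lower the limit to 1, then overwrite twice. Returns whether a clean copy
    survives after the first and after the second overwrite."""
    lib = DocumentLibrary()
    lib.upload("q3-forecast.xlsx", original)  # constructed sample file
    lib.set_version_limit(1)
    lib.save("q3-forecast.xlsx", toy_encrypt(original, 0x5A))
    after_first = lib.clean_copy_available("q3-forecast.xlsx", original)
    lib.save("q3-forecast.xlsx", toy_encrypt(original, 0xA5))
    after_second = lib.clean_copy_available("q3-forecast.xlsx", original)
    return after_first, after_second


def loud_tactic(original: bytes, edits: int) -> bool:
    """Leave the default limit of 500 in place and overwrite `edits` times.
    Returns whether a clean copy survives."""
    lib = DocumentLibrary()
    lib.upload("q3-forecast.xlsx", original)
    for i in range(edits):
        lib.save("q3-forecast.xlsx", toy_encrypt(original, 1 + i % 255))
    return lib.clean_copy_available("q3-forecast.xlsx", original)


def audit_version_limits(libraries: dict, floor: int = 100) -> list:
    """Defender-side check: names of libraries whose limit fell below `floor`.
    The floor of 100 is an assumed baseline, not a Microsoft-documented value."""
    return sorted(name for name, lib in libraries.items() if lib.version_limit < floor)


if __name__ == "__main__":
    sample = b"CONFIDENTIAL: Q3 forecast"  # constructed sample content
    print("quiet tactic, clean copy after 1st/2nd overwrite:", quiet_tactic(sample))
    print("loud tactic, clean copy after 500 edits:", loud_tactic(sample, 500))
    print("loud tactic, clean copy after 501 edits:", loud_tactic(sample, 501))
    tenant = {"Finance": DocumentLibrary(version_limit=1), "HR": DocumentLibrary()}
    print("libraries with suspicious version limits:", audit_version_limits(tenant))
```

The model makes the arithmetic visible: with the limit at 1 the original survives the first overwrite as the single retained version and is evicted by the second; with the default 500 it survives 500 edits and is evicted by the 501st. The `audit_version_limits` helper is the kind of check a defender can run against real libraries, since a limit that suddenly drops far below the default is a strong signal of this tactic.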
Microsoft is aware that the versioning setting can be abused in this way, but maintains that the ability to configure it is intended functionality. In a statement it reassured customers that anyone who loses data through these methods can get recovery help from Microsoft Support for up to 14 days after the incident. However, cybersecurity firm Proofpoint reports that it tried to restore data through Microsoft’s intended method and failed. Companies exposed to cloud attacks are advised to enforce multi-factor authentication, keep regular backups that do not depend on SharePoint version history, hunt for malicious OAuth apps and revoke their tokens, and add the immediate restoration of versions and files to the incident response checklist.