Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt files stored in SharePoint and OneDrive for a ransom. This poses a unique threat to companies using these services for cloud-based collaboration, document management, and storage that do not have backups readily available.
Researchers reported that the attack’s success relies on abusing the “AutoSave” feature, which creates cloud backups of older file versions. Microsoft 365 accounts can be compromised easily through phishing or malicious OAuth apps. Once inside, attackers use Microsoft APIs and PowerShell scripts to automate malicious actions across large document lists. The most effective tactic abuses the versioning setting on document lists: the attacker reduces the number of retained file versions to one and then encrypts the data twice, so that the only stored version is already encrypted and the original document is no longer available. A “louder” approach using automated scripts is also a concern: it edits each file 501 times, exceeding the maximum of 500 file versions that OneDrive stores, so that every unencrypted version is pushed out of the history. Both tactics leave the attacker able to demand a ransom in exchange for unlocking the files.
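The “louder” variant described above leaves a distinctive trace in the Microsoft 365 unified audit log: one account modifying the same file more than 500 times in a short period. The following detection heuristic is an added example, not code from the original report or from Microsoft; it uses the real audit log field names (CreationTime, Operation, UserId, ObjectId) but all record values, user names and paths are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: flag (user, file) pairs whose FileModified events in any sliding
# window exceed the default version cap, i.e. enough edits to push every earlier
# (unencrypted) version out of the OneDrive / SharePoint version history.
# Field names follow the unified audit log schema; all values are constructed.

VERSION_CAP = 500  # default number of stored versions in OneDrive / SharePoint


def _ts(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def find_version_exhaustion(records, window=timedelta(hours=1), cap=VERSION_CAP):
    """Return {(user, file): peak_edits_in_window} for every pair whose
    FileModified count inside some `window` is greater than `cap`."""
    per_pair = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "FileModified":
            per_pair[(rec["UserId"], rec["ObjectId"])].append(_ts(rec))
    hits = {}
    for pair, times in per_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > cap:
            hits[pair] = peak
    return hits


def build_sample_log():
    """Constructed audit records: one legitimate editor making a few edits, and
    one account that rewrites two files 501 times each within ten minutes."""
    base = datetime(2022, 6, 20, 9, 0, 0)

    def rec(user, path, t):
        return {"CreationTime": t.strftime("%Y-%m-%dT%H:%M:%S"),
                "Operation": "FileModified", "UserId": user, "ObjectId": path}

    site = "https://contoso.sharepoint.com/sites/finance/Shared Documents/"
    log = [rec("alice@contoso.com", site + "budget.xlsx", base + timedelta(minutes=15 * i))
           for i in range(4)]
    for name in ("q2-forecast.docx", "vendors.xlsx"):
        log += [rec("svc-sync@contoso.com", site + name, base + timedelta(seconds=i))
                for i in range(VERSION_CAP + 1)]
    return log


if __name__ == "__main__":
    for (user, path), n in find_version_exhaustion(build_sample_log()).items():
        print(f"ALERT {user} modified {path.rsplit('/', 1)[-1]} {n} times within one hour")
```

Lowering the threshold below the tenant's configured version limit, or alerting on a single account touching many distinct files in a short window, catches the same pattern earlier than waiting for the full 501 edits.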