Recent SharePoint Method Enables Hackers to Evade Security Measures

Two recently discovered SharePoint techniques empower malicious actors to circumvent conventional security measures and extract sensitive data covertly, evading detection mechanisms.

These techniques involve disguising illicit file downloads as innocuous activities, thereby complicating detection by cybersecurity defenses. Varonis Threat Labs uncovered these two methods.

Recent SharePoint Technique
The first technique, labeled the “Open in App Method,” abuses a SharePoint feature that lets users open documents directly in their associated desktop applications.

Though intended for user convenience, this feature has inadvertently introduced a vulnerability for potential data breaches.

Attackers use the same code path that underlies this feature to read and save files, leaving only an access event, rather than a download event, in the file’s audit log.

This inconspicuous footprint may go unnoticed since it doesn’t resemble a typical download event.

The technique can be carried out manually or automated with a PowerShell script.

When automated, the script can swiftly exfiltrate numerous files, drastically increasing potential damage.

Using the SharePoint client object model (CSOM), the script fetches files from the cloud and saves them locally without generating download log entries.

The second technique involves spoofing the User-Agent string of the Microsoft SkyDriveSync client (the sync client now known as OneDrive), as reported by Varonis.

By impersonating the sync client, attackers can download files or entire SharePoint sites.

These downloads are disguised as file synchronization events, evading security measures meant to detect and log file downloads.

This method is especially insidious because it enables large-scale data exfiltration, and the sync disguise makes it harder for security tools to distinguish legitimate from malicious activity.

Security Patch

Varonis researchers notified Microsoft of these vulnerabilities in November 2023. Microsoft acknowledged them as “moderate” security risks, adding them to their patch backlog program for future fixes.

These findings highlight the dangers linked with SharePoint and OneDrive, particularly when permissions are misconfigured. Organizations using these services for collaboration should be proactive in managing access rights to mitigate the risk of unauthorized data access.

Organizations should bolster detection efforts to counter these vulnerabilities.

Crucially, monitoring for atypical access patterns, including signs of the “Open in App Method,” is essential.

Verifying sync activities against expected user behavior can uncover misuse of the SkyDriveSync User-Agent technique.
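The two detection recommendations above, watching for bursts of access-only events and checking sync-client activity against the users expected to run a sync client, can be expressed as simple audit-log rules. The following is an added example written for this article; it is not code from Varonis, Microsoft, or the original post. The records are constructed, and the field names (CreationTime, UserId, Operation, ObjectId, UserAgent) and operation names (FileAccessed, FileDownloaded, FileSyncDownloadedFull) are assumed to follow the Microsoft 365 unified audit log schema; the user names, paths, User-Agent strings and thresholds are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _rec(user, op, obj, agent, minute, second=0):
    """Build one constructed audit record as a JSON line (sample data, not a real export)."""
    ts = datetime(2024, 1, 15, 9, minute, second, tzinfo=timezone.utc)
    return json.dumps({
        "CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"),
        "UserId": user,
        "Operation": op,
        "ObjectId": obj,
        "UserAgent": agent,
    })


# Constructed User-Agent strings; the real sync client identifies itself with "SkyDriveSync".
BROWSER_UA = "Mozilla/5.0 (constructed browser UA)"
SYNC_UA = "Microsoft SkyDriveSync 00.000.0000.0000 (constructed)"

# Constructed sample log: alice shows the "access events only" footprint,
# bob is normal interactive use, dave is an approved sync client, carol is
# sync-client activity from a user who is not expected to sync anything.
SAMPLE_LOG = [
    *[_rec("alice@contoso.example", "FileAccessed", f"/sites/finance/doc{i}.xlsx", BROWSER_UA, 1, i * 2)
      for i in range(25)],
    _rec("bob@contoso.example", "FileAccessed", "/sites/hr/policy.docx", BROWSER_UA, 2),
    _rec("bob@contoso.example", "FileDownloaded", "/sites/hr/policy.docx", BROWSER_UA, 2, 5),
    _rec("bob@contoso.example", "FileAccessed", "/sites/hr/handbook.docx", BROWSER_UA, 10),
    *[_rec("dave@contoso.example", "FileSyncDownloadedFull", f"/sites/eng/spec{i}.md", SYNC_UA, 3, i)
      for i in range(5)],
    *[_rec("carol@contoso.example", "FileSyncDownloadedFull", f"/sites/legal/contract{i}.pdf", SYNC_UA, 4, i)
      for i in range(40)],
]


def parse_events(lines):
    """Parse JSON-line audit records and convert CreationTime to a datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["CreationTime"] = datetime.strptime(
            rec["CreationTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def flag_access_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Return {user: access_count} for users with at least `threshold` FileAccessed
    events inside any `window` and no FileDownloaded event in that window.
    Many accesses with no download is the footprint the Open in App method leaves."""
    by_user = defaultdict(list)
    for e in events:
        if e["Operation"] in ("FileAccessed", "FileDownloaded"):
            by_user[e["UserId"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["CreationTime"])
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["CreationTime"] - start["CreationTime"] <= window]
            accesses = sum(1 for e in win if e["Operation"] == "FileAccessed")
            downloads = sum(1 for e in win if e["Operation"] == "FileDownloaded")
            if accesses >= threshold and downloads == 0:
                flagged[user] = accesses
                break
    return flagged


def flag_unexpected_sync_agents(events, approved_sync_users):
    """Return {user: event_count} for sync-client activity (SkyDriveSync User-Agent
    or FileSync* operations) from users not on the approved sync-client list."""
    counts = defaultdict(int)
    for e in events:
        is_sync = "SkyDriveSync" in e.get("UserAgent", "") or e["Operation"].startswith("FileSync")
        if is_sync and e["UserId"] not in approved_sync_users:
            counts[e["UserId"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("access bursts without downloads:", flag_access_bursts(evs))
    print("sync activity from unapproved users:",
          flag_unexpected_sync_agents(evs, approved_sync_users={"dave@contoso.example"}))
```

The approved-sync-user set stands in for whatever inventory of managed devices and sync-enabled accounts an organization keeps; the threshold and window are starting points to tune against a baseline of normal interactive use, since a single "Open in App" click is ordinary behaviour and only the volume and absence of download events make the pattern suspicious.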

Additionally, organizations must prioritize reviewing and tightening permissions in SharePoint and OneDrive environments.

Regular audits and security policy updates are vital for preventing threat actors from exploiting such vulnerabilities.

About the Author:

FirstHackersNews- Identifies Security
