Microsoft Office 365 is a subscription-based online version of Microsoft Office, which includes SharePoint Online, Lync Online, Exchange Online, and Microsoft Office Web apps. Recently, security researchers highlighted a security loophole in MS Office 365. They said secure cloud file storage may get infected and encrypted by ransomware if attackers hijack Office 365 accounts.
Threat to secure cloud file storage through Office 365
Security researchers discovered a flaw in the Office 365 suite that lets threat actors mount ransomware attacks on secure cloud file storage. Once attackers control an account, the files it holds on OneDrive and SharePoint can be encrypted wholesale. Compromising MS Office 365 accounts is possible through malicious OAuth apps or phishing techniques.
After hijacking an account, attackers can use PowerShell scripts, command-line interface (CLI) scripts or Microsoft APIs to automate malicious actions across many documents and files. With these, they can run file-encrypting malware against files shared in the cloud (SharePoint and OneDrive), leaving them unrecoverable without a dedicated backup.
Proofpoint stated, "Our research focused on two of the most popular enterprise cloud apps – SharePoint Online and OneDrive – within the Microsoft 365 and Office 365 suites and shows that ransomware actors can now target organizations' data in the cloud and launch attacks on cloud infrastructure."
According to the security firm, at the core of this attack technique is the abuse of an Office 365 feature known as AutoSave. AutoSave automatically retains copies of earlier file versions as users edit a file stored on SharePoint Online or OneDrive.
How can the attack on secure cloud file storage take place through Office 365 suite?
According to Proofpoint, there is a specific attack chain that the attackers can follow to accomplish this. Once the attacker gains access to the secure cloud file storage, they can deploy encryption malware. Here is the attack chain:
The attackers gain access through malicious OAuth apps: using phishing techniques, they trick victims into authorizing a rogue third-party application. They may also brute-force the victim's credentials or take over logged-in web sessions.
Discovery after account takeover:
Once the attacker has access to the files the victim owns, they search for files and locations worth targeting. The attackers may also compromise the user's OneDrive account.
Collection & Exfiltration:
The attackers reduce the version limit on the victim's files to a low number, such as 1, and then encrypt the files, so that no recoverable earlier version remains in the version history. Some attackers also exfiltrate unencrypted files and threaten to release them publicly as part of a double-extortion tactic.
Ask for ransom:
Since all the original files are lost after encryption, the only way to get these files back is through the decryption key provided by the attacker. At this point, the attacker will ask for ransom.
How to protect your organization from this threat
Here are a few tools and techniques you can leverage to protect yourself from ransomware and security breaches.
Cloud recovery and backup:
Enterprises should enable disaster recovery and backup management services in the cloud. So, even if the ransomware encrypts all the organization's files, the IT team can restore them through backup.
Robust access management systems:
Access management systems with multi-factor authentication (MFA), password policies, least-privilege access, and adaptive or risk-based authentication can deter attackers.
Data loss prevention:
Enterprises can also leverage cloud-based data loss prevention tools to limit what attackers are able to exfiltrate.
Train and educate employees against cyber attacks:
Educate employees about ransomware, phishing and cyber hygiene, including how to recognize phishing and brute-force attempts and the importance of logging out of web sessions.
Enterprises can contact security solution providers to understand their vulnerabilities and draft a preventive action plan.
Companies must put adequate safeguards in place against attackers exploiting the flaw to encrypt a user's cloud (SharePoint and OneDrive account) files. Enterprises can enable cloud backup and recovery, employ robust access management, use data loss prevention tools, and educate employees about cyber attacks. Cybersecurity solution providers can also help you understand potential vulnerabilities and take preventive measures.