SharePoint security flaw helps criminals evade detection

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

New research has uncovered two new techniques that allow hackers to exfiltrate files from Sharepoint without triggering download events.

A report from Varonis Threat Labs found the techniques used allow threat actors to avoid detection by hiding the download of exfiltrated files as more inconspicuous access and synchronization events.

By using this method, the threat actors can dodge the traditional cloud access security and data loss prevention tools that would otherwise detect the intrusion.

Two ways to escape

The first technique, described by Varonis as the ‘Open in App Method’, takes advantage of code used in the ‘open in app’ feature of Sharepoint, allowing the threat actor to access and download files via Sharepoint either through a Powershell script or manually, leaving just a single trace of evidence behind - the access event in the file’s audit log.

The second method, described as ‘SkyDriveSync User-Agent’, mislabeled file events as synchronisations rather than downloads by abusing the User-Agent for Microsoft SkyDriveSync, allowing the threat actor to hide almost completely from policy enforcement, audit logs, and detection.

Both methods allow threat actors to extract huge volumes of data very quickly, and while no patch has been made available for these vulnerabilities by Microsoft, Varonis Threat Labs recommends that access events be monitored closely across both SharePoint and OneDrive.

Microsoft recently released a vulnerability patch that addressed 149 security flaws, two of which were critical zero-day vulnerabilities.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read more
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
A pair of hands using a keyboard
Microsoft SharePoint hijacked to spread Havoc malware
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Hands typing on a keyboard surrounded by security icons
Infostealers on the rise: the latest concern for organizational defenses
Best email services: image of email with one unread message alert
Over 400 million unwanted and malicious emails were received by businesses in 2024
Latest in Pro
Representational image of a shrouded hacker.
Adapting the UK’s cyber ecosystem
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
Context Windows
Why are AI context windows important?
BERT
What is BERT, and why should we care?
A person holding out their hand with a digital AI symbol.
AI is booming — but are businesses seeing real impact?
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time