Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.
Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.
Security researchers from Varonis Threat Labs discovered two SharePoint techniques.
Open-In-App Method
The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.
While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.
Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.
This subtle footprint can easily be overlooked, as it does not resemble a typical download event.
The exploitation of this method can be carried out manually or automated through a PowerShell script.
When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.
The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.
SkyDriveSync User-Agent
The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.
By masquerading as the sync client, attackers can download files or even entire SharePoint sites.
These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.
This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.
The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.
Microsoft’s Response And Security Patch Backlog
Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.
They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.
The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.
Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.
To combat these vulnerabilities, organizations are advised to implement additional detection strategies.
Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.
Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.
Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.
Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.
Permissions Management in SharePoint Online – A Practical Guide
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
