Hijacking Microsoft Office 365 accounts can allow threat actors to encrypt files that businesses store in OneDrive and SharePoint. Without proper backups, the attack would be as severe as an attack involving malware.
Most ransomware attacks involve some sort of encryption malware deployed on a targeted network. To minimize this risk, some companies choose cloud-based solutions.
However, researchers at cloud security firm Proofpoint have discovered that it is possible to encrypt files stored on two of Microsoft’s cloud apps, SharePoint Online and OneDrive, within the Office 365 suite.
“Once executed, the attack encrypts the files in the compromised users’ accounts. Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys,” the report’s authors claim.
According to the researchers, the attack begins with a potential threat actor gaining access to users’ SharePoint Online or OneDrive accounts. After taking over the account, an attacker would reduce the version limit of files to a lower number and encrypt each file more times than that limit.
“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic,” reads the report.
In essence, the attack exploits the ‘AutoSave’ feature that creates cloud backups of older versions when users make edits. The versioning number represents which version of the backup is being used.
When the document library version limit number is reduced, any further changes to the files in the document library will result in the older version becoming very difficult to restore. The versioning mechanism can be abused by creating too many versions of a file or reducing the version limits of a document library.
Proofpoint researchers contacted Microsoft about the issue. The company responded that this configuration is working as intended and said that files could be potentially recovered in 14 days with the assistance of Microsoft support.
Proofpoint failed to restore older versions using the advice Microsoft provided.
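From a defender's side, the sequence described above (a version limit is lowered, then a file is edited more times than the new limit) can be flagged from activity logs. The sketch below is an added example, not code from Proofpoint's report or from Microsoft; the event schema, field names and user names are constructed for illustration and do not match the real Microsoft 365 audit log format.

```python
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema (not the real
# Microsoft 365 audit log format). "seq" stands in for a timestamp.
EVENTS = [
    {"seq": 1, "type": "file_modified", "library": "Finance", "file": "q1.xlsx", "user": "alice"},
    {"seq": 2, "type": "version_limit_changed", "library": "Finance", "old": 500, "new": 1, "user": "mallory"},
    {"seq": 3, "type": "file_modified", "library": "Finance", "file": "q1.xlsx", "user": "mallory"},
    {"seq": 4, "type": "file_modified", "library": "Finance", "file": "q1.xlsx", "user": "mallory"},
    {"seq": 5, "type": "file_modified", "library": "Finance", "file": "q2.xlsx", "user": "mallory"},
    {"seq": 6, "type": "version_limit_changed", "library": "HR", "old": 100, "new": 500, "user": "bob"},
    {"seq": 7, "type": "file_modified", "library": "HR", "file": "policy.docx", "user": "bob"},
]


def find_version_rollover(events):
    """Return alerts for files edited more times than a freshly reduced version limit.

    This is the pattern the article describes: the limit is lowered, then a
    file is changed more times than the new limit allows versions to be kept.
    """
    reduced = {}                 # library -> (new limit, user who lowered it)
    edits = defaultdict(int)     # (library, file) -> edits since the reduction
    alerts = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        lib = ev["library"]
        if ev["type"] == "version_limit_changed":
            if ev["new"] < ev["old"]:
                reduced[lib] = (ev["new"], ev["user"])
                # Restart counting: only edits after the reduction matter.
                for key in [k for k in edits if k[0] == lib]:
                    del edits[key]
            else:
                reduced.pop(lib, None)   # limit raised again; stop tracking
        elif ev["type"] == "file_modified" and lib in reduced:
            limit, changed_by = reduced[lib]
            key = (lib, ev["file"])
            edits[key] += 1
            if edits[key] == limit + 1:  # alert once, at the edit that exceeds the limit
                alerts.append({"library": lib, "file": ev["file"],
                               "limit": limit, "limit_changed_by": changed_by,
                               "seq": ev["seq"]})
    return alerts


if __name__ == "__main__":
    for alert in find_version_rollover(EVENTS):
        print(alert)
```

In the constructed sample, only the Finance library triggers an alert: its limit drops from 500 to 1 and `q1.xlsx` is then modified twice, while the HR change raises the limit and is ignored.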