© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Office 365 feature allows cloud-based ransomware attacks


Hijacking Microsoft Office 365 accounts can allow threat actors to encrypt business files stored in OneDrive and SharePoint. Without proper backups, the attack would be as severe as an attack involving malware.

Most ransomware attacks involve some sort of encryption malware deployed on a targeted network. To minimize this risk, some companies choose cloud-based solutions.

However, researchers at cloud security firm Proofpoint have discovered that it is possible to encrypt files stored on Microsoft’s cloud apps SharePoint Online and OneDrive within the Office 365 suite.

“Once executed, the attack encrypts the files in the compromised users’ accounts. Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys,” the report’s authors claim.

According to the researchers, the attack begins with a potential threat actor gaining access to users’ SharePoint Online or OneDrive accounts. After taking over the account, an attacker would reduce the file versioning limit to a lower number and encrypt each file more times than the versioning limit.

“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic,” reads the report.

In essence, the attack exploits the ‘AutoSave’ feature that creates cloud backups of older versions when users make edits. The versioning number represents which version of the backup is being used.

When the document library version limit number is reduced, any further changes to the files in the document library will result in the older version becoming very difficult to restore. The versioning mechanism can be abused by creating too many versions of a file or reducing the version limits of a document library.
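As an added example (not from Proofpoint's report or from Microsoft), the sketch below shows detection logic for the sequence described above: a library's version limit is lowered, then a file is modified more times than the new limit. The event schema, field names and sample events are constructed for illustration and do not reflect the real Microsoft 365 audit log format.

```python
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema
# (not the real Microsoft 365 audit log format). "t" is seconds.
EVENTS = [
    {"t": 100, "user": "alice", "op": "set_version_limit", "library": "Finance", "old": 500, "new": 1},
    {"t": 110, "user": "alice", "op": "modify", "library": "Finance", "file": "q1.xlsx"},
    {"t": 111, "user": "alice", "op": "modify", "library": "Finance", "file": "q1.xlsx"},
    {"t": 112, "user": "alice", "op": "modify", "library": "Finance", "file": "q2.xlsx"},
    {"t": 200, "user": "bob", "op": "set_version_limit", "library": "HR", "old": 500, "new": 100},
    {"t": 210, "user": "bob", "op": "modify", "library": "HR", "file": "policy.docx"},
    {"t": 9000, "user": "alice", "op": "modify", "library": "Finance", "file": "q2.xlsx"},
]


def find_version_history_loss(events, window=3600):
    """Flag files rewritten more times than a freshly lowered version limit.

    Once a file has been modified more than `new` times after the limit was
    reduced, every version that predates the reduction has been rotated out.
    """
    reductions = {}            # library -> the event that lowered its limit
    writes = defaultdict(int)  # (library, file) -> modifications since then
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        lib = e["library"]
        if e["op"] == "set_version_limit":
            # Any limit change restarts the count for this library.
            for key in [k for k in writes if k[0] == lib]:
                del writes[key]
            if e["new"] < e["old"]:
                reductions[lib] = e
            else:
                reductions.pop(lib, None)
        elif e["op"] == "modify" and lib in reductions:
            change = reductions[lib]
            if e["t"] - change["t"] > window:
                continue  # too long after the change to correlate
            writes[(lib, e["file"])] += 1
            if writes[(lib, e["file"])] == change["new"] + 1:
                alerts.append({"library": lib, "file": e["file"],
                               "limit_changed_by": change["user"],
                               "new_limit": change["new"], "at": e["t"]})
    return alerts
```

The `window` parameter trades noise for coverage: a short window misses slow rewrites, so a limit reduction on its own is also worth reviewing.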

Proofpoint researchers contacted Microsoft about the issue. The company responded that this configuration is working as intended and said that files could be potentially recovered in 14 days with the assistance of Microsoft support.

Proofpoint failed to restore older versions using the advice Microsoft provided.

