A Microsoft 365 feature can ransom files on SharePoint and OneDriveCould

Pierluigi Paganini June 17, 2022

Experts discovered a feature in Microsoft 365 suite that could be abused to encrypt files stored on SharePoint and OneDrive and target cloud infrastructure.

Researchers from Proofpoint reported that a feature in the in Microsoft 365 suite could be abused to encrypt files stored on SharePoint and OneDrive.

“Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.” reads the post published by Proofpoint.

The researchers detailed an attack chain that allows encrypting files in the compromised users’ accounts, unfortunately for the victims, these files can then only be retrieved by paying a ransom to receive the decryption keys.

The researchers pointed out that the actions composing the attack chain can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts. Below is the attack chain described by ProofPoint:

  1. Initial Access: Gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
  2. Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application (which would include the user’s OneDrive account as well).
  3. Collection & Exfiltration: Reduce versioning limit of files to a low number such as 1, to keep it easy. Encrypt the file more times than the versioning limit. With the example limit of 1, encrypt the file twice. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic. 
  4. Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization. 

The infection sequence can be carried out using a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm added.

Microsoft Office 365 ransomware

Researchers at Proofpoint reported that the attack abuses the “AutoSave” feature that creates cloud backups of older file versions when users edit a file stored on OneDrive or SharePoint Online.

Every document library in SharePoint Online and OneDrive is characterized with a set of attributes, including the number of saved versions that can be changed by the site owner can change, regardless of their other roles. The versioning settings are under list settings for each document library. 

“By design, when you reduce the document library version limit, any further changes to the files in the document library will result in older versions becoming very hard to restore (see responsible disclosure and discussion). There are two ways to abuse the versioning mechanism to achieve malicious aims – either by creating too many versions of a file or by reducing the version limits of a document library.” continues the report. “Edits that increment a version of a file include changes to the document contents, filename, file metadata and the file encryption status.”  

An attacker can either create too many versions of a file or reduce the version limit of a document library to a lower such as “1” and then encrypt each file more times than the versioning limit.

Microsoft downplayed the issue stating that older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support.

“However, Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.” concludes the report.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft 365)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment