Microsoft Office 365 feature can help cloud ransomware attacks

Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage.

A ransomware attack targeting files on these services could have severe consequences if backups aren’t available, rendering important data inaccessible to owners and working groups.

Version numbering tricks

Researchers at cybersecurity company Proofpoint note in a report today that the success of the attack relies on abusing the “AutoSave” feature that creates cloud backups of older file versions when users make edits.

The only prerequisite for encrypting SharePoint and OneDrive files is to compromise Office 365 accounts, which is easily done through phishing or malicious OAuth apps.

After hijacking an account, attackers can use Microsoft APIs and PowerShell scripts to automate malicious actions on large document lists.

The trick to finish the file locking stage quicker and make recovery more difficult is to reduce the version numbering limit and encrypt all files more than that limit.

This task does not require administrative privileges and can be done from any hijacked account. As an example, the researchers say that an adversary could reduce the number of file versions to "1" and encrypt the data twice.

Versioning setting on document lists
Versioning setting on document lists (Microsoft)

With a file version limit set to “1,” when the attacker encrypts or edits the file twice, the original document will no longer be available through OneDrive and cannot be restored.

Another way is to use automated scripts to edit files 501 times, which is above the maximum 500 limit in OneDrive for storing file versions. While this method is "louder" and might trigger some alerts, it still counts as a valid approach.

Cloud ransomware attack chain
Cloud ransomware attack chain (Proofpoint)

With the document encryption complete, the threat actor can now request a ransom from the victim in exchange for unlocking the files.

Stealing the original documents before encrypting them to put more pressure on the victim under the threat of leaking the data, is also feasible and may prove effective, especially if backups exist.

Microsoft’s response

Proofpoint informed Microsoft of the potential for abuse of the version numbering setting, but the tech giant maintains that this configuration ability is the intended functionality.

Moreover, Microsoft told Proofpoint that in cases of unexpected data loss like in the above attack scenario, support agents could help with recovery up to 14 days after the incident. However, Proofpoint reports that it attempted to restore files using that method and failed.

For organizations that might be targeted by these cloud attacks, the best security practices include:

  • using multi-factor authentication,
  • keeping regular backups,
  • hunting for malicious OAuth apps and revoking tokens, and
  • adding “increase of restorable versions immediately” to the incident response list.

Related Articles:

StopCrypt: Most widely distributed ransomware evolves to evade detection

REvil hacker behind Kaseya ransomware attack gets 13 years in prison

French hospital CHC-SV refuses to pay LockBit extortion demand

Philadelphia Inquirer: Data of over 25,000 people stolen in 2023 breach

Change Healthcare hacked using stolen Citrix account with no MFA