Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack

Researchers are warning attackers can abuse Microsoft Office 365 functionality to target files stored on SharePoint and OneDrive in ransomware attacks. Those files, stored via “auto-save” and backed-up in the cloud, typically leave end users with the impression data is shielded from a ransomware attack. However, researchers say that is not always the case and files stored on SharePoint and OneDrive can be vulnerable to a ransomware attack. The research comes from Proofpoint, which lays out what it say is “potentially dangerous piece of functionality” in a report released last week. “Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” according to researchers. How the Attack Chain Works The attack chain assumes the worst and starts with an initial compromise of an Office 365 user’s account credentials. This leads to an account takeover, then discovery of data within the SharePoint and OneDrive environment and eventually a breach of data and ransomware attack. Why this is a big deal, argues Proofpoint, is that tools such as cloud backups via Microsoft’s “auto-save” feature have been part of a best-practices for preventing a ransomware attack. Should data be locked-up on an endpoint, there would be a cloud backup to save the day. Configuring how…