"A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage"

A "dangerous piece of functionality" has been uncovered in the Microsoft 365 suite that a malicious actor could use to hold assets stored on SharePoint and OneDrive for ransom as well as execute attacks on cloud infrastructure. According to researchers at Proofpoint, the cloud ransomware attack allows file-encrypting malware to encrypt files saved on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key. In addition, the infection sequence can be carried out using a combination of Microsoft Application Programming Interfaces (APIs), command-line interface (CLI) scripts, and PowerShell scripts. The attack is based on a Microsoft 365 feature called AutoSave, which creates copies of older file versions whenever users make changes to a file stored on OneDrive or SharePoint Online. It begins with gaining unauthorized access to a target user's SharePoint Online or OneDrive account, which is then used to exfiltrate and encrypt contents. The three most popular ways for a malicious actor to gain an initial footing are to directly breach the account via phishing or brute-force attacks, trick a user into authorizing a rogue third-party OAuth application, or hijack a logged-in user's web session. This article continues to discuss how the Microsoft Office 365 feature can help cloud ransomware attacks.

THN reports "A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage"

Submitted by Anonymous on