A recently discovered vulnerability in Office 365 could enable an attacker to access files stored in OneDrive and SharePoint.
The vulnerability was discovered by security consultants Proofpoint. Their researchers found that a specific piece of functionality within Office 365 could be abused by a bad actor to encrypt files using ransomware.
According to the researchers:
We have discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
The risk is modest and requires the bad actor to have compromised the user’s Office 365 account and have access to it. From there, they can abuse the autosave feature by modifying versioning limits.
Autosave is built into most cloud apps to protect users and data. Should anything happen, there will be multiple saved versions you can restore from to catch up.
This threat requires the bad actor to modify the autosave version limit. For example, if your version of Office 365 has a 500-version limit on autosaves, the bad actor has to create 501 dummy files as autosaves. Office 365 thinks the original is too old and won’t save it any more.
The bad actor encrypts all those copies and you lose access to your original file. It’s a complicated setup but could be easily automated with a bot.
This has apparently been tested extensively and is a legitimate risk. Once the autosave copies have been locked down and versions changed, you can no longer save the original document.
This gives an attacker full control over that document with no way to retrieve it. Multiply that by the thousands of documents the average business has, and you have a significant ransomware risk on your hands.
So far there are no specific fixes or protections against this threat. Microsoft have not yet been able to patch it out. Instead, they recommend strengthening network security to prevent the initial breach.
They also recommend enabling multifactor authentication to protect accounts and ensuring you always have recent backups of all data.
You can also increase the number of autosave versions and revoke any account access that is no longer required.
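The version-limit mechanism described above leaves two signals a defender can watch for: a version limit being lowered, and a burst of saves to one file that exceeds the limit. The following Python detector is an added example, not code from Proofpoint or Microsoft; the event records, field names and event types are constructed and hypothetical, not the schema of a real Microsoft 365 audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2022, 1, 1, 9, 0)  # constructed timestamp

def ev_record(minute, kind, library, user, **extra):
    """Build one constructed event (hypothetical field names)."""
    return {"time": T0 + timedelta(minutes=minute), "type": kind,
            "library": library, "user": user, **extra}

# Constructed sample events, not real audit log output.
SAMPLE_EVENTS = [
    ev_record(0, "version_limit_changed", "Finance", "user-a", new_limit=1),
    ev_record(1, "file_saved", "Finance", "user-a", file="budget.xlsx"),
    ev_record(2, "file_saved", "Finance", "user-a", file="budget.xlsx"),
    ev_record(3, "file_saved", "Finance", "user-a", file="budget.xlsx"),
    ev_record(1, "file_saved", "HR", "user-b", file="notes.docx"),
    ev_record(5, "file_saved", "HR", "user-b", file="notes.docx"),
]

def find_version_exhaustion(events, default_limit=500, window=timedelta(minutes=10)):
    """Flag lowered version limits and save bursts that exceed the limit."""
    limits = {}                 # library -> current version limit
    saves = defaultdict(list)   # (library, file) -> save times inside window
    flagged, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        lib = ev["library"]
        limit = limits.get(lib, default_limit)
        if ev["type"] == "version_limit_changed":
            limits[lib] = ev["new_limit"]
            if ev["new_limit"] < limit:
                alerts.append(("limit_lowered", lib, ev["user"], limit, ev["new_limit"]))
        elif ev["type"] == "file_saved":
            key = (lib, ev["file"])
            times = saves[key]
            times.append(ev["time"])
            while ev["time"] - times[0] > window:  # drop saves outside the window
                times.pop(0)
            # As in the article's 500/501 example: more saves than the limit
            # means the pre-burst original is no longer in version history.
            if len(times) > limit and key not in flagged:
                flagged.add(key)
                alerts.append(("history_overwritten", lib, ev["file"], ev["user"], len(times)))
    return alerts

if __name__ == "__main__":
    for alert in find_version_exhaustion(SAMPLE_EVENTS):
        print(alert)
```

The sliding window keeps ordinary editing spread over hours from triggering the second alert; only a rapid run of saves that outnumbers the current limit is flagged.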