Microsoft Office 365 feature can help cloud ransomware attacks (Security News, June 2022)

Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt, and hold for ransom, files stored in the SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage.
A ransomware attack targeting files on these services could have severe consequences if backups aren't available, rendering important data inaccessible to owners and working groups.
Researchers at cybersecurity company Proofpoint note in a report today that the success of the attack relies on abusing the "AutoSave" feature that creates cloud backups of older file versions when users make edits.
The only prerequisite for encrypting SharePoint and OneDrive files is to compromise Office 365 accounts, which is easily done through phishing or malicious OAuth apps.
The trick to finishing the file-locking stage more quickly and making recovery more difficult is to reduce the file version limit and then encrypt every file more times than that limit.
With a file version limit set to "1," when the attacker encrypts or edits the file twice, the original document will no longer be available through OneDrive and cannot be restored.
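The version-limit behaviour described above gives defenders a sequence to look for: an account lowers a library's version limit and then modifies the same files more times than that limit. The following is an added example, not code from the article or from Proofpoint; the event schema, the operation names `VersionLimitChanged` and `FileModified`, and the thresholds are hypothetical and would need mapping to the fields of a real audit log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the report.
LOW_LIMIT = 5                # a version limit at or below this is treated as suspicious
WINDOW = timedelta(hours=1)  # how long after the change to keep counting edits
MIN_FILES = 2                # files that must lose their history before alerting

def find_version_exhaustion(events):
    """Alert when one account lowers a library's version limit and then edits
    files more times than that limit, pushing the originals out of history."""
    changes = {}                                   # library -> (time, user, limit)
    edits = defaultdict(lambda: defaultdict(int))  # library -> file -> edit count
    for e in sorted(events, key=lambda e: e["time"]):
        lib = e["library"]
        if e["op"] == "VersionLimitChanged":
            edits.pop(lib, None)                   # count only edits after this change
            changes.pop(lib, None)
            if e["new_limit"] <= LOW_LIMIT:
                changes[lib] = (e["time"], e["user"], e["new_limit"])
        elif e["op"] == "FileModified" and lib in changes:
            t0, user, _ = changes[lib]
            if e["user"] == user and e["time"] - t0 <= WINDOW:
                edits[lib][e["file"]] += 1
    alerts = []
    for lib, (_, user, limit) in changes.items():
        lost = sorted(f for f, n in edits[lib].items() if n > limit)
        if len(lost) >= MIN_FILES:
            alerts.append({"library": lib, "user": user, "limit": limit, "files": lost})
    return alerts

def ev(minute, user, op, library, file=None, new_limit=None):
    return {"time": datetime(2022, 6, 1, 9, minute), "user": user, "op": op,
            "library": library, "file": file, "new_limit": new_limit}

# Constructed sample events in a hypothetical schema, not a real log format.
SAMPLE = [
    ev(0, "alice@example.com", "FileModified", "Finance", "q1.xlsx"),
    ev(5, "bob@example.com", "VersionLimitChanged", "Finance", new_limit=1),
    ev(6, "bob@example.com", "FileModified", "Finance", "q1.xlsx"),
    ev(7, "bob@example.com", "FileModified", "Finance", "q1.xlsx"),
    ev(8, "bob@example.com", "FileModified", "Finance", "budget.docx"),
    ev(9, "bob@example.com", "FileModified", "Finance", "budget.docx"),
    ev(10, "bob@example.com", "FileModified", "Finance", "plan.docx"),
    ev(20, "carol@example.com", "VersionLimitChanged", "HR", new_limit=100),
    ev(21, "carol@example.com", "FileModified", "HR", "roster.xlsx"),
]
if __name__ == "__main__":
    print(find_version_exhaustion(SAMPLE))
```

With the sample data, only the Finance library is flagged: two files were edited twice under a limit of 1, while `plan.docx` (one edit) and the HR library (limit 100) are not.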