New covert SharePoint data exfiltration techniques revealed
2024-04-10 15:01

Varonis Threat Labs researchers have uncovered two techniques attackers can use for covert data and file exfiltration from companies' SharePoint servers.

"These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events," they noted.

"By combining PowerShell with SharePoint client object model, threat actors can write a script that fetches the file from the cloud and saves it to the local computer without leaving a download log footprint. This script can be extended to map an entire SharePoint site and, using automation, download all the files to the local machine," the researchers noted.

In both cases, the actions are not recorded in "File download" logs but only in "File access" and/or "File sync" logs, and are unlikely to trigger detection rules, which usually focus on download logs.

"A potential fix could be adding a new log indicating that the file has been opened in the app. This, coupled with a bit of behavioral analysis, could help indicate if files are being exfiltrated," Varonis Threat Labs Security Research Team leader Eric Saraga told Help Net Security.
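The behavioral analysis mentioned above can be applied to the logs that are written today. The following Python is an added example, not code from Varonis or Help Net Security: it flags users whose "File access" or "File sync" events touch many distinct files within a short sliding window, and reports how many "File download" events the same user produced. It assumes Microsoft 365 unified audit records using the `Operation` values `FileAccessed`, `FileSyncDownloadedFull` and `FileDownloaded`; the window, threshold, account names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Audit operations matching the article's "File access" / "File sync" / "File download" logs.
QUIET_OPS = {"FileAccessed", "FileSyncDownloadedFull"}
DOWNLOAD_OP = "FileDownloaded"

def flag_bulk_access(events, window=timedelta(minutes=5), threshold=20):
    """Map each user whose access/sync events touch >= threshold distinct files
    inside one sliding window to (peak_distinct_files, download_event_count)."""
    rows_by_user, downloads = defaultdict(list), defaultdict(int)
    for e in events:
        if e["Operation"] in QUIET_OPS:
            ts = datetime.fromisoformat(e["CreationTime"])
            rows_by_user[e["UserId"]].append((ts, e["ObjectId"]))
        elif e["Operation"] == DOWNLOAD_OP:
            downloads[e["UserId"]] += 1
    flagged = {}
    for user, rows in rows_by_user.items():
        rows.sort()
        in_window = defaultdict(int)  # ObjectId -> events currently inside the window
        start = peak = 0
        for ts, obj in rows:
            in_window[obj] += 1
            while ts - rows[start][0] > window:  # drop events older than the window
                old = rows[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[user] = (peak, downloads[user])
    return flagged

def sample_events():
    """Constructed records: one account sweeps 40 files in under two minutes
    without a single download event; another works normally over an hour."""
    t0, site = datetime(2024, 4, 10, 9, 0), "https://tenant.example/sites/hr/"
    def rec(offset, user, op, name):
        return {"CreationTime": (t0 + offset).isoformat(), "UserId": user,
                "Operation": op, "ObjectId": site + name}
    ev = [rec(timedelta(seconds=2 * i), "sweeper@tenant.example", "FileAccessed",
              f"doc{i}.docx") for i in range(40)]
    ev += [rec(timedelta(minutes=20 * i), "normal@tenant.example", "FileAccessed",
               f"plan{i}.xlsx") for i in range(3)]
    ev.append(rec(timedelta(minutes=50), "normal@tenant.example", "FileDownloaded", "plan0.xlsx"))
    return ev

if __name__ == "__main__":
    print(flag_bulk_access(sample_events()))
```

A rule keyed only on download events would see zero events for the flagged account in this sample, which is the gap the researchers describe.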

Varonis updated its research to say that "On April 10, 2024, Microsoft closed out the ticket for the SharePoint method as 'by design' and believes that customers do not need to take action. This functionality will remain in SharePoint deployments until further notice."


News URL

https://www.helpnetsecurity.com/2024/04/10/covert-sharepoint-data-exfiltration/