Security firm Proofpoint has detected a “potentially dangerous piece of functionality” in Microsoft Office 365 that enables ransomware to encrypt files stored on SharePoint and OneDrive and makes them unrecoverable without backups or a decryption key from the hacker.

Ransomware attacks typically target data across endpoints or network drives.

SharePoint and OneDrive are two of the most ubiquitous enterprise cloud apps. The attacker encrypts the files in the compromised users’ accounts. Just like any endpoint ransomware activity, encrypted files can only be recovered with decryption keys.

Proofpoint breaks down how the attack begins and progresses:

  1. Initial Access: Gain access to SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
  2. Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application.
  3. Collection & Exfiltration: Reduce versioning limit of files to a low number to keep it easy. Encrypt the file more times than the versioning limit. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. 
  4. Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.

Proofpoint also identified three most common paths hackers take to obtain access to one or more users’ SharePoint Online or OneDrive accounts. These are:

  1. Account compromise: Directly compromising the users’ credentials to their cloud account(s) via phishing, brute force attacks, and other methods
  2. Third-party OAuth applications: Tricking a user to authorize third-party OAuth apps with application scopes for SharePoint or OneDrive access
  3. Hijacked sessions: Hijacking the web session of a logged-in user or hijacking a live API token for SharePoint Online and/or OneDrive

Finally, Proofpoint urges users to shore up their Office 365 accounts by improving security hygiene around ransomware and updating disaster recovery and data backup policies to minimize losses incurred in a ransomware attack.