Editors' Note: This story was updated on April 10 at 1:10 p.m. Eastern to reflect a comment by Microsoft that users did not need to take any action.
Two Microsoft SharePoint flaws have been observed that could potentially let attackers circumvent audit logs and avoid triggering downloads and then exfiltrate SharePoint data.
The research was considered significant because of the vast base SharePoint has in government and business. More than 250,000 organizations are estimated to use SharePoint for managing documents and intranets, with 80% of Fortune 500 companies estimated to use the platform.
Varonis Threat Labs said in an April 9 blog post that they found that attackers can potentially bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention platforms, and security information event management systems by hiding downloads as less suspicious access and sync events.
Varonis researchers said they disclosed the two bugs to Microsoft in November 2023 and Microsoft has since designated them as a “moderate” security fix, adding the flaws to their patch backlog program.
Until a patch is developed, the Varonis researchers recommended organizations closely review access events for unusual access activity, volume, new devices or geolocations across their SharePoint and OneDrive audit logs.
Attackers can exploit the flaws in one of two ways: The first technique uses code that enables the “Open in App” feature in SharePoint to access and download files while only leaving an access event in the file’s audit log. Attackers can do this manually or automated through a PowerShell script, allowing for the fast exfiltration of numerous files. The second technique uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while mislabeling events as file syncs instead of downloads.
Using these two techniques, threat actors can potentially exfiltrate data while hiding their activity from audit logs, bypassing detection or policy enforcement.
Research shows the gaps in SharePoint security
Organizations using SharePoint are potentially exposed to undetected risks of data theft, as attackers can covertly exfiltrate sensitive information without setting off major alarms, explained Callie Guenther, senior manager of cyber threat research at Critical Start and an SC Media columnist.
Guenther said this situation highlights significant gaps in existing security strategies that often rely on audit logs for detecting anomalies. She said advanced persistent threat groups could also harness such techniques for prolonged espionage, posing a risk of remaining undetected for extensive periods. The potential compliance and legal repercussions are substantial, said Guenther, considering that undetected breaches could violate data protection regulations.
“The sophistication of these methods, especially with the possibility of automation using PowerShell scripts, indicates that attackers could execute large-scale attacks with relative ease,” said Guenther. “This scenario underscores the urgent need for security enhancements, advocating for the adoption of advanced detection tools that leverage behavioral analytics and machine learning to identify threats more effectively, moving beyond traditional log-based monitoring to a more dynamic, proactive approach in cybersecurity.”
John Bambenek, president at Bambenek Consulting, added that as more organizations adopt cloud-first technology, it creates additional possibilities for malicious activity to go undetected.
“Organizations trust that these providers log the data correctly so they can detect problems, however, when there are failures or workarounds, malicious actors can use them to attack many organizations who are none the wiser,” said Bambenek. “Data theft is already a prolific and complicated problem and techniques like this make it even harder for defenders.”
Late in the day April 9 Microsoft issued a statement on the Varonis research, indicating that they disagreed with its conclusions:
“We're aware of this report and our customers do not need to take action. We have confirmed that the product is performing as expected, by detecting a file accessed and reporting that through the audit log. Security products and vendors should be using FileAccessed, FileDownloaded, plus two potential sync-related signals, FileSyncDownloadedFull and FileSyncDownloadedPartial audit events to monitor for file access. We've reassessed the severity of this report and have communicated to the finder that this behavior is by-design. Customers of a third-party monitoring solution should engage their solution provider if they are concerned.”
Eric Saraga, security research team leader at Varonis, and author of the SharePoint report, said his team stands by its comments in the April 9 blog: “We think that any method malicious actors can use to exfiltrate data and avoid detection is concerning, even if that is ultimately deemed to be by design.“
