A ‘potentially dangerous’ functionality in Office 365 and Microsoft 365 has been discovered that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
Cyber security firm Proofpoint said it focused its research on SharePoint Online and OneDrive within the 365 suites, finding that hackers can target an organisation’s data in the cloud, as well as launch attacks on cloud infrastructure.
RELATED RESOURCE
Securing endpoints amid new threats
Ensuring employees have the flexibility and security to work remotely
“Once executed, the attack encrypts the files in the compromised users’ accounts,” the Proofpoint team explained. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”
The vendor identified and laid out details of the attack chain, which it says can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.
First, the attacker will gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities. That enables an account takeover, providing access to any file owned by the compromised user or controlled by the third-party OAuth application, including the user’s OneDrive account.
The attacker will then reduce version limits of these files to a low number – such as 1 – and then encrypt each by more than that figure.
“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware,” Proofpoint noted. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.”
Finally, this will then leave only the encrypted versions of the files in the account, enabling the attacker to monetise the situation and demand a ransom from the business.
To help counter this form of cloud ransomware attack, the vendor advised businesses use software that detects risky file configuration changes in Office 365 as user changes are not common behaviour. If a user makes these changes unknowingly, they should be made aware and asked to increase the version limit.
The cyber security firm also advised to improve security hygiene around ransomware, as well as ensure response and investigation measures incorporate Office 365 and Microsoft 365.
Proofpoint added that it has made the discovery known to Microsoft, but the flaw currently remains open for exploitation. In response, Microsoft said the configuration functionality for versioning settings is working as intended, while older versions of files are potentially able to be restored for an additional 14 days via Microsoft Support.
However, Proofpoint said attempts to retrieve and restore old versions using this process and “were not successful.”
-
Dragging your feet on Windows 11 migration? Rising infostealer threats might change thatNews With the clock ticking down to the Windows 10 end of life deadline in October, organizations are dragging their feet on Windows 11 migration – and leaving their devices vulnerable as a result.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
